2. Tutorials
  3. hapi — Authenticate with GitLab And Remember the User

hapi — Authenticate with GitLab And Remember the User

Securing routes with authentication mechanisms is a common way to allow only selected people access to a given resource. If you’re tired of implementing boilerplate code for login and signup again, benefit from hapi’s powerful plugin system and integrate with third-party services to leverage OAuth access.

This tutorial guides you through the integration of your hapi app with GitLab and shows you how to let users authenticate with their GitLab account for your platform.

hapi Series Overview

  1. Get Your Server Up and Running
  2. v17 Upgrade Guide (Your Move to async/await)
  3. Become a Better Developer in 2018
  4. Become a Better Developer in 2017
  1. What You’ll Build
  2. Prepare Your Project: Stack & Structure
  3. Environment Variables and Storing Secrets
  4. Set Up MongoDB and Connect With Mongoose
  5. Sending Emails in Node.js
  6. Load the User’s Profile Picture From Gravatar Using Virtuals in Mongoose
  7. Implement a User Profile Editing Screen
  8. Generate a Username in Mongoose Middleware
  9. Displaying Seasons and Episodes for TV Shows with Mongoose Relationship Population
  10. Implementing Pagination for Movies
  11. Implement a Watchlist
  12. Create a Full Text Search with MongoDB
  1. Create a REST API with JSON Endpoints
  2. Update Mongoose Models for JSON Responses
  3. API Pagination for TV Shows
  4. Customize API Endpoints with Query Parameters
  5. Always Throw and Handle API Validation Errors
  6. Advanced API Validation With Custom Errors
  7. Create an API Documentation with Swagger
  8. Customize Your Swagger API Documentation URL
  9. Describe Endpoint Details in Your Swagger API Documentation
  10. 10 Tips on API Testing With Postman
  11. JWT Authentication in Swagger API Documentation
  12. API Versioning with Request Headers
  1. IP-Based Rate Limits (Part 1 of 7)
  2. Rate Limits for Routes (Part 2 of 7)
  3. Dynamic Rate Limits (Part 3 of 7)
  4. Render a “Rate Limit Exceeded” View (Part 4 of 7)
  5. Show “Rate Limit Exceeded” Error on Login (Part 5 of 7)
  6. Disable Rate Limiting (Part 6 of 7)
  7. Rate Limiter Refactoring & Cleanup (Part 7 of 7)
  1. API Login With Username and Password to Generate a JWT
  2. JWT Authentication and Private API Endpoints
  3. Refresh Tokens With JWT Authentication
  4. Create a JWT Utility
  5. JWT Refresh Token for Multiple Devices
  6. Check Refresh Token in Authentication Strategy
  7. Rate Limit Your Refresh Token API Endpoint
  8. How to Revoke a JWT
  9. Invalidate JWTs With Blacklists
  10. JWT Logout (Part 1/2)
  11. JWT “Immediate” Logout (Part 2/2)
  12. A Better Place to Invalidate Tokens
  13. How to Switch the JWT Signing Algorithm
  14. Roll Your Own Refresh Token Authentication Scheme
  15. JWT Claims 101
  16. Use JWT With Asymmetric Signatures (RS256 & Co.)
  17. Encrypt the JWT Payload (The Simple Way)
  18. Increase JWT Security Beyond the Signature
  19. Unsigned JSON Web Tokens (Unsecured JWS)
  20. JWK and JWKS Overview
  21. Provide a JWKS API Endpoint
  22. Create a JWK from a Shared Secret
  23. JWT Verification via JWKS API Endpoint
  24. What is JOSE in JWT
  25. Encrypt a JWT (the JWE Way)
  26. Authenticate Encrypted JWTs (JWE)
  27. Encrypted and Signed JWT (Nested JWT)
  28. Bringing Back JWT Decoding and Authentication
  29. Bringing Back JWT Claims in the JWT Payload
  1. How to Run Separate Frontend and Backend Servers Within a Single Project
  2. How to Use Server Labels
  3. How to Correctly Stop Your Server and Close Existing Connections
  1. Basic Authentication With Username and Password
  2. Authentication and Remember Me Using Cookies
  3. How to Set a Default Authentication Strategy
  4. Define Multiple Authentication Strategies for a Route
  5. Restrict User Access With Scopes
  6. Show „Insufficient Scope“ View for Routes With Restricted Access
  7. Access Restriction With Dynamic and Advanced Scopes
  8. hapi - How to Fix „unknown authentication strategy“
  9. Authenticate with GitHub And Remember the Login
  10. Authenticate with GitLab And Remember the User
  11. How to Combine Bell With Another Authentication Strategy
  12. Custom OAuth Bell Strategy to Connect With any Server
  13. Redirect to Previous Page After Login
  14. How to Implement a Complete Sign Up Flow With Email and Password
  15. How to Implement a Complete Login Flow
  16. Implement a Password-Reset Flow
  1. Views in hapi 9 (and above)
  2. How to Render and Reply Views
  3. How to Reply and Render Pug Views (Using Pug 2.0)
  4. How to Create a Dynamic Handlebars Layout Template
  5. Create and Use Handlebars Partial Views
  6. Create and Use Custom Handlebars Helpers
  7. Specify a Different Handlebars Layout for a Specific View
  8. How to Create Jade-Like Layout Blocks in Handlebars
  9. Use Vue.js Mustache Tags in Handlebars Templates
  10. How to Use Multiple Handlebars Layouts
  1. Extend Your Server Functionality With Plugins
  2. Create Your Own Custom Plugin
  3. How to Register Plugins for a Selected Server Instance
  4. hapi Plugin for Client Geo Location (by Future Studio 🚀)
  5. Increase Development Speed With Errors in the Browser or as JSON Response
  1. Route Handling and Drive Traffic to Your Server
  2. How to Serve Static Files (Images, JS, CSS, etc.)
  3. How to Use Query Parameters
  4. Optional Path Parameters
  5. Multi-Segment/Wildcard Path Parameters
  6. Ignore Trailing Slashes on Route Paths
  7. How to Fix “Unsupported Media Type”
  1. How to Access and Handle Request Payload
  2. Access Request Headers
  3. How to Manage Cookies and HTTP States Across Requests
  4. Detect and Get the Client IP Address
  5. How to Upload Files
  6. Quick Access to Logged In User in Route Handlers
  7. How to Fix “handler method did not return a value, a promise, or throw an error”
  8. How to Fix “X must return an error, a takeover response, or a continue signal”
  1. How to Reply a JSON Response
  2. How to Set Response Status Code
  3. How to Handle 404 Responses for Missing Routes
  1. Query Parameter Validation With Joi
  2. Path Parameter Validation With Joi
  3. Request Payload Validation With Joi
  4. Validate Query and Path Parameters, Payload and Headers All at Once on Your Routes
  5. Validate Request Headers With Joi
  6. Reply Custom View for Failed Validations
  7. Handle Failed Validations and Show Errors Details at Inputs
  8. How to Fix AssertionError, Cannot validate HEAD or GET requests
  1. Add CSRF Protection on Forms and API Endpoints
  1. Report Errors to Sentry
  2. Don’t Report Errors to Sentry in Development Mode
  3. Logging Fundamentals
  4. Log to Console With Good
  5. Log to File With Good
  1. Getting Started With Testing Using Lab and Code
  2. Run Tests with Assertions using Code
  3. Test Route Handlers by Injecting Requests
  4. Inject Request Payload, Headers and Parameters While Testing Route Handlers
  1. Zero-Downtime Deployments Using PM2

Prepare Your Project

At first, you need to install two dependencies: bell to simply integrate OAuth within your application for a given provider (e.g., GitLab, Twitter & Co.) and hapi-auth-cookie to remember the user’s successful login.

npm i -S bell hapi-auth-cookie

Once you’ve the two packages successfully installed, move on to the next step and create an OAuth application on GitLab.

Register new OAuth Application on GitLab

Using GitLab in your application to authenticate users requires a dedicated OAuth application on GitLab. This step is required, because you want users to explicitly authenticate for your application, not anyone else’s.

Once the user grants your application access to the user’s data, GitLab will request a provided URL and sends the credentials as payload.

In this tutorial we’ll create an OAuth application on gitlab.com, but you can use your self-hosted GitLab as well. To point bell to a self-hosted GitLab instance, please refer to the provider configuration details.

To create your OAuth application on GitLab, move over to your GitLab settings and visit the „Applications“ tab.

Register new GitLab OAuth Application

Provide a name and please keep an eye on the Redirect URI, because this URL is called once the user grants your application access to their data. And you want GitLab to call an URL that belongs to your application :)

During development you can use a localhost address. The picture above depicts http://localhost:3000/auth/gitlab as the redirect URL and we need to listen on that route within our server to handle the call properly.

Click Save application to create it.

New GitLab OAuth Application

Alright, there you go. Keep this tab open, because you need the values for Application Id and Secret in a minute. Verify the Callback url if everything is correct. Please use your own values and don’t use them from the screenshot. The app won’t be available at the time you’re reading this :)

Create a gitlab Authentication Strategy

In the first step, you’ve installed bell and now you’ll create a new authentication strategy based on the bell scheme.

You can choose whatever strategy name you want, we’ll use gitlab for the rest of this tutorial. That it’s easily referable and you immediately know what’s behind this strategy.

We suggest to create a dedicated authentication plugin and add your strategy this way:

async function register (server, options) {  
  // declare and install dependency to bell
  await server.register({
    plugin: require('bell')
  })

  /**
   * Register 'gitlab' authentication strategy
   */
  server.auth.strategy('gitlab', 'bell', {
    provider: 'gitlab',
    password: 'ThisIsASecretCookiePasswordForGitLab',
    clientId: 'your-application-id',
    clientSecret: 'your-secret',
    isSecure: process.env.NODE_ENV === 'production'
  })

  server.log('info', 'Auth strategy created: »gitlab«')
  server.log('info', 'Plugin registered: authentication with strategy »gitlab«')
}

exports.plugin = {  
  register,
  name: 'authentication',
  version: '1.0.0'
}

With bell, you’ve multiple settings that can be configured while creating the strategy. The settings from above are sufficient to integrate GitLab with your application.

The gitlab provider is a predefined provider in bell that sets the required OAuth URLs to complete the OAuth flow. If you self-host GitLab, adjust the bell settings to point to your domain so that the correct GitLab instance is referenced.

clientId and clientSecret are the values of your GitLab OAuth application. On GitLab, the values are called Application Id and Secret. Both values are required to identify your application and the callback with the user’s data as response payload.

The password is used for a cookie that will be set and isSecure defines whether the cookie is used on encrypted (HTTPS) routes.

Add a Route That Requires gitlab Authentication Strategy

The authentication strategy is prepared, now go ahead and add a route that requires the gitlab strategy. Remember the callback URL from the GitLab OAuth application? The path for the new route needs to match the defined URL.

Above, you’ve seen that we used http://localhost:3000/auth/gitlab for the GitLab callback URL. Now you need to add a route on path /auth/gitlab to your server.

server.route({  
  method: 'GET',
  path: '/auth/gitlab',
  config: {
    auth: 'gitlab',
    handler: (request, h) => {
      if (request.auth.isAuthenticated) {
        const user = request.auth.credentials.profile
        const data = {
          name: user.name,
          username: user.username,
          avatar: user.avatar_url
        }

        return h.view('authenticated', data)
      }

      return h.view('index', {
        error: 'Could not authenticate with GitLab.'
      }).code(400)
    }
  }
})

With gitlab as the required authentication strategy, bell makes sure you’re redirected to GitLab first where you’re asked to grant the given application access to your data. You only need to allow the access once, afterwards each authentication request will finish without further questions for this app (unless you revoke access to this app).

Once you allow the created OAuth application to use your GitLab data, bell continues and finishes the OAuth flow and ultimately your endpoint is called.

Within your route, the GitLab data is available within request.auth.credentials, including an API access token if you need to call the GitLab API separately.

The GitLab profile credentials are stored within a nested object request.auth.credentials.profile. Pick the data you need and finally show the resource that is secured with GitLab authentication.

Test Your Code

If you’ve taken the presented snippets from above and put them into your application, test your integration and hopefully everything goes smooth.

We’ve created a sample project to authenticate your hapi app with GitLab and published over at GitHub. It adds basic view support and has two views: one that requires you to authenticate with GitLab and another one shown once the authentication flow completed successfully.

If you’ve completed the GitLab integration within your application, start your server and visit the route that requires GitLab authentication. The following screen uses the mentioned sample project from above.

Sign in with GitLab view

Click the link to „Authenticate with GitLab“ which results in the OAuth web flow that redirects you to GitLab and asks for permission to access your personal user data.

Authorize Application on GitLab

Once you click „Authorize“, you’ll be redirected to the defined app’s callback url and with that to your application. Within your route handler, do the required processing and use the user credentials for good.

Signed in with GitLab

The sample application shows a simple greeting and your GitLab avatar. We’ve also added an extra functionality to save a cookie and remember the user’s login.

The following paragraph shows you how to leverage hapi-auth-cookie to remember the user.

Remember the User with hapi-auth-cookie

The downside of the previous implementation is that all requests to your routes that require the gitlab authentication strategy will do the roundtrip to GitLab, ask for an authorization grant and get back to your route handler once the OAuth flow finished.

Add a second authentication strategy within your server that uses a session cookie for authentication. Combine third-party authentication with bell and hapi-auth-cookie by using a cookie that gets set once your GitLab authentication is successful.

Therefore, extend the authentication plugin from above with a new session strategy:

async function register (server, options) {  
  // declare and install dependency to bell
  await server.register([
    {
      plugin: require('bell')
    },
    {
      plugin: require('hapi-auth-cookie')
    }
  ])

  /**
   * Register session based auth strategy to store
   * credentials received from GitLab and keep
   * the user logged in
   */
  server.auth.strategy('session', 'cookie', {
    password: 'ThisIsASecretPasswordForTheAuthCookie',
    redirectTo: '/',
    isSecure: process.env.NODE_ENV === 'production'
  })

  server.log('info', 'Auth strategy created: »session«')

  /**
   * Register 'gitlab' authentication strategy
   */
  server.auth.strategy('gitlab', 'bell', {
    provider: 'gitlab',
    password: 'ThisIsASecretCookiePasswordForGitLab',
    clientId: 'your-application-id',
    clientSecret: 'your-secret',
    isSecure: process.env.NODE_ENV === 'production'
  })

  server.log('info', 'Auth strategy created: »gitlab«')

  server.log('info', 'Plugin registered: authentication with strategies »session« and »gitlab«')

}

exports.plugin = {  
  register,
  name: 'authentication',
  version: '1.0.0'
}

With the session strategy in place, you can add a single line of code to your route handler on path /auth/gitlab to store the desired data and remember the user.

server.route({  
  method: 'GET',
  path: '/auth/gitlab',
  config: {
    auth: 'github',
    handler: (request, h) => {
      if (request.auth.isAuthenticated) {
        const user = request.auth.credentials.profile
        const data = {
          name: user.name,
          username: user.username,
          avatar: user.avatar_url
        }

        request.cookieAuth.set(data)     // <-- new line to set the session cookie

        return h.view('authenticated', data)
      }

      return h.view('index', {
        error: 'Could not authenticate with GitLab.'
      }).code(400)
    }
  }
})

The snippet above saves the name, username, and avatar properties into the session cookie. You can add other fields as well.

Now you can use the session strategy for all routes that require authentication. Check for an existing cookie and use the stored data. If the session cookie is invalid or expired, redirect to your route that requires GitLab authentication so that the user does the OAuth flow and finally creates a new session.

Sample Code and Project

We’ve published a sample project for this tutorial on GitHub containing the code that is used to integrate a hapi project with GitLab. If you feel stuck with the integration in your own application, sneak peek at our code snippets to get a grasp on how to do the connection. We hope that helps :)

Outlook

You made it :)

With assistance of this tutorial, you’re able to integrate your hapi app with GitLab and use the OAuth flow to access user credentials. And you don’t necessarily need to implement your own login and signup boilerplate. With bell and the GitLab integration there are the foundations to authenticate users for secured resources on your platform.

We’re happy to hear your thoughts and comments. Please don’t hesitate to use the comments below or find us on Twitter @futurestud_io. Let us know what you think!

Enjoy coding & make it rock!

Additional Resources

Marcus Pöhls

Marcus is a fullstack JS developer. He’s passionate about the hapi framework for Node.js and loves to build web apps and APIs. Creator of Futureflix and the “learn hapi” learning path.

Explore the Library

Find interesting tutorials and solutions for your problems.

Android

Node.js

Server

Miscellaneous