Reputation: 9722
I'm getting a bit confused about how Hapi handles validation. According to the request lifecycle (http://hapijs.com/api#request-lifecycle), validation of params / queries only happens after authentication has been done.
Does it make sense to do so? For example, I'm working on a public API, but I do not want to go through all the authentication logic if the request params are invalid.
Say a request with the following validation:
validate: {
    name: Joi.string().required()
}
Why would the API go through the trouble of authenticating the user when the request will be invalid due to name not being sent?
Or is this me just misunderstanding the request lifecycle?
Upvotes: 0
Views: 428
Reputation: 8571
When validation fails, hapi returns information about why the validation failed. In your example, the route requires a parameter called name. For security reasons you might not want to tell an unauthenticated user that this route requires this parameter. That gives away a lot of information, right?
For me personally, I think there are a few reasons why authentication is done first:
What's more important, telling the user they are not authorized to access an endpoint, or that their request was invalid? I think authorization is more important.
For security reasons, don't reveal any more information than is absolutely necessary.
Once you establish your authentication method, the amount of "work" to authenticate a request is the same, but validation can vary a lot between requests. One route might have many parameters that need to be validated. So if you had to average out the cost of a failed request, authentication might be cheaper over many, many requests. (see JWT authentication)
Upvotes: 3
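The information-disclosure point the answer makes can be seen in a small model of the request pipeline. The following is an added example, not hapi's code and not from the question or answer: a hand-rolled pipeline that can run either in hapi's order (authenticate, then validate) or in the order the question proposes (validate, then authenticate). The bearer token, the schema shape (a stand-in for the Joi schema) and the request objects are constructed for the demo.

```javascript
// Added example (not hapi's code): a minimal model of a request pipeline
// showing why running authentication before param validation avoids
// leaking route schema details to unauthenticated callers.
// Constructed for the demo: the token, the schema shape and the requests.

// Constructed bearer token; a real service would verify a JWT or session instead.
const VALID_TOKEN = 'secret-token';

function authenticate(request) {
  const header = request.headers.authorization || '';
  const token = header.replace(/^Bearer\s+/i, '');
  return token === VALID_TOKEN ? { credentials: { user: 'demo' } } : null;
}

// Tiny stand-in for a Joi schema: each key maps to { type, required }.
// Returns the list of validation errors (empty when the params are valid).
function validateParams(params, schema) {
  const errors = [];
  for (const [key, rule] of Object.entries(schema)) {
    const value = params[key];
    if (value === undefined) {
      if (rule.required) errors.push(`"${key}" is required`);
      continue;
    }
    if (typeof value !== rule.type) errors.push(`"${key}" must be a ${rule.type}`);
  }
  return errors;
}

// Run the route's lifecycle steps in the chosen order.
// 'auth-first' mirrors hapi's lifecycle; 'validate-first' is the order
// the question proposes. Like hapi, a failed validation returns the
// reasons in the 400 response body.
function handle(request, route, order = 'auth-first') {
  const steps = order === 'auth-first' ? ['auth', 'validate'] : ['validate', 'auth'];
  for (const step of steps) {
    if (step === 'auth') {
      if (!authenticate(request)) {
        return { statusCode: 401, body: { message: 'Unauthorized' } };
      }
    } else {
      const errors = validateParams(request.params, route.validate);
      if (errors.length > 0) {
        return { statusCode: 400, body: { message: 'Bad Request', details: errors } };
      }
    }
  }
  return { statusCode: 200, body: route.handler(request) };
}

// The route from the question, with "name" required (schema shape constructed).
const route = {
  validate: { name: { type: 'string', required: true } },
  handler: (request) => ({ hello: request.params.name }),
};

// Constructed requests: an anonymous caller and an authenticated caller,
// both omitting the required "name" parameter.
const anonymousBadRequest = { headers: {}, params: {} };
const authedBadRequest = { headers: { authorization: 'Bearer secret-token' }, params: {} };

// Compare what each ordering reveals to the anonymous caller.
function demo() {
  return {
    anonymousAuthFirst: handle(anonymousBadRequest, route, 'auth-first'),
    anonymousValidateFirst: handle(anonymousBadRequest, route, 'validate-first'),
    authedAuthFirst: handle(authedBadRequest, route, 'auth-first'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With hapi's ordering the anonymous caller only ever sees a bare 401, while the validate-first ordering hands the same caller a 400 listing `"name" is required`, i.e. the route's schema, before any credential has been checked. Authenticated callers still get the full validation details either way.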