hapi-auth-cookie - npm Package Compare versions

Comparing version 9.1.0 to 10.0.0

CHANGELOG.md

8

example/index.js

@@ -93,6 +93,8 @@ 'use strict';

server.auth.strategy('session', 'cookie', {
password: 'password-should-be-32-characters',
cookie: 'sid-example',
cookie: {
name: 'sid-example',
password: 'password-should-be-32-characters',
isSecure: false
},
redirectTo: '/login',
isSecure: false,
validateFunc: async (request, session) => {

@@ -99,0 +101,0 @@
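Review bot: The relocated `isSecure: false` and the placeholder `password: 'password-should-be-32-characters'` inside the new `cookie` object carry no comment in example/index.js, whereas the README example in this same release annotates both; example files get copied into real configs, so the warnings belong here as well. Above the `password:` line add `// Don't forget to change it to your own secret password!` and above `isSecure: false` add `// For working via HTTP on localhost only - do not ship isSecure: false`. The `server.auth.strategy(...)` call this hunk edits continues past the end of the hunk.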

@@ -15,3 +15,3 @@ 'use strict';

requirements: {
hapi: '>=17.7.0'
hapi: '>=18.0.0'
},

@@ -26,18 +26,32 @@ register: (server, options) => {

internals.schema = Joi.object({
cookie: Joi.string().default('sid'),
password: Joi.alternatives(Joi.string(), Joi.object().type(Buffer)).required(),
ttl: Joi.number().integer().min(0).allow(null).when('keepAlive', { is: true, then: Joi.required() }),
domain: Joi.string().allow(null),
path: Joi.string().default('/'),
clearInvalid: Joi.boolean().default(false),
keepAlive: Joi.boolean().default(false),
isSameSite: Joi.valid('Strict', 'Lax').allow(false).default('Strict'),
isSecure: Joi.boolean().default(true),
isHttpOnly: Joi.boolean().default(true),
redirectTo: Joi.alternatives(Joi.string(), Joi.func()).allow(false),
appendNext: Joi.alternatives(Joi.string(), Joi.boolean(), Joi.object({ raw: Joi.boolean(), name: Joi.string() })).default(false),
validateFunc: Joi.func(),
appendNext: Joi.alternatives([
Joi.string(),
Joi.boolean(),
Joi.object({ raw: Joi.boolean(), name: Joi.string() })
])
.default(false),
cookie: Joi.object({
name: Joi.string().default('sid'),
encoding: Joi.valid('iron').default('iron'),
password: Joi.required(),
ignoreErrors: Joi.valid(true).default(true)
})
.unknown()
.default(),
keepAlive: Joi.boolean()
.when('cookie.ttl', { is: Joi.number().min(1), otherwise: Joi.forbidden() })
.default(false),
redirectTo: Joi.alternatives([
Joi.string(),
Joi.func()
])
.allow(false),
requestDecoratorName: Joi.string().default('cookieAuth'),
ignoreIfDecorated: Joi.boolean().default(true)
}).required();
validateFunc: Joi.func()
})
.required();

@@ -64,3 +78,3 @@

session[key] = value;
return h.state(settings.cookie, session);
return h.state(settings.name, session);
}

@@ -70,3 +84,3 @@

request.auth.artifacts = session;
h.state(settings.cookie, session);
h.state(settings.name, session);
}

@@ -83,7 +97,7 @@

delete session[key];
return h.state(settings.cookie, session);
return h.state(settings.name, session);
}
request.auth.artifacts = null;
h.unstate(settings.cookie);
h.unstate(settings.name);
}

@@ -96,3 +110,3 @@

Hoek.assert(session, 'No active session to modify ttl on');
h.state(settings.cookie, session, { ttl: msecs });
h.state(settings.name, session, { ttl: msecs });
}

@@ -104,26 +118,9 @@ };

const results = Joi.validate(options, internals.schema);
Hoek.assert(!results.error, results.error);
const settings = Joi.attempt(options, internals.schema);
settings.name = settings.cookie.name;
delete settings.cookie.name;
const settings = results.value;
server.state(settings.name, settings.cookie);
settings.cookie = server.states.cookies[settings.name];
const cookieOptions = {
encoding: 'iron',
password: settings.password,
isSecure: settings.isSecure, // Defaults to true
path: settings.path,
isSameSite: settings.isSameSite,
isHttpOnly: settings.isHttpOnly, // Defaults to true
clearInvalid: settings.clearInvalid,
ignoreErrors: true
};
if (settings.ttl) {
cookieOptions.ttl = settings.ttl;
}
if (settings.domain) {
cookieOptions.domain = settings.domain;
}
if (typeof settings.appendNext === 'boolean') {

@@ -138,16 +135,5 @@ settings.appendNext = (settings.appendNext ? 'next' : '');

server.state(settings.cookie, cookieOptions);
const decoration = (request) => new internals.CookieAuth(request, settings);
server.decorate('request', settings.requestDecoratorName, decoration, { apply: true });
const decoration = (request) => {
return new internals.CookieAuth(request, settings);
};
// Check if the request object should be decorated
const isDecorated = server.decorations.request.indexOf(settings.requestDecoratorName) >= 0;
if (!settings.ignoreIfDecorated || !isDecorated) {
server.decorate('request', settings.requestDecoratorName, decoration, { apply: true });
}
server.ext('onPreAuth', (request, h) => {

@@ -168,3 +154,3 @@

const session = request.state[settings.cookie];
const session = request.state[settings.name];
if (!session) {

@@ -176,3 +162,3 @@ return unauthenticated(Boom.unauthorized(null, 'cookie'));

if (settings.keepAlive) {
h.state(settings.cookie, session);
h.state(settings.name, session);
}

@@ -198,3 +184,3 @@

if (settings.keepAlive) {
h.state(settings.cookie, session);
h.state(settings.name, session);
}

@@ -208,4 +194,4 @@

if (settings.clearInvalid) {
h.unstate(settings.cookie);
if (settings.cookie.clearInvalid) {
h.unstate(settings.name);
}

@@ -245,3 +231,3 @@

else {
uri += settings.appendNext + '=' + encodeURIComponent(request.url.path);
uri += settings.appendNext + '=' + encodeURIComponent(request.url.pathname + request.url.search);
}

@@ -248,0 +234,0 @@ }
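Review bot: The new `cookie: Joi.object({ name, encoding, password, ignoreErrors }).unknown().default()` sub-schema drops the explicit `isSecure: Joi.boolean().default(true)`, `isHttpOnly` and `isSameSite: ... .default('Strict')` entries, so the plugin itself no longer pins any cookie security flag — whatever the caller passes (or omits) is forwarded verbatim via `server.state(settings.name, settings.cookie)` and the secure defaults the README in this diff still promises now depend entirely on hapi's own `server.state` defaults, which nothing in this file shows. Likewise `password: Joi.required()` replaces the old `Joi.alternatives(Joi.string(), Joi.object().type(Buffer))`, so neither the type nor the documented 32-character minimum is checked at registration; a weak or wrong-typed password presumably surfaces only when iron seals the first cookie at request time. Worth recording in the schema so the next maintainer does not assume the plugin enforces them: above `.unknown()` add `// every other key (isSecure, isHttpOnly, isSameSite, ttl, domain, path, clearInvalid, ...) is validated and defaulted by server.state(), not here - the documented secure defaults are hapi's`. If failing fast on a weak password is wanted, something like `password: Joi.alternatives(Joi.string().min(32), Joi.binary(), Joi.object()).required()` would restore a registration-time check while still admitting iron password objects. The enclosing `register` function starts before and ends after these hunks.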

{
"name": "hapi-auth-cookie",
"description": "Cookie authentication plugin",
"version": "9.1.0",
"version": "10.0.0",
"repository": "git://github.com/hapijs/hapi-auth-cookie",

@@ -22,4 +22,4 @@ "main": "lib/index.js",

"code": "5.x.x",
"hapi": "17.x.x",
"lab": "16.x.x"
"hapi": "18.x.x",
"lab": "18.x.x"
},

@@ -26,0 +26,0 @@ "scripts": {

@@ -22,16 +22,17 @@ ### hapi-auth-cookie

- `cookie` - the cookie name. Defaults to `'sid'`.
- `password` - used for Iron cookie encoding. Should be at least 32 characters long.
- `ttl` - sets the cookie expires time in milliseconds. Defaults to single browser session (ends
when browser closes). Required when `keepAlive` is `true`.
- `domain` - sets the cookie Domain value. Defaults to none.
- `path` - sets the cookie path value. Defaults to `/`.
- `clearInvalid` - if `true`, any authentication cookie that fails validation will be marked as
expired in the response and cleared. Defaults to `false`.
- `cookie` - an object with the following:
- `name` - the cookie name. Defaults to `'sid'`.
- `password` - used for Iron cookie encoding. Should be at least 32 characters long.
- `ttl` - sets the cookie expires time in milliseconds. Defaults to single browser session (ends
when browser closes). Required when `keepAlive` is `true`.
- `domain` - sets the cookie Domain value. Defaults to none.
- `path` - sets the cookie path value. Defaults to none.
- `clearInvalid` - if `true`, any authentication cookie that fails validation will be marked as
expired in the response and cleared. Defaults to `false`.
- `isSameSite` - if `false` omitted. Other options `Strict` or `Lax`. Defaults to `Strict`.
- `isSecure` - if `false`, the cookie is allowed to be transmitted over insecure connections which
exposes it to attacks. Defaults to `true`.
- `isHttpOnly` - if `false`, the cookie will not include the 'HttpOnly' flag. Defaults to `true`.
- `keepAlive` - if `true`, automatically sets the session cookie after validation to extend the
current session for a new `ttl` duration. Defaults to `false`.
- `isSameSite` - if `false` omitted. Other options `Strict` or `Lax`. Defaults to `Strict`.
- `isSecure` - if `false`, the cookie is allowed to be transmitted over insecure connections which
exposes it to attacks. Defaults to `true`.
- `isHttpOnly` - if `false`, the cookie will not include the 'HttpOnly' flag. Defaults to `true`.
- `redirectTo` - optional login URI or function `function(request)` that returns a URI to redirect unauthenticated requests to. Note that it will only

@@ -86,121 +87,164 @@ trigger when the authentication mode is `'required'`. To enable or disable redirections for a specific route,

const Hapi = require('hapi');
const internals = {};
let uuid = 1; // Use seq instead of proper unique identifiers for demo only
const users = {
john: {
id: 'john',
// Simulate database for demo
internals.users = [
{
id: 1,
name: 'john',
password: 'password',
name: 'John Doe'
},
];
internals.renderHtml = {
login: (message) => {
return `
<html><head><title>Login page</title></head><body>
${message ? '<h3>' + message + '</h3><br/>' : ''}
<form method="post" action="/login">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br/>
<input type="submit" value="Login"></form>
</body></html>
`;
},
home: (name) => {
return `
<html><head><title>Login page</title></head><body>
<h3>Welcome ${name}! You are logged in!</h3>
<form method="get" action="/logout">
<input type="submit" value="Logout">
</form>
</body></html>
`;
}
};
const home = (request, h) => {
return '<html><head><title>Login page</title></head><body><h3>Welcome ' +
request.auth.credentials.name +
'!</h3><br/><form method="get" action="/logout">' +
'<input type="submit" value="Logout">' +
'</form></body></html>';
};
internals.server = async function () {
const login = async (request, h) => {
const server = Hapi.server({ port: 8000 });
if (request.auth.isAuthenticated) {
return h.redirect('/');
}
await server.register(require('hapi-auth-cookie'));
let message = '';
let account = null;
server.auth.strategy('session', 'cookie', {
if (request.method === 'post') {
cookie: {
name: 'sid-example',
if (!request.payload.username ||
!request.payload.password) {
// Don't forget to change it to your own secret password!
password: 'password-should-be-32-characters',
message = 'Missing username or password';
}
else {
account = users[request.payload.username];
if (!account ||
account.password !== request.payload.password) {
// For working via HTTP in localhost
isSecure: false
},
message = 'Invalid username or password';
}
}
}
redirectTo: '/login',
if (request.method === 'get' ||
message) {
validateFunc: async (request, session) => {
return '<html><head><title>Login page</title></head><body>' +
(message ? '<h3>' + message + '</h3><br/>' : '') +
'<form method="post" action="/login">' +
'Username: <input type="text" name="username"><br>' +
'Password: <input type="password" name="password"><br/>' +
'<input type="submit" value="Login"></form></body></html>';
}
const account = internals.users.find((user) => (user.id = session.id));
const sid = String(++uuid);
if (!account) {
// Must return { valid: false } for invalid cookies
return { valid: false };
}
await request.server.app.cache.set(sid, { account }, 0);
request.cookieAuth.set({ sid });
return { valid: true, credentials: account };
}
});
return h.redirect('/');
};
server.auth.default('session');
const logout = (request, h) => {
server.route([
{
method: 'GET',
path: '/',
options: {
handler: (request, h) => {
request.server.app.cache.drop(request.state['sid-example'].sid);
request.cookieAuth.clear();
return h.redirect('/');
};
return internals.renderHtml.home(request.auth.credentials.name);
}
}
},
{
method: 'GET',
path: '/login',
options: {
auth: {
mode: 'try'
},
plugins: {
'hapi-auth-cookie': {
redirectTo: false
}
},
handler: async (request, h) => {
const server = Hapi.server({ port: 8000 });
if (request.auth.isAuthenticated) {
return h.redirect('/');
}
exports.start = async () => {
return internals.renderHtml.login();
}
}
},
{
method: 'POST',
path: '/login',
options: {
auth: {
mode: 'try'
},
handler: async (request, h) => {
await server.register(require('../'));
const { username, password } = request.payload;
if (!username || !password) {
return internals.renderHtml.login('Missing username or password');
}
const cache = server.cache({ segment: 'sessions', expiresIn: 3 * 24 * 60 * 60 * 1000 });
server.app.cache = cache;
// Try to find user with given credentials
server.auth.strategy('session', 'cookie', {
password: 'password-should-be-32-characters',
cookie: 'sid-example',
redirectTo: '/login',
isSecure: false,
validateFunc: async (request, session) => {
const account = internals.users.find(
(user) => user.name === username && user.password === password
);
const cached = await cache.get(session.sid);
const out = {
valid: !!cached
};
if (!account) {
return internals.renderHtml.login('Invalid username or password');
}
if (out.valid) {
out.credentials = cached.account;
request.cookieAuth.set({ id: account.id });
return h.redirect('/');
}
}
},
{
method: 'GET',
path: '/logout',
options: {
handler: (request, h) => {
return out;
request.cookieAuth.clear();
return h.redirect('/');
}
}
}
});
server.auth.default('session');
server.route([
{ method: 'GET', path: '/', options: { handler: home } },
{ method: ['GET', 'POST'], path: '/login', options: { handler: login, auth: { mode: 'try' }, plugins: { 'hapi-auth-cookie': { redirectTo: false } } } },
{ method: 'GET', path: '/logout', options: { handler: logout } }
]);
await server.start();
console.log(`Server started at: ${server.info.uri}`);
};
internals.start = async function () {
internals.start = async function() {
try {
await exports.start();
await internals.server();
}

@@ -207,0 +251,0 @@ catch (err) {
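Review bot: The new `validateFunc` in the README example resolves the session with `internals.users.find((user) => (user.id = session.id))` — a single `=` assigns `session.id` into the first user record and, being truthy for any truthy id, stops there, so `find` returns the first user for whatever id the cookie carries and the example then answers `{ valid: true, credentials: account }` for it. Because this is the reference login flow people copy, that is an authentication-bypass pattern (the cookie is iron-sealed, so forging an id still needs the password, but any legitimate session maps onto the first user and corrupts `internals.users`). It should read `const account = internals.users.find((user) => user.id === session.id);`. The `internals.start` function at the bottom of the hunk continues past its end.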

'use strict';
const Boom = require('boom');
const Code = require('code');
const Hapi = require('hapi');

@@ -11,7 +12,10 @@ const Hoek = require('hoek');

const internals = {};
const internals = {
cookieRx: /(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/
};
const lab = exports.lab = Lab.script();
const { describe, it, expect } = lab;
const { describe, it } = lab;
const { expect } = Code;

@@ -29,3 +33,3 @@

server.auth.strategy('session', 'cookie', {});
}).to.throw(Error);
}).to.throw();
});

@@ -40,3 +44,3 @@

server.auth.strategy('session', 'cookie', { password: 'password-should-be-32-characters' });
server.auth.strategy('session', 'cookie', { cookie: { password: 'password-should-be-32-characters' } });
server.auth.default('session');

@@ -53,3 +57,3 @@ }).to.not.throw();

server.auth.strategy('session', 'cookie', { password: Buffer.from('foobar') });
server.auth.strategy('session', 'cookie', { cookie: { password: Buffer.from('foobar') } });
}).to.not.throw();

@@ -66,3 +70,3 @@ });

server.auth.strategy('session', 'cookie', { validateFunc: 'not a function' });
}).to.throw(Error);
}).to.throw();
});

@@ -78,6 +82,8 @@

server.auth.strategy('session', 'cookie', {
password: 'password-should-be-32-characters',
keepAlive: true
cookie: {
password: 'password-should-be-32-characters',
keepAlive: true
}
});
}).to.throw(Error);
}).to.throw();
});

@@ -91,7 +97,9 @@

server.auth.strategy('session', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
clearInvalid: true,
name: 'special'
},
validateFunc: function (request, session) {

@@ -119,3 +127,3 @@

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -153,7 +161,9 @@ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
domain: 'example.com',
name: 'special'
},
validateFunc: function (request, session) {

@@ -179,3 +189,3 @@

path: '/multiple',
config: {
options: {
auth: {

@@ -205,7 +215,9 @@ mode: 'try',

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
domain: 'example.com',
name: 'special'
},
validateFunc: function (request, session) {

@@ -226,3 +238,3 @@

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -251,3 +263,3 @@ handler: function (request, h) {

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -258,3 +270,3 @@ const res2 = await server.inject({ method: 'GET', url: '/logout', headers: { cookie: 'special=' + cookie[1] } });

expect(res2.result).to.equal('logged-out');
expect(res2.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Domain=example.com; Path=/');
expect(res2.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Domain=example.com');
});

@@ -268,7 +280,9 @@

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
domain: 'example.com',
name: 'special'
},
validateFunc: function (request, session) {

@@ -295,7 +309,6 @@

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);
const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });
expect(res2.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Domain=example.com; Path=/');
expect(res2.headers['set-cookie'][0]).to.equal('special=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Domain=example.com');
expect(res2.statusCode).to.equal(401);

@@ -310,7 +323,9 @@ });

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
clearInvalid: false,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: false,
ttl: 60 * 1000,
domain: 'example.com',
name: 'special'
},
validateFunc: function (request, session) {

@@ -337,3 +352,3 @@

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -352,6 +367,8 @@ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -368,3 +385,3 @@ server.auth.default('default');

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -383,6 +400,8 @@ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
},
validateFunc: function (request, session) {

@@ -403,3 +422,3 @@

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -435,5 +454,7 @@ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });

server.auth.strategy('first', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'first',
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
name: 'first'
},
validateFunc: function (request, session) {

@@ -449,3 +470,3 @@

method: 'GET', path: '/login/{user}',
config: {
options: {
handler: function (request, h) {

@@ -461,3 +482,3 @@

method: 'GET', path: '/resource',
config: {
options: {
auth: { mode: 'required', strategies: ['first', 'second'] },

@@ -477,3 +498,3 @@ handler: function (request, h) {

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -495,6 +516,8 @@ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'first=' + cookie[1] } });

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
domain: 'example.com',
cookie: 'special',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
domain: 'example.com',
name: 'special'
},
validateFunc: function (request, session) {

@@ -515,3 +538,3 @@

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -540,8 +563,10 @@ handler: function (request, h) {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
path: '/example-path',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
domain: 'example.com',
path: '/example-path',
name: 'special'
},
validateFunc: function (request, session) {

@@ -564,3 +589,3 @@

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -579,8 +604,10 @@ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
path: '/subpath',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
domain: 'example.com',
path: '/subpath',
name: 'special'
},
validateFunc: function (request, session) {

@@ -597,3 +624,3 @@

method: 'GET', path: '/subpath/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -621,3 +648,3 @@ handler: function (request, h) {

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);
expect(header[0]).to.contain('Path=/subpath');

@@ -637,7 +664,9 @@

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
domain: 'example.com',
name: 'special'
},
keepAlive: true

@@ -654,3 +683,3 @@ });

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -671,7 +700,9 @@ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
domain: 'example.com',
cookie: 'special',
clearInvalid: true,
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
domain: 'example.com',
name: 'special'
},
keepAlive: true,

@@ -699,3 +730,3 @@ validateFunc: function (request, session) {

expect(header[0]).to.contain('Max-Age=60');
const cookie = header[0].match(/(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/);
const cookie = header[0].match(internals.cookieRx);

@@ -712,19 +743,2 @@ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });

it('errors if ignoreIfDecorated is false and the request object is already decorated', async () => {
const password = 'password-should-be-32-characters';
const ignoreIfDecorated = false;
const options = { password, ignoreIfDecorated };
const server = Hapi.server();
await server.register(require('../'));
server.auth.strategy('default', 'cookie', options);
expect(() => {
server.auth.strategy('default', 'cookie', options);
}).to.throw(Error);
});
describe('set()', () => {

@@ -738,6 +752,8 @@

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -748,3 +764,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -776,6 +792,8 @@ handler: function (request, h) {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -786,3 +804,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -807,3 +825,3 @@ handler: function (request, h) {

const pattern = /(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/;
const pattern = internals.cookieRx;
expect(res.result).to.equal('steve');

@@ -826,6 +844,8 @@ const header = res.headers['set-cookie'];

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -836,3 +856,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -864,6 +884,8 @@ handler: function (request, h) {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -874,3 +896,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -902,6 +924,8 @@ handler: function (request, h) {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -912,3 +936,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -943,6 +967,8 @@ handler: function (request, h) {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -953,3 +979,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -974,3 +1000,3 @@ handler: function (request, h) {

const pattern = /(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/;
const pattern = internals.cookieRx;
expect(res.result).to.equal('steve');

@@ -993,6 +1019,8 @@ const header = res.headers['set-cookie'];

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -1003,3 +1031,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -1031,6 +1059,8 @@ handler: function (request, h) {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -1041,3 +1071,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -1069,6 +1099,8 @@ handler: function (request, h) {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000,
name: 'special'
}
});

@@ -1079,3 +1111,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -1110,6 +1142,8 @@ handler: function (request, h) {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 1000,
cookie: 'special',
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 1000,
name: 'special'
}
});

@@ -1120,3 +1154,3 @@ server.auth.default('default');

method: 'GET', path: '/login/{user}',
config: {
options: {
auth: { mode: 'try' },

@@ -1142,3 +1176,3 @@ handler: function (request, h) {

const pattern = /(?:[^\x00-\x20\(\)<>@\,;\:\\"\/\[\]\?\=\{\}\x7F]+)\s*=\s*(?:([^\x00-\x20\"\,\;\\\x7F]*))/;
const pattern = internals.cookieRx;
expect(res.result).to.equal('steve');

@@ -1164,4 +1198,6 @@ const header = res.headers['set-cookie'];

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login',

@@ -1191,4 +1227,6 @@ appendNext: true

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: (request) => 'http://example.com/login?widget=' + request.query.widget,

@@ -1218,4 +1256,6 @@ appendNext: true

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: false,

@@ -1246,4 +1286,6 @@ appendNext: true

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: () => false,

@@ -1257,5 +1299,10 @@ appendNext: true

path: '/',
handler: function (request, h) {
options: {
plugins: {
'hapi-auth-cookie': {}
},
handler: function (request, h) {
return h.response('never');
return h.response('never');
}
}

@@ -1275,4 +1322,6 @@ });

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login',

@@ -1290,3 +1339,3 @@ appendNext: true

},
config: {
options: {
plugins: {

@@ -1311,4 +1360,6 @@ 'hapi-auth-cookie': {

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login?mode=1',

@@ -1338,4 +1389,6 @@ appendNext: true

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login?mode=1',

@@ -1362,7 +1415,9 @@ appendNext: false

const server = new Hapi.Server();
await server.register(require('../'));
await server.register(require('../'));
server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login?mode=1',

@@ -1399,4 +1454,6 @@ appendNext: true

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login?mode=1',

@@ -1433,4 +1490,6 @@ appendNext: { raw: true }

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login?mode=1',

@@ -1460,4 +1519,6 @@ appendNext: { name: 'return_to' }

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login?mode=1',

@@ -1487,4 +1548,6 @@ appendNext: 'done'

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login',

@@ -1496,3 +1559,3 @@ appendNext: true

server.route({
method: 'GET', path: '/', config: { auth: { mode: 'required' } }, handler: function (request, h) {
method: 'GET', path: '/', options: { auth: { mode: 'required' } }, handler: function (request, h) {

@@ -1515,4 +1578,6 @@ return h.response('required');

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login',

@@ -1524,3 +1589,3 @@ appendNext: true

server.route({
method: 'GET', path: '/', config: { auth: { mode: 'try' } }, handler: function (request, h) {
method: 'GET', path: '/', options: { auth: { mode: 'try' } }, handler: function (request, h) {

@@ -1542,4 +1607,6 @@ return h.response('try');

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
cookie: {
password: 'password-should-be-32-characters',
ttl: 60 * 1000
},
redirectTo: 'http://example.com/login',

@@ -1551,3 +1618,3 @@ appendNext: true

server.route({
method: 'GET', path: '/', config: { auth: { mode: 'optional' } }, handler: function (request, h) {
method: 'GET', path: '/', options: { auth: { mode: 'optional' } }, handler: function (request, h) {

@@ -1570,5 +1637,7 @@ return h.response('optional');

server.auth.strategy('default', 'cookie', {
password: 'password-should-be-32-characters',
ttl: 60 * 1000,
clearInvalid: true
cookie: {
password: 'password-should-be-32-characters',
clearInvalid: true,
ttl: 60 * 1000
}
});

@@ -1584,3 +1653,3 @@ server.auth.default('default');

expect(res.statusCode).to.equal(401);
expect(res.headers['set-cookie'][0]).to.equal('sid=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Path=/');
expect(res.headers['set-cookie'][0]).to.equal('sid=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict');
});

@@ -1596,5 +1665,7 @@

const options = {
cookie: 'cookieAuth',
requestDecoratorName: 'cookieAuth',
password: 'password-should-be-32-characters'
cookie: {
password: 'password-should-be-32-characters',
name: 'cookieAuth'
},
requestDecoratorName: 'cookieAuth'
};

@@ -1607,5 +1678,7 @@ server.auth.strategy('default', 'cookie', options);

const options = {
cookie: 'anotherCookieAuth',
requestDecoratorName: 'anotherCookieAuth',
password: 'password-should-be-32-characters'
cookie: {
password: 'password-should-be-32-characters',
name: 'anotherCookieAuth'
},
requestDecoratorName: 'anotherCookieAuth'
};

@@ -1615,3 +1688,2 @@ server.auth.strategy('notDefault', 'cookie', options);

});
});
