hapijs
Document requirement for cookie path when using paths other than /login
Context
- node version: 14.15.4
- module version: 11.0.2
What are you trying to achieve or the steps to reproduce ?
We wasted several hours trying to configure our login page to be something other than /login, in the example below we tried using /foo.login. After asking in the Hapi slack channel, it was pointed out to us that if you do not assign the cookie a path, it defaults to null and only works with the path /login and therefore breaks the code if you do not specify it as / for a different path. It would be appreciated if the documentation was updated with this an example or highlight that the path must be noted if you wish to using anything other than the default.
const Bcrypt = require('bcrypt');
// create a server with a host and port
const server = new Hapi.Server({
host: 'localhost',
port: 3000
})
const users = [
{
username: 'john',
password: '$2a$10$iqJSHD.BGr0E2IxQwYgJmeP3NvhPrXAeLSaGCj6IR/XU5QtjVu5Tm', // 'secret'
name: 'John Doe',
id: '2133d32a'
}
];
async function start () {
await server.register(require('@hapi/cookie'));
server.auth.strategy('session', 'cookie', {
cookie: {
name: 'sid-example',
password: '!wsYhFA*C2U6nz=Bu^%A@^F#SF3&kSR6',
isSecure: false,
path: '/'
},
redirectTo: '/foo/login',
validateFunc: async (request, session) => {
const account = await users.find(
(user) => (user.id === session.id)
);
if (!account) {
return { valid: false };
}
return { valid: true, credentials: account };
}
});
server.auth.default('session');
server.route([
{
method: 'GET',
path: '/',
handler: function (request, h) {
return 'Welcome to the restricted home page!';
}
},
{
method: 'GET',
path: '/foo/login',
handler: function (request, h) {
return ` <html>
<head>
<title>Login page</title>
</head>
<body>
<h3>Please Log In</h3>
<form method="post" action="/foo/login">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br/>
<input type="submit" value="Login"></form>
</body>
</html>`;
},
options: {
auth: false
}
},
{
method: 'POST',
path: '/foo/login',
handler: async (request, h) => {
const { username, password } = request.payload;
const account = users.find(
(user) => user.username === username
);
if (!account || !(await Bcrypt.compare(password, account.password))) {
return h.view('/foo/login');
}
request.cookieAuth.set({ id: account.id });
return h.redirect('/');
},
options: {
auth: {
mode: 'try'
}
}
}
]);
// start your server
try {
await server.start()
} catch (err) {
console.error(err)
process.exit(1)
}
console.log('Server running at: ', server.info.uri)
}
start()
Thank you @tristanradams for raising the issue. Would you like to open a PR to improve the documentation?
I've spent hours to understand why the example didn't work when changing auth route path to be prefixed with /auth, I think it would be a good thing to just add the following to the example with a comment:
cookie: {
...
path: '/', // Required to use a different login route path (like /auth/login)
}
