Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document requirement for cookie path when using paths other than /login #234

Open
tristanradams opened this issue Feb 8, 2021 · 2 comments
Labels
documentation Non-code related changes

Comments

@tristanradams
Copy link

Context

  • node version: 14.15.4
  • module version: 11.0.2

What are you trying to achieve or the steps to reproduce ?

We wasted several hours trying to configure our login page to be something other than /login, in the example below we tried using /foo.login. After asking in the Hapi slack channel, it was pointed out to us that if you do not assign the cookie a path, it defaults to null and only works with the path /login and therefore breaks the code if you do not specify it as / for a different path. It would be appreciated if the documentation was updated with this an example or highlight that the path must be noted if you wish to using anything other than the default.

const Bcrypt = require('bcrypt');

// create a server with a host and port
const server = new Hapi.Server({
    host: 'localhost',
    port: 3000
})

const users = [
    {
        username: 'john',
        password: '$2a$10$iqJSHD.BGr0E2IxQwYgJmeP3NvhPrXAeLSaGCj6IR/XU5QtjVu5Tm',   // 'secret'
        name: 'John Doe',
        id: '2133d32a'
    }
];


async function start () {
    await server.register(require('@hapi/cookie'));

    server.auth.strategy('session', 'cookie', {
        cookie: {
            name: 'sid-example',
            password: '!wsYhFA*C2U6nz=Bu^%A@^F#SF3&kSR6',
            isSecure: false,
            path: '/'
        },
        redirectTo: '/foo/login',
        validateFunc: async (request, session) => {

            const account = await users.find(
                (user) => (user.id === session.id)
            );

            if (!account) {

                return { valid: false };
            }

            return { valid: true, credentials: account };
        }
    });

    server.auth.default('session');

    server.route([
        {
            method: 'GET',
            path: '/',
            handler: function (request, h) {

                return 'Welcome to the restricted home page!';
            }
        },
        {
            method: 'GET',
            path: '/foo/login',
            handler: function (request, h) {

                return ` <html>
                            <head>
                                <title>Login page</title>
                            </head>
                            <body>
                                <h3>Please Log In</h3>
                                <form method="post" action="/foo/login">
                                    Username: <input type="text" name="username"><br>
                                    Password: <input type="password" name="password"><br/>
                                <input type="submit" value="Login"></form>
                            </body>
                        </html>`;
            },
            options: {
                auth: false
            }
        },
        {
            method: 'POST',
            path: '/foo/login',
            handler: async (request, h) => {

                const { username, password } = request.payload;
                const account = users.find(
                    (user) => user.username === username
                );

                if (!account || !(await Bcrypt.compare(password, account.password))) {

                    return h.view('/foo/login');
                }

                request.cookieAuth.set({ id: account.id });

                return h.redirect('/');
            },
            options: {
                auth: {
                    mode: 'try'
                }
            }
        }
    ]);



    // start your server
    try {
        await server.start()
    } catch (err) {
        console.error(err)
        process.exit(1)
    }



    console.log('Server running at: ', server.info.uri)
}

start()
@tristanradams tristanradams added the documentation Non-code related changes label Feb 8, 2021
@Nargonath
Copy link
Member

Thank you @tristanradams for raising the issue. Would you like to open a PR to improve the documentation?

@Gastonite
Copy link

Gastonite commented Oct 26, 2023

I've spent hours to understand why the example didn't work when changing auth route path to be prefixed with /auth, I think it would be a good thing to just add the following to the example with a comment:

cookie: {
  ...
  path: '/', // Required to use a different login route path (like /auth/login)
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Non-code related changes
Projects
None yet
Development

No branches or pull requests

3 participants