State autoValue function overwrites existing cookie value #3831

Closed
stuartalexwhitehead opened this issue Oct 16, 2018 · 5 comments · Fixed by #3879

@stuartalexwhitehead

stuartalexwhitehead commented Oct 16, 2018

Are you sure this is an issue with the hapi core module or are you just looking for some help?

Yeah—either an issue with hapi core, or a doc issue within API.md.

Is this a security related issue?

Nah.

What are you trying to achieve or the steps to reproduce?

I’ve been configuring a state autoValue.

My goal is this: if the cookie does not exist, it should be set with an automatically generated value. If it does exist, the value should be left as-is.

The documentation in API.md describes this option:

autoValue - if present and the cookie was not received from the client or explicitly set by the route handler, the cookie is automatically added to the response with the provided value. The value can be a function with signature async function(request)

What was the result you received?

Using this sample script:

```js
const Hapi = require('hapi');

const server = Hapi.server({
    port: 3000,
    host: 'localhost'
});

server.state('test-cookie', {
    isSecure: false,
    autoValue: async () => `${new Date().getTime()}`,
});

server.route({
    method: 'GET',
    path: '/',
    handler: () => 'Test Cookie',
});

const init = async () => {
    await server.start();
    console.log(`Server running at: ${server.info.uri}`);
};

init();
```

  1. First request made without a cookie: a new cookie is set, with value from autoValue
  2. Second request made with cookie: cookie is overwritten, with value from autoValue


What did you expect?

  1. First request made without a cookie: a new cookie is set, with value from autoValue
  2. Second request made with cookie: cookie value is left as-is

Context

  • node version: 10.12.0
  • hapi version: 17.6.0
  • os: Mac OSX High Sierra (10.13.6)
  • any other relevant information:
@kanongil
Contributor

While your test is flawed (you need to set isSecure: false on the state), the issue is real, and autoValue is set, regardless of the client supplied cookie.

@kanongil kanongil added the bug Bug or defect label Oct 17, 2018
@stuartalexwhitehead
Author

Ah true! My apologies, I’ve updated the sample for clarity (I originally tested behind an HTTPS proxy).

Thanks for the confirmation. Would you like any help to resolve?

@kanongil
Contributor

A PR with one or more failing test cases is always welcome.

You can also take a stab at fixing the issue. I suspect a fix should be somewhat approachable.

@dominykas
Contributor

Fixed in #3879

@hueniverse hueniverse added this to the 18.0.0 milestone Jan 6, 2019
@lock

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 9, 2020
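
The autoValue rule quoted from API.md in the report, modelled as an added example (not hapi's code and not written by anyone in this thread). `parseCookieHeader`, `resolveResponseStates` and `demo` are hypothetical names, the cookie parsing is deliberately minimal, and the cookie values are constructed.

```javascript
// Added illustration; not hapi's implementation. All names here are hypothetical.

// Minimal Cookie header parser: "a=1; b=2" -> Map { a => '1', b => '2' }.
// Assumption: no quoted values or encoding, which a real parser must handle.
function parseCookieHeader(header) {
    const received = new Map();
    for (const raw of (header || '').split(';')) {
        const pair = raw.trim();
        const idx = pair.indexOf('=');
        if (idx > 0) {
            received.set(pair.slice(0, idx), pair.slice(idx + 1));
        }
    }
    return received;
}

// Returns a Map of the cookies to send as Set-Cookie for one response.
// definitions:   Map of name -> { autoValue }, as registered with server.state()
// handlerStates: Map of name -> value set explicitly by the route handler
async function resolveResponseStates(definitions, cookieHeader, handlerStates, request) {
    const received = parseCookieHeader(cookieHeader);
    const toSet = new Map(handlerStates);            // explicit handler values are kept
    for (const [name, def] of definitions) {
        if (def.autoValue === undefined) continue;   // no autoValue configured
        // Documented rule: skip when the client sent the cookie or the handler set it.
        if (received.has(name) || toSet.has(name)) continue;
        const value = typeof def.autoValue === 'function'
            ? await def.autoValue(request)
            : def.autoValue;
        toSet.set(name, value);
    }
    return toSet;
}

// Constructed sample mirroring the report: first request without the cookie,
// second request with it.
async function demo() {
    const defs = new Map([['test-cookie', { autoValue: async () => `${Date.now()}` }]]);
    const first = await resolveResponseStates(defs, undefined, new Map(), {});
    const second = await resolveResponseStates(defs, 'test-cookie=1539736153000', new Map(), {});
    return { firstSets: first.has('test-cookie'), secondSets: second.has('test-cookie') };
}
```

With the `received.has(name)` check removed, the second request in `demo()` would set the cookie again, which is the behaviour the report describes.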