State autoValue function overwrites existing cookie value #3831

Closed
stuartalexwhitehead opened this issue Oct 16, 2018 · 5 comments

@stuartalexwhitehead stuartalexwhitehead commented Oct 16, 2018

Are you sure this is an issue with the hapi core module or are you just looking for some help?

Yeah—either an issue with hapi core, or a doc issue within API.md.

Is this a security related issue?

Nah.

What are you trying to achieve or the steps to reproduce?

I’ve been configuring a state autoValue.

My goal is this: if the cookie does not exist, it should be set with an automatically generated value. If it does exist, the value should be left as-is.

The documentation in API.md describes this option:

autoValue - if present and the cookie was not received from the client or explicitly set by the route handler, the cookie is automatically added to the response with the provided value. The value can be a function with signature async function(request)

What was the result you received?

Using this sample script:

const Hapi = require('hapi');

const server = Hapi.server({
    port: 3000,
    host: 'localhost'
});

server.state('test-cookie', {
    isSecure: false,
    autoValue: async () => `${new Date().getTime()}`,
});

server.route({
    method: 'GET',
    path: '/',
    handler: () => 'Test Cookie',
});

const init = async () => {
    await server.start();
    console.log(`Server running at: ${server.info.uri}`);
};

init();

  1. First request made without a cookie: a new cookie is set, with value from autoValue
  2. Second request made with cookie: cookie is overwritten, with value from autoValue

What did you expect?

  1. First request made without a cookie: a new cookie is set, with value from autoValue
  2. Second request made with cookie: cookie value is left as-is

Context

  • node version: 10.12.0
  • hapi version: 17.6.0
  • os: Mac OSX High Sierra (10.13.6)
  • any other relevant information:

@kanongil kanongil commented Oct 17, 2018

While your test is flawed (you need to set isSecure: false on the state), the issue is real, and autoValue is set, regardless of the client supplied cookie.

@kanongil kanongil added the bug label Oct 17, 2018
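
The rule quoted from API.md in the issue above (apply autoValue only when the cookie was neither received from the client nor set by the handler), written out as an added example. It is not part of the thread and is not hapi's code; every function name and the sample requests are assumptions made for illustration.

```javascript
// Added illustration, not hapi's implementation. All names here are hypothetical.

// Parse a Cookie request header into a name -> value map (exact names only).
function parseCookieHeader(header) {
    const received = new Map();
    for (const pair of (header || '').split(';')) {
        const eq = pair.indexOf('=');
        if (eq > 0) {
            received.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
        }
    }
    return received;
}

// Names of states whose autoValue must be applied: the definition has an
// autoValue, the client did not send the cookie, and the handler did not set it.
function statesNeedingAutoValue(definitions, cookieHeader, handlerSet) {
    const received = parseCookieHeader(cookieHeader);
    return Object.keys(definitions).filter((name) =>
        definitions[name].autoValue !== undefined &&
        !received.has(name) &&
        !Object.prototype.hasOwnProperty.call(handlerSet, name));
}

// Cookies to send on the response: handler-set values, plus autoValues where
// the rule above allows. autoValue may be a literal or an async function(request).
async function buildResponseCookies(definitions, request, handlerSet = {}) {
    const out = { ...handlerSet };
    const pending = statesNeedingAutoValue(definitions, request.headers.cookie, handlerSet);
    for (const name of pending) {
        const auto = definitions[name].autoValue;
        out[name] = typeof auto === 'function' ? await auto(request) : auto;
    }
    return out;
}

// Constructed sample input mirroring the issue's 'test-cookie' state.
const definitions = { 'test-cookie': { autoValue: async () => `${Date.now()}` } };
const firstVisit = { headers: {} };
const returnVisit = { headers: { cookie: 'other=1; test-cookie=1539700000000' } };

buildResponseCookies(definitions, firstVisit).then((c) => console.log('first visit:', c));
buildResponseCookies(definitions, returnVisit).then((c) => console.log('return visit:', c));
```

On the return visit the result is empty, so the client's existing value is left untouched, which is the behaviour the reporter expected.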

@stuartalexwhitehead stuartalexwhitehead commented Oct 17, 2018

Ah true! My apologies, I’ve updated the sample for clarity (I originally tested behind an HTTPS proxy).

Thanks for the confirmation. Would you like any help to resolve?


@kanongil kanongil commented Oct 23, 2018

A PR with one or more failing test cases is always welcome.

You can also take a stab at fixing the issue. I suspect a fix should be somewhat approachable.

dominykas added a commit to dominykas/hapi that referenced this issue Nov 17, 2018

@dominykas dominykas commented Nov 17, 2018

Fixed in #3879

@hueniverse hueniverse added this to the 18.0.0 milestone Jan 6, 2019