State autoValue function overwrites existing cookie value #3831

Closed
stuartalexwhitehead opened this Issue Oct 16, 2018 · 4 comments

stuartalexwhitehead commented Oct 16, 2018

Are you sure this is an issue with the hapi core module or are you just looking for some help?

Yeah—either an issue with hapi core, or a doc issue within API.md.

Is this a security related issue?

Nah.

What are you trying to achieve or the steps to reproduce?

I’ve been configuring a state autoValue.

My goal is this: if the cookie does not exist, it should be set with an automatically generated value. If it does exist, the value should be left as-is.

The documentation in API.md describes this option:

autoValue - if present and the cookie was not received from the client or explicitly set by the route handler, the cookie is automatically added to the response with the provided value. The value can be a function with signature async function(request)

What was the result you received?

Using this sample script:

const Hapi = require('hapi');

const server = Hapi.server({
    port: 3000,
    host: 'localhost'
});

server.state('test-cookie', {
    isSecure: false,
    autoValue: async () => `${new Date().getTime()}`,
});

server.route({
    method: 'GET',
    path: '/',
    handler: () => 'Test Cookie',
});

const init = async () => {
    await server.start();
    console.log(`Server running at: ${server.info.uri}`);
};

init();

  1. First request made without a cookie: a new cookie is set, with value from autoValue
  2. Second request made with cookie: cookie is overwritten, with value from autoValue

What did you expect?

  1. First request made without a cookie: a new cookie is set, with value from autoValue
  2. Second request made with cookie: cookie value is left as-is

Context

  • node version: 10.12.0
  • hapi version: 17.6.0
  • os: Mac OSX High Sierra (10.13.6)
  • any other relevant information:
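
The autoValue rule quoted from API.md above, written out as a stand-alone model of the expected behaviour. This is an added example, not code from hapi or from anyone in this thread; `parseCookieHeader`, `statesNeedingAutoValue` and `autoSetCookies` are hypothetical names, and the cookie parser is deliberately simplified.

```javascript
// Simplified Cookie header parser: "a=1; b=2" -> Map { a => '1', b => '2' }.
function parseCookieHeader(header) {
    const received = new Map();
    for (const pair of (header || '').split(';')) {
        const idx = pair.indexOf('=');
        if (idx > 0) {
            received.set(pair.slice(0, idx).trim(), pair.slice(idx + 1).trim());
        }
    }
    return received;
}

// Documented rule: apply autoValue only when it is configured, the cookie was
// not received from the client, and the route handler did not set it itself.
function statesNeedingAutoValue(definitions, cookieHeader, handlerSet = []) {
    const received = parseCookieHeader(cookieHeader);
    return Object.keys(definitions).filter((name) =>
        definitions[name].autoValue !== undefined &&
        !received.has(name) &&
        !handlerSet.includes(name));
}

// autoValue may be a plain value or an async function(request).
async function autoSetCookies(definitions, request, handlerSet = []) {
    const cookies = [];
    for (const name of statesNeedingAutoValue(definitions, request.headers.cookie, handlerSet)) {
        const auto = definitions[name].autoValue;
        const value = typeof auto === 'function' ? await auto(request) : auto;
        cookies.push(`${name}=${value}`);
    }
    return cookies;
}

// Constructed sample mirroring the state definition in the issue.
const definitions = {
    'test-cookie': { isSecure: false, autoValue: async () => `${new Date().getTime()}` }
};

// Two requests: the first carries no cookie, the second sends back the one it was given.
async function demo() {
    const first = await autoSetCookies(definitions, { headers: {} });
    const second = await autoSetCookies(definitions, { headers: { cookie: first[0] } });
    return { first, second };
}

demo().then(({ first, second }) => console.log({ first, second }));
```

Under this rule the second request yields an empty list, which is the "left as-is" outcome listed under "What did you expect?".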

Member

kanongil commented Oct 17, 2018

While your test is flawed (you need to set isSecure: false on the state), the issue is real, and autoValue is set, regardless of the client supplied cookie.

kanongil added the bug label Oct 17, 2018

Author

stuartalexwhitehead commented Oct 17, 2018

Ah true! My apologies, I’ve updated the sample for clarity (I originally tested behind an HTTPS proxy).

Thanks for the confirmation. Would you like any help to resolve?

Member

kanongil commented Oct 23, 2018

A PR with one or more failing test cases is always welcome.

You can also take a stab at fixing the issue. I suspect a fix should be somewhat approachable.

dominykas added a commit to dominykas/hapi that referenced this issue Nov 17, 2018

Contributor

dominykas commented Nov 17, 2018

Fixed in #3879

hueniverse added this to the 18.0.0 milestone Jan 6, 2019
