Setting `plugins.crumb: false` on a route does not disable crumb validation

[fjeldstad]

Runtime

node.js

Runtime version

20

Module version

9.0.1

Last module version without issue

No response

Used with

hapi

Any other relevant information

From the documentation:

Additionally, some configuration can be passed on a per-route basis. Disable Crumb for a particular route by passing false instead of a configuration object.

This test case verifies the expected behaviour with regards to setting route.options.plugins.crumb: false:

it('does not validate crumb when route.options.plugins.crumb is false', async () => {
    const server = Hapi.server();
    server.route({
        method: 'POST',
        path: '/1',
        options: {
            plugins: {
                crumb: false
            }
        },
        handler: (request, h) => 'test'
    });
    const plugins = [
        {
            plugin: Crumb,
        }
    ];
    await server.register(plugins);
    const headers = {
        'X-API-Token': 'test'
    };
    const res = await server.inject({
        method: 'POST',
        url: '/1',
        headers
    });
    const header = res.headers['set-cookie'];
    expect(res.statusCode).to.equal(200);
    expect(header).to.not.exist();
});

What are you trying to achieve or the steps to reproduce?

I want to disable crumb validation/generation for a specific route, without using the skip option (to keep concerns separated). I therefore set route.options.plugins.crumb: false as suggested by the documentation.

What was the result you got?

The crumb validation runs and a new cookie value is returned.

What result did you expect?

The crumb validation should not run, no cookie should be set.