hapi
Error responses include state
Support plan
- is this issue currently blocking your project? (yes/no): no
- is this issue affecting a production system? (yes/no): no
Context
- node version:
- module version with issue: 20.2.0
- last module version without issue:
- environment (e.g. node, browser, native): node
- used with (e.g. hapi application, another framework, standalone, ...):
- any other relevant information:
The 'set-cookie' header is generated for responses here:
https://github.com/hapijs/hapi/blob/7b4d7d89bb5be734aa23b75a89117ae279c4069e/lib/headers.js#L104-L110
It does not use information from response to generate this. Only from the request.
What are you trying to achieve or the steps to reproduce?
Created a test case to demonstrate:
it('does not set cookie on response errors', async () => {

    const server = Hapi.server();
    server.state('data', { encoding: 'base64json' });
    server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('ok').state('data', { b: 3 }) });

    // The extension waits 50 ms but is only allowed 1 ms, so the request ends in a 500
    server.ext('onPostHandler', () => Hoek.wait(50), { timeout: 1 });

    const res = await server.inject('/');
    expect(res.statusCode).to.equal(500);
    expect(res.headers['set-cookie']).to.not.exist();
});
What was the result you got?
Expected [ 'data=eyJiIjozfQ==; Secure; HttpOnly; SameSite=Strict' ] to not exist
What result did you expect?
Pass.
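A simplified model of the behaviour reported above, added here as an example; it is not hapi's code and not part of the original issue. `runRequest`, its `scope` option and the object shapes are hypothetical, and the `response` scope shows one possible way to avoid the leak in this model, not hapi's actual fix.

```javascript
// Simplified model (constructed for illustration; not hapi's implementation).
// Cookie state queued by the handler lives in a store. If that store belongs
// to the request, the header writer cannot tell that the handler's response
// was later replaced by an error response.

const encodeBase64Json = (value) => Buffer.from(JSON.stringify(value)).toString('base64');

function runRequest({ failAfterHandler, scope }) {

    const request = { states: {} };

    // Handler: builds the 'ok' response and queues the cookie `data`.
    let response = { statusCode: 200, payload: 'ok', states: {} };
    const store = scope === 'request' ? request.states : response.states;
    store.data = { b: 3 };

    // A later lifecycle step fails (the test case uses an extension timeout),
    // so the handler's response is discarded and an error response is sent.
    if (failAfterHandler) {
        response = { statusCode: 500, payload: 'Internal Server Error', states: {} };
    }

    // Header generation: 'request' scope mirrors the reported behaviour,
    // 'response' scope only emits state attached to the response being sent.
    const source = scope === 'request' ? request.states : response.states;
    const cookies = Object.entries(source).map(
        ([name, value]) => `${name}=${encodeBase64Json(value)}; Secure; HttpOnly; SameSite=Strict`
    );

    const headers = cookies.length ? { 'set-cookie': cookies } : {};
    return { statusCode: response.statusCode, headers };
}

// Reported behaviour: the 500 still carries the handler's cookie.
const leaked = runRequest({ failAfterHandler: true, scope: 'request' });
console.log(leaked.statusCode, leaked.headers['set-cookie']);

// Response-scoped state: the 500 carries no cookie, the 200 still does.
const clean = runRequest({ failAfterHandler: true, scope: 'response' });
console.log(clean.statusCode, clean.headers['set-cookie']);
```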
Good catch, thanks @kanongil.
I caught it during my recent investigations into abort handling. Here I found that autoValue is unintentionally called twice when it returns an error, since it calls it again when trying to marshal an error.