DEFRA / water-abstraction-team

Guides, info and issue management for the Water Abstraction Team

Make `session` the default auth strategy #95

Closed StuAA78 closed 9 months ago

StuAA78 commented 1 year ago

Hapi gives us the ability to apply an authentication strategy to all endpoints automatically, giving us a "secure by default" approach to authentication. Now that we have an authentication plugin which registers the session cookie authentication strategy, we can apply the strategy to all our routes by adding the following line of code:

```javascript
server.auth.default('session')
```

It's up to us whether we do this within the `AuthenticationPlugin` or if we do it in our `server.js`. Either way, once we've applied authentication to all routes by default, we may need to amend certain routes to specifically opt out of this. To do this, we simply need to follow the lead of our root controller (which has already had authentication disabled) and add `auth: false` to the route's options:

```javascript
{
  method: 'GET',
  path: '/',
  handler: RootController.index,
  options: {
    auth: false
  }
}
```

Cruikshanks commented 9 months ago

Done! See Enable and config authentication as default

We did it in app/plugins/auth.plugin.js (the plugin) if anyone was wondering 😁
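
A check that complements the default `session` strategy discussed in this issue, as an added example that is not part of the thread or the project's code: it flags routes that disable or weaken the default without being on an allowlist of intentionally public endpoints. The route paths other than `/`, the `PUBLIC_ROUTES` allowlist and both function names are assumptions made for illustration.

```javascript
// Added example. Routes are plain hapi-style route objects like the one in the issue.
// PUBLIC_ROUTES is a hypothetical allowlist of endpoints meant to be unauthenticated.
const PUBLIC_ROUTES = new Set(['GET /'])

// Classify how a route's `options.auth` interacts with server.auth.default('session').
function authPosture (route) {
  const auth = route.options ? route.options.auth : undefined
  if (auth === undefined) return 'default' // inherits the default strategy
  if (auth === false) return 'disabled' // explicit opt-out, as on the root route
  if (typeof auth === 'string') return 'strategy' // named strategy, still required
  // Object form: 'optional' and 'try' modes let unauthenticated requests through
  if (auth.mode === 'optional' || auth.mode === 'try') return 'optional'
  return 'strategy'
}

// Return every route that weakens the default but is not on the allowlist.
function findUnexpectedOptOuts (routes, allowlist = PUBLIC_ROUTES) {
  return routes
    .map((route) => ({
      id: `${route.method.toUpperCase()} ${route.path}`,
      posture: authPosture(route)
    }))
    .filter(({ id, posture }) =>
      (posture === 'disabled' || posture === 'optional') && !allowlist.has(id))
}

// Constructed sample route table (handlers stubbed; paths are hypothetical)
const sampleRoutes = [
  { method: 'GET', path: '/', handler: () => 'ok', options: { auth: false } },
  { method: 'GET', path: '/licences', handler: () => 'ok' },
  { method: 'POST', path: '/licences/{id}', handler: () => 'ok', options: { auth: 'session' } },
  { method: 'GET', path: '/export', handler: () => 'ok', options: { auth: false } },
  { method: 'GET', path: '/status', handler: () => 'ok', options: { auth: { mode: 'try' } } }
]

// Only the two routes that bypass the default without being allowlisted are reported.
console.log(JSON.stringify(findUnexpectedOptOuts(sampleRoutes), null, 2))
```

Run as a unit test or CI step, this turns each new `auth: false` into a reviewed decision: the build fails until the route is added to the allowlist on purpose.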