hapijs / crumb

CSRF crumb generation and validation for hapi

cookie not being parsed into request.headers instead still in request.state.crumb #125

Closed fullstackwebdev closed 5 years ago

fullstackwebdev commented 5 years ago

Hi,

I think I am missing something because when I reach line https://github.com/hapijs/crumb/blob/master/lib/index.js#L159

it cannot find the value for the crumb header. It is not assigning the value to headers['X-CSRF-Token'].

if I change this line to include || request.state.crumb it works.

            const header = request.headers[settings.headerName.toLowerCase()] || request.state.crumb;

it works fine

What puts the cookie into request.headers['X-CSRF-Token']?

Here is a screenshot showing the modified code || request.state.crumb but hovering over request.headers to show it is missing, and then fails.

screenshot from 2018-11-28 09-49-22

npm ls | grep hapi

├─┬ hapi@17.7.0
├─┬ hapi-align-json@2.0.0
├─┬ hapi-auth-cookie@9.0.0
...
{
            // A https://github.com/hapijs/crumb
            plugin  : crumb,
            options : {
                restful       : true,
                cookieOptions : {
                    // A https://hapijs.com/api#serverstatename-options
                    isSecure : false
                },
                logUnauthorized : true,
                //enforce         : false
            }
        }

I tried true/false for various options

spanditcaa commented 5 years ago

@fullstackwebdev per the readme,

restful - RESTful mode that validates crumb tokens from "X-CSRF-Token" request header for POST, PUT, PATCH and DELETE server routes. Disables payload/query crumb validation. Defaults to false.

In this scenario, your front end - either client side or a server side layer ahead of a restful hapi API server would set the crumb value as the "X-CSRF-token" header. It is lowercased in crumb as hapi transforms all headers to lowercase.

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.