hapijs / hapi

The Simple, Secure Framework Developers Trust
https://hapi.dev

Sandbox default auth strategy #4155

Open brianle1301 opened 4 years ago

brianle1301 commented 4 years ago

Support plan

Context

What problem are you trying to solve?

I want to sandbox the default strategy set in a plugin. Since server.auth.strategy() is sandboxed, it would make sense to sandbox server.auth.default() as well. In my case, I have 2 plugins, one for the API and the other is for the site renderer. The API has session strategy by default, but because server.auth.default() is not sandboxed, all the routes registered by the renderer have the same default strategy.

(There are of course several workarounds to this issue, such as using server.rules() or setting auth: false in the renderer, but I would like to see a more consistent sandboxing behaviour).

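    const Hapi = require('@hapi/hapi');
    const Cookie = require('@hapi/cookie');

    const Api = {
        name: 'api',
        async register(server) {
            await server.register(Cookie);
            server.auth.strategy('session', 'cookie', {});      // Cookie options omitted
            server.auth.default('session');                     // Applies to the whole server
        }
    };

    const Renderer = {
        name: 'renderer',
        register(server) {
            server.route({ path: '/{p*}', method: 'GET', handler() {} });      // Uses session by default
        }
    };

    async function bootstrap() {
        const server = new Hapi.Server();

        // Plugins are passed as an array; a second argument would be read as options
        await server.register([Api, Renderer]);
    }

    bootstrap();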

Do you have a new or modified API suggestion to solve the problem?

N/A

devinivy commented 4 years ago

I agree that it would be great for there to be a way to set a default auth strategy locally to a plugin. And furthermore, it would be great to unify the different ways of talking about when something acts server-wide, within a plugin, or within a plugin but "inheriting" via the plugin registration ("realm") hierarchy. Here are a few examples of different behaviors:

It is a fair amount of work, but some day it might be nice to take this all in and unify some of these behaviors/APIs as well as the language we use around them.

brianle1301 commented 4 years ago

@devinivy I'm sure server.auth.strategy is sandboxed. Not sure about server.auth.scheme though.

devinivy commented 4 years ago

I think this is a valid discussion about server.auth.default() whether or not server.auth.strategy() is sandboxed, but I do believe that it is not sandboxed. Perhaps it seems that way because you are trying to use the strategy in one plugin before it is defined in another. This example gives us a server that initializes properly, though:

    const server = Hapi.server();

    await server.register({
        name: 'x',
        register: (srv) => {

            srv.auth.scheme('my-scheme', () => ({ authenticate: () => null }));
            srv.auth.strategy('my-strategy', 'my-scheme');
        }
    });

    await server.register({
        name: 'y',
        register: (srv) => {

            srv.route({
                method: 'get',
                path: '/',
                options: {
                    auth: 'my-strategy',
                    handler: () => null
                }
            });
        }
    });

    await server.initialize();

brianle1301 commented 4 years ago

Oh yeah @devinivy you're right. Would be nice if it is sandboxed as well.
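
An added example, not part of the thread or of hapi's own code: a startup check that lists routes which silently pick up the server-wide default strategy discussed above, grouped by the plugin that registered them. It assumes hapi's `server.table()` and `server.auth.lookup(route)`, and that a route with no auth setting has `settings.auth` undefined; the function names, the stand-in server object and its routes are constructed for illustration.

```javascript
// Returns one record per route that has no auth setting of its own and so
// falls back to whatever server.auth.default() was given anywhere on the server.
// `allowInherit` (hypothetical parameter) names plugins meant to rely on the default.
function auditInheritedAuth(server, allowInherit = []) {
    const findings = [];
    for (const route of server.table()) {
        if (route.settings.auth !== undefined) {
            continue;                                   // explicit strategy or auth: false
        }
        const plugin = route.realm.plugin || '(root)';  // realm.plugin is unset on the root server
        if (allowInherit.includes(plugin)) {
            continue;
        }
        const effective = server.auth.lookup(route);    // route config, else the default
        findings.push({
            plugin,
            method: route.method,
            path: route.path,
            strategies: effective ? effective.strategies : [],
            mode: effective ? effective.mode : 'none'
        });
    }
    return findings;
}

// Constructed stand-in for a server after registering the 'api' and 'renderer'
// plugins from the issue; only the two members the audit reads are modelled.
function makeSampleServer() {
    const defaultAuth = { strategies: ['session'], mode: 'required' };
    const routes = [
        { method: 'get', path: '/api/me', realm: { plugin: 'api' }, settings: {} },
        { method: 'get', path: '/{p*}', realm: { plugin: 'renderer' }, settings: {} },
        { method: 'get', path: '/health', realm: { plugin: 'renderer' }, settings: { auth: false } }
    ];
    return {
        table: () => routes,
        auth: {
            lookup: (r) => (r.settings.auth === false ? false : r.settings.auth || defaultAuth)
        }
    };
}

// Only the renderer's catch-all route is reported: it inherits 'session' unintentionally.
console.log(auditInheritedAuth(makeSampleServer(), ['api']));
```

Against a real server, call `auditInheritedAuth(server, ['api'])` after all plugins are registered and fail startup when the result is non-empty.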