toymachiner62 / hapi-authorization

ACL plugin for hapijs
MIT License
80 stars 25 forks

Fixed an issue where the server would sometimes return a 500 status code instead of a 403 one #6

Closed giovannicalo closed 9 years ago

giovannicalo commented 9 years ago

Under certain circumstances, the server would throw a TypeError, thus generating a 500 response instead of a 403 (or 404) one. This fixes the problem.

In particular, when the plugin is enabled by default on all routes, all non-existent routes would throw the following error:

TypeError: Cannot read property 'role' of null
at Object.exports.checkRoles ([...]\hapi-authorization\lib\acl.js:19:31)
[...]

and result in a 500 status code in the response:

{
    "statusCode": 500,
    "error": "Internal Server Error",
    "message": "An internal server error occurred"
}

instead of the intended 403 or 404 one. I simply added one more check to make sure the user object exists and is non-empty before trying to access its members. I chose to leave the response status code as 403 as not disclosing existing routes helps maintain higher security.

I originally tested this against the NPM version of the package, which is slightly different from the Git version, so I had to edit some more code in order to make it work as intended. I also fixed a couple of linting errors on my way.
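The failure mode described in this PR, as an added illustration that is not hapi-authorization's own code: an unguarded role check dereferences `user.role` on a null user and throws a TypeError, which hapi reports as a 500, while the guarded version verifies that the user object exists and is non-empty first and answers 403 in both the "no credentials" and "wrong role" cases, so unknown routes are not distinguishable from forbidden ones. The function names (`checkRolesUnguarded`, `checkRoles`, `statusFor`), the `AccessError` class, the shape of `user` (an object with a `role` string) and the sample users are assumptions made for the example.

```javascript
// Added example, not the plugin's code. Names, error class and the
// { role: '...' } user shape are assumptions for illustration.

class AccessError extends Error {
  constructor(statusCode, message) {
    super(message);
    this.statusCode = statusCode;
  }
}

// Unguarded check, mirroring the bug: with a null user, `user.role`
// throws a TypeError, which the framework would surface as a 500.
function checkRolesUnguarded(user, allowedRoles) {
  if (allowedRoles.indexOf(user.role) === -1) {
    throw new AccessError(403, 'Unauthorized');
  }
  return true;
}

// Guarded check: confirm the user object exists and is non-empty before
// reading its members. A missing user is denied with 403 rather than 404
// so that the existence of a route is not disclosed to unauthenticated callers.
function checkRoles(user, allowedRoles) {
  if (!user || typeof user !== 'object' || Object.keys(user).length === 0) {
    throw new AccessError(403, 'Unauthorized');
  }
  if (allowedRoles.indexOf(user.role) === -1) {
    throw new AccessError(403, 'Unauthorized');
  }
  return true;
}

// Maps the outcome of a check to the HTTP status a handler would send:
// AccessError -> its statusCode; any other exception (e.g. TypeError) -> 500.
function statusFor(check, user, allowedRoles) {
  try {
    check(user, allowedRoles);
    return 200;
  } catch (err) {
    return err instanceof AccessError ? err.statusCode : 500;
  }
}

// Constructed sample users
const admin = { role: 'ADMIN' };
const guest = { role: 'GUEST' };
const anonymous = null;   // no credentials attached, e.g. request to an unknown route
const emptyUser = {};

// Side-by-side demonstration of the two implementations
for (const [label, user] of [['admin', admin], ['guest', guest], ['anonymous', anonymous], ['empty', emptyUser]]) {
  console.log(
    `${label}: unguarded=${statusFor(checkRolesUnguarded, user, ['ADMIN'])}` +
    ` guarded=${statusFor(checkRoles, user, ['ADMIN'])}`
  );
}
```

Running the block prints one line per sample user; the only row where the two implementations differ is the anonymous (null) user, which the unguarded check turns into a 500 and the guarded check into a 403.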