Registering two strategies

[antony]

Hi,

I have a scenario whereby I have a consumer api and a merchant api. These APIs use different cookies - one called 'merchant' and one called 'consumer'.

I notice from the documentation that the cookie-auth 'scheme' cannot be registered more than once (due to request decoration). Does this therefore imply that I can't set up two strategies (using server.auth.strategy(...)), one for consumer and one for merchant, and use:

auth: {
  strategy: 'merchant' // or consumer
}

to validate authentication on different routes?

The reason I ask is that since registering the consumer strategy, it seems that my merchant login endpoint is returning a cookie named after the consumer strategy, even though the route auth configuration is correct.

If so - is there a way around this with some code changes to the module? Or would it require a significant rework?

Thanks in advance,
Antony

[jaybrueder]

Also a problem I am facing right now!

[mtharrison]

Can you show a small example of code to illustrate the issue? You should be able to register as many strategies as you like, provided you only want to authenticate with one of them per route.

[jaybrueder]

Here is an example form my project.

I want to define two auth strategies. One for the User model and one for the Admin model.

//excerpt von server.js
server.register(require('hapi-auth-cookie'), function (err) {
    if (err) console.log(err);

    server.auth.strategy('user', 'cookie', {
      password: 'abcdefghijklmnopqrstuvwxyz123456',
      redirectTo: '/login',
      isSecure: false
    });

    server.auth.strategy('admin', 'cookie', {
      password: 'abcdefghijklmnopqrstuvwxyz654321',
      redirectTo: '/admin/login',
      isSecure: false
    });

});

If I try to start the server with this code, I get the following error message:

/Users/jaybrueder/repositories/hapi_project/node_modules/hapi/node_modules/hoek/lib/index.js:732
    throw new Error(msgs.join(' ') || 'Unknown error');
    ^

Error: State already defined: sid
    at Object.exports.contain.exports.reachTemplate.exports.assert.condition [as assert] (/Users/jaybrueder/repositories/hapi_project/node_modules/hapi/node_modules/hoek/lib/index.js:732:11)

The authentication works perfectly with only one authentication strategy in place.

I am fairly new to the Hapi framework and NodeJS in general. So this could very well be just a simple beginners mistake. However, I would be happy for any help.

[jaybrueder]

I am using:

"hapi": "^13.0.0",
"hapi-auth-cookie": "^6.0.0"

[antony]

I am using the same versions, and my code is almost identical.

I am currently working around the problem by using two different connections, which seems to isolate the plugin's strategies, and resolve the issue nicely, but I really need to use both cookies on one connection (albeit different routes).

My code doesn't fail at the same point though. I have a lot of tests around it and the exact issue is that my assertions state that upon login using 'try' auth, I get back the last-created cookieName

I.e. if I log in as a merchant (merchantCookie: 'Fe26**...', I get back consumerCookie: 'Fe26**...

the last initiated configuration overwrites the first.

I'll post code tomorrow if this isn't clear.

[mtharrison]

My mistake, it looks like the decoration is added to the request object globally for the first registered strategy. Any future use of request.cookieAuth will refer back to that strategy. Some changes would have to be made, but feels like this scheme should be able to support multiple strategies IMO, thoughts @jaw187?

One of the things that the API would need to support is specifying for which strategy you're setting a cookie for in a handler.

@antony an alternative approach for your auth system could be to use a single session cookie but assign different scopes to users to limit their access. I'm guessing it's possible for someone to both be a merchant and a consumer?

scopes reference:

1. https://blog.andyet.com/2015/06/16/harnessing-hapi-scopes/
2. http://stackoverflow.com/a/29053887/1402929

[antony]

@mtharrison Nope, they can either be a merchant or consumer, not both.

Looking at Hapi scopes - perfect!

[jaw187]

Just so we're all on the same page. The original error is due to the strategies not setting the cookie options, which will default to 'sid'. However the issue as reported is real since the implementation decorates request with the same name each time the strategy is registered. It was a pretty easy change which I've thrown together and will submit a PR for right now.

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.