Unable to fail-over to secondary auth strategy when cookie is invalid

[dpmott]

Per the Hapi docs:
https://hapijs.com/api#serverauthschemename-scheme

I should be able to provide Boom.unauthorized(null, 'Custom') to the callback of the validateFunc to cause Hapi to try the next auth strategy.

Unfortunately, hapi-auth-cookie ignores the 'err' parameter of the callback and forms its own Boom.unauthorized(), so there's no way to make this happen without code changes.

Standby, I'll submit a PR for this.

[devinivy]

Interesting! While this is a property of the auth scheme itself, hapi doesn't specify how auth scheme providers like hapi-auth-cookie should treat this in their respective APIs. You can see internally hapi-auth-cookie indicates to skip over the strategy if there's no cookie found: https://github.com/hapijs/hapi-auth-cookie/blob/master/lib/index.js#L152-L155

Overall, I see nothing wrong with this and it seems to make the auth providers more flexible, so I think it's cool. At the same time I personally haven't had a use for this.

[dpmott]

I'm trying to stack hapi-auth-cookie and hapi bell onto the same route. Everything that I read suggested that I should be able to do it, but I couldn't find a way without code changes.

Also, it seemed odd that the error response (if supplied) was discarded by hapi-auth-cookie, so this fixes that, too. =)

[dpmott]

Should I be doing anything else to move the PR forward?

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.