Realms and authentication strategies #4218

Closed
jonathansamines opened this issue Jan 14, 2021 · 1 comment · Fixed by #4281
Labels
bug Bug or defect documentation Non-code related changes

Comments

@jonathansamines
Contributor

Support plan

  • is this issue currently blocking your project? (yes/no): No
  • is this issue affecting a production system? (yes/no): No

Context

  • node version: v14.15.4
  • module version: v20.0.3
  • environment (e.g. node, browser, native): Node
  • used with (e.g. hapi application, another framework, standalone, ...): hapi application
  • any other relevant information:

How can we help?

While building an authentication strategy, I found myself depending on the current realm "parent" relationship, which I had originally assumed to work just like in plugins. Turns out, it works quite differently for authentication strategies:

```js
'use strict';

const Hapi = require('@hapi/hapi');
const assert = require('assert');

function scheme(server) {
  return {
    authenticate(request, h) {
      const credentials = {
        plugin: server.realm.plugin,
        parentPlugin: server.realm.parent.plugin,
      };

      return h.authenticated({ credentials });
    },
  };
}

async function run() {
  const server = Hapi.server();

  const Plugin = {
    name: 'plugin',
    async register(srv) {
      const Nested = {
        name: 'nested',
        register(srv2) {
          srv2.auth.scheme('scheme-nested', scheme);
        },
      };

      srv.auth.scheme('scheme-plugin', scheme);

      await srv.register(Nested);
    },
  };

  await server.register(Plugin);

  server.auth.scheme('scheme', scheme);
  server.auth.strategy('strategy', 'scheme');
  server.auth.strategy('strategy-plugin', 'scheme-plugin');
  server.auth.strategy('strategy-nested', 'scheme-nested');

  const routes = [['/test', 'strategy'], ['/test-plugin', 'strategy-plugin'], ['/test-nested', 'strategy-nested']];

  for (const [path, strategy] of routes) {
    server.route({
      method: 'GET',
      path,
      options: {
        auth: strategy,
        handler(request) {
          return request.auth.credentials;
        },
      },
    });
  }

  const { result } = await server.inject('/test');
  const { result: resultPlugin } = await server.inject('/test-plugin');
  const { result: resultNested } = await server.inject('/test-nested');

  assert.strictEqual(result.plugin, undefined);
  assert.strictEqual(resultPlugin.plugin, undefined);
  assert.strictEqual(resultNested.plugin, undefined);

  assert.strictEqual(result.parentPlugin, 'nested');
  assert.strictEqual(resultPlugin.parentPlugin, undefined);
  assert.strictEqual(resultNested.parentPlugin, undefined);
}

run()
  .catch((error) => {
    console.error(error);
    process.exit(1);
  });
```

I had a hard time understanding why the test above passed, but after some consideration I found that authentication strategies' "parent" realm relationship would refer to the latest "realm" created, regardless of where in the plugin tree it was registered.

Not sure whether that is the expected behavior or not, but better documentation of how authentication strategies' realms work would have helped. Would you accept a pull request adding a bit of additional information to the "server.realm" section?

@jonathansamines jonathansamines added the support Questions, discussions, and general support label Jan 14, 2021
@devinivy devinivy added bug Bug or defect documentation Non-code related changes and removed support Questions, discussions, and general support labels Aug 31, 2021
@devinivy
Member

I took a look at this, and there's definitely a bug at play as it relates to the realm of the strategy. As part of this we should clarify the expected behavior in the docs too 👍

devinivy added a commit that referenced this issue Sep 14, 2021
* Fix handling of auth scheme/strategy realms. Closes #4218

* Remove whitespace