Protect auth calls. Closes #1513

hapijs · Mar 24, 2014 · f694a36 · f694a36
1 parent e6950eb
commit f694a36
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 14 deletions.
diff --git a/lib/auth.js b/lib/auth.js
@@ -171,22 +171,27 @@ internals.Auth.prototype._authenticate = function (request, next) {
         var strategy = config.strategies[strategyPos];
         ++strategyPos;
 
-        // Generate reply interface
+        request._protect.run(validate, function (enter, exit) {
 
-        var savedResults = undefined;
-        var transfer = function (err) {
+            var savedResults = undefined;
+            var transfer = function (err) {
 
-            validate(strategy, err, savedResults);
-        };
+                exit(strategy, err, savedResults);
+            };
 
-        var root = function (err, result) {
+            var root = function (err, result) {
 
-            savedResults = result;
-            return (err ? reply._root(err) : validate(strategy, err, result));
-        };
+                savedResults = result;
+                return (err ? reply._root(err) : exit(strategy, err, result));
+            };
+
+            var reply = Handler.replyInterface(request, transfer, root);
+
+            enter(function () {
 
-        var reply = Handler.replyInterface(request, transfer, root);
-        return self._strategies[strategy].authenticate(request, reply);
+                self._strategies[strategy].authenticate.call(null, request, reply);
+            });
+        });
     };
 
     var validate = function (strategy, err, result) {
@@ -315,14 +320,23 @@ internals.Auth.payload = function (request, next) {
         return next();
     }
 
-    var strategy = auth._strategies[request.auth.strategy];
-    strategy.payload(request, function (err) {
+    var finalize = function (err) {
 
         if (err === false) {
             return next(config.payload === 'optional' ? null : Boom.unauthorized('Missing payload authentication'));
         }
 
         return next(err);
+    };
+
+    var strategy = auth._strategies[request.auth.strategy];
+
+    request._protect.run(finalize, function (enter, exit) {
+
+        enter(function () {
+
+            strategy.payload.call(null, request, exit);
+        });
     });
 };
 
@@ -345,5 +359,11 @@ internals.Auth.response = function (request, next) {
         return next();
     }
 
-    strategy.response(request, next);
+    request._protect.run(next, function (enter, exit) {
+
+        enter(function () {
+
+            strategy.response.call(null, request, exit);
+        });
+    });
 };
diff --git a/test/auth.js b/test/auth.js
@@ -579,6 +579,20 @@ describe('Auth', function () {
             done();
         });
     });
+
+    it('fails when options default to null', function (done) {
+
+        var server = new Hapi.Server({ debug: false });
+        server.auth.scheme('custom', internals.implementation);
+        server.auth.strategy('default', 'custom', true);
+        server.route({ method: 'GET', path: '/', handler: function (request, reply) { reply(request.auth.credentials.user); } });
+
+        server.inject({ url: '/', headers: { authorization: 'Custom steve' } }, function (res) {
+
+            expect(res.statusCode).to.equal(500);
+            done();
+        });
+    });
 });