Redirect only when auth is required #155
Fixes hapijs#154. Because redirecting preempts the original route handler to protect it from unauthenticated requests, it doesn't make sense to redirect when routes explicitly want to process unauthenticated requests.
@sholladay Thanks for the PR. This feature was inherited with the project, so I'm not entirely sure what the motivation is for redirecting with optional auth. Since the feature exists, I'm not overly interested in making such a big change if we're overlooking some common case. Considering there is a flag that can be set to address your changes, I think it's best to leave everything as is. But I'm willing to think about it more.
Nope. There is no flag that fixes the
Hi @mrlannigan thanks for stepping up to maintain this module. Would you mind giving your thoughts on this and letting me know if there is any chance of getting this in? If so, I will fix the merge conflicts. I have been using a fork of this project because it's been too much of a burden to add boilerplate to every route and then explain to people on my team why the behavior is inconsistent for different auth modes.
@sholladay Thanks for the contribution and #186. Over the next week, I will continue the conversation in the new PR. Closing this one.
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
Update: for hapi 17 support, see PR #186
Fixes #154.
Q: What's the purpose of `redirectTo`?
A: Redirecting preempts the original route handler to protect it from unauthenticated requests.

Q: But what about routes that explicitly want to process unauthenticated requests? Isn't this the purpose of `optional` and `try` modes?
A: `redirectTo` screws them up. Oops.

Okay, so ... let's fix this and respect the auth mode.

This changes two closely related things. First and most importantly, it changes the behavior of `redirectTo` so that its effects only apply to auth mode `required`. Thus it no longer conflicts with the intent of `optional` and `try` modes. Secondly, it removes `redirectOnTry`.

I removed `redirectOnTry` because:
`try`. I think everyone who is using `try` just set this to `false`, which is redundant now given the new behavior of `redirectTo`.
`redirectTo` makes this semver major anyway. Now is a good time to remove it so that migration is easier and more intuitive.

The diff for the tests is poor. Basically just added a test for `optional` auth mode, fixed the one for `try`, and removed the obsolete `redirectOnTry` test. Also fixed `uri` -> `url` (see this) and the weird executables while I was here. Happy to split things up if necessary.
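
The behavior change described in this PR, modeled as an added example (not code from the PR or from hapi-auth-cookie). It covers only requests that arrive without a session cookie; the outcome labels, `auditRoutes`, and the sample routes are constructed for illustration, and a `redirectOnTry` default of `true` is assumed.

```javascript
// Added illustration: a model of the redirect decision, not library source.
// Scope: a request with NO session cookie hitting a route in a given auth mode.
// Outcome labels are hypothetical names used only in this example.

// Behavior before the change: redirectTo fires in every mode, except that
// redirectOnTry === false suppresses it for mode 'try' only.
// Assumption: redirectOnTry defaults to true when unset.
function outcomeBefore(mode, opts) {
  if (!opts.redirectTo) {
    return mode === 'required' ? 'reject-401' : 'handler-unauthenticated';
  }
  if (mode === 'try' && opts.redirectOnTry === false) {
    return 'handler-unauthenticated';
  }
  return 'redirect';
}

// Behavior after the change: redirectTo only has an effect in mode 'required';
// redirectOnTry no longer exists, so it is ignored here.
function outcomeAfter(mode, opts) {
  if (mode !== 'required') return 'handler-unauthenticated';
  return opts.redirectTo ? 'redirect' : 'reject-401';
}

// Report the routes whose unauthenticated outcome differs across the upgrade.
// These are the handlers to review: they start receiving anonymous requests.
function auditRoutes(routes, opts) {
  return routes
    .map(({ path, mode }) => ({
      path,
      mode,
      before: outcomeBefore(mode, opts),
      after: outcomeAfter(mode, opts),
    }))
    .filter((r) => r.before !== r.after);
}

// Constructed sample route table (paths are placeholders).
const sampleRoutes = [
  { path: '/account', mode: 'required' },
  { path: '/home', mode: 'optional' },
  { path: '/feed', mode: 'try' },
];

console.log(auditRoutes(sampleRoutes, { redirectTo: '/login' }));
console.log(auditRoutes(sampleRoutes, { redirectTo: '/login', redirectOnTry: false }));
```

In the second call only the `optional` route is reported, which matches the thread's point that `redirectOnTry` never covered that mode. Any handler the audit lists will run without credentials after the upgrade, so it has to handle the anonymous case itself.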