[ { "path": ".github/workflows/ci-module.yml", "content": "name: ci\n\non:\n push:\n branches:\n - v21\n - master\n pull_request:\n workflow_dispatch:\n\njobs:\n test:\n uses: hapijs/.github/.github/workflows/ci-module.yml@master\n with:\n min-node-version: 14\n" }, { "path": ".gitignore", "content": "**/node_modules\n**/package-lock.json\n\ncoverage.*\n\n**/.DS_Store\n**/._*\n\n**/*.pem\n\n**/.vs\n**/.vscode\n**/.idea\n" }, { "path": ".npmrc", "content": "save=false\n\n" }, { "path": "API.md", "content": "\n## Server\n\nThe server object is the main application container. The server manages all incoming requests\nalong with all the facilities provided by the framework. Each server supports a single connection\n(e.g. listen to port `80`).\n\n### `server([options])`\n\nCreates a new server object where:\n- `options` - (optional) a [server configuration object](#server.options).\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nconst server = Hapi.server({ load: { sampleInterval: 1000 } });\n```\n\n### Server options\n\nThe server options control the behavior of the server object. Note that the options object is\ndeeply cloned (with the exception of [`listener`](#server.options.listener) which is shallowly\ncopied) and should not contain any values that are unsafe to perform deep copy on.\n\nAll options are optionals.\n\n#### `server.options.address`\n\nDefault value: `'::'` if IPv6 is available, otherwise `'0.0.0.0'` (i.e. all available network interfaces).\n\nSets the hostname or IP address the server will listen on. If not configured, defaults to\n[`host`](#server.options.host) if present, otherwise to all available network interfaces. Set to\n`'127.0.0.1'`, `'::1'`, or `'localhost'` to restrict the server to only those coming from the same host.\n\n#### `server.options.app`\n\nDefault value: `{}`.\n\nProvides application-specific configuration which can later be accessed via\n[`server.settings.app`](#server.settings). The framework does not interact with this object. It is\nsimply a reference made available anywhere a `server` reference is provided.\n\nNote the difference between `server.settings.app` which is used to store static configuration\nvalues and [`server.app`](#server.app) which is meant for storing run-time state.\n\n#### `server.options.autoListen`\n\nDefault value: `true`.\n\nUsed to disable the automatic initialization of the [`listener`](#server.options.listener). When\n`false`, indicates that the [`listener`](#server.options.listener) will be started manually outside\nthe framework.\n\nCannot be set to `false` along with a [`port`](#server.options.port) value.\n\n#### `server.options.cache`\n\nDefault value: `{ provider: { constructor: require('@hapi/catbox-memory'), options: { partition: 'hapi-cache' } } }`.\n\nSets up server-side caching providers. Every server includes a default cache for storing\napplication state. By default, a simple memory-based cache is created which has limited capacity\nand capabilities.\n\n**hapi** uses [**catbox**](https://hapi.dev/family/catbox/api) for its cache implementation which\nincludes support for common storage solutions (e.g. Redis, MongoDB, Memcached, Riak, among others).\nCaching is only utilized if [methods](#server.methods) and [plugins](#plugins) explicitly store\ntheir state in the cache.\n\nThe server cache configuration only defines the storage container itself. The configuration can be\nassigned one or more (array):\n\n- a class or prototype function (usually obtained by calling `require()` on a **catbox** strategy\n such as `require('@hapi/catbox-redis')`). A new **catbox** [client](https://hapi.dev/family/catbox/api#client)\n will be created internally using this constructor.\n\n- a configuration object with the following:\n\n - `engine` - a **catbox** engine object instance.\n\n - `name` - an identifier used later when provisioning or configuring caching for\n [server methods](#server.methods) or [plugins](#plugins). Each cache name must be unique.\n A single item may omit the `name` option which defines the default cache. If every cache\n includes a `name`, a default memory cache is provisioned as well.\n\n - `provider` - a class, a constructor function, or an object with the following:\n\n - `constructor` - a class or a prototype function.\n\n - `options` - (optional) a settings object passed as-is to the `constructor` with the following:\n\n - `partition` - (optional) string used to isolate cached data. Defaults to `'hapi-cache'`.\n - other constructor-specific options passed to the `constructor` on instantiation.\n\n - `shared` - if `true`, allows multiple cache users to share the same segment (e.g.\n multiple methods using the same cache storage container). Default to `false`.\n\n - One (and only one) of `engine` or `provider` is required per configuration object.\n\n#### `server.options.compression`\n\nDefault value: `{ minBytes: 1024 }`.\n\nDefines server handling of content encoding requests. If `false`, response content encoding is\ndisabled and no compression is performed by the server.\n\n##### `server.options.compression.minBytes`\n\nDefault value: '1024'.\n\nSets the minimum response payload size in bytes that is required for content encoding compression.\nIf the payload size is under the limit, no compression is performed.\n\n#### `server.options.debug`\n\nDefault value: `{ request: ['implementation'] }`.\n\nDetermines which logged events are sent to the console. This should only be used for development\nand does not affect which events are actually logged internally and recorded. Set to `false` to\ndisable all console logging, or to an object with:\n\n- `log` - a string array of server log tags to be displayed via `console.error()` when\n the events are logged via [`server.log()`](#server.log()) as well as\n internally generated [server logs](#server-logs). Defaults to no output.\n\n- `request` - a string array of request log tags to be displayed via `console.error()` when\n the events are logged via [`request.log()`](#request.log()) as well as\n internally generated [request logs](#request-logs). For example, to display all errors,\n set the option to `['error']`. To turn off all console debug messages set it to `false`.\n To display all request logs, set it to `'*'`.\n Defaults to uncaught errors thrown in external code (these errors are handled\n automatically and result in an Internal Server Error response) or runtime errors due to\n developer error.\n\nFor example, to display all errors, set the `log` or `request` to `['error']`. To turn off all\noutput set the `log` or `request` to `false`. To display all server logs, set the `log` or\n`request` to `'*'`. To disable all debug information, set `debug` to `false`.\n\n#### `server.options.host`\n\nDefault value: the operating system hostname and if not available, to `'localhost'`.\n\nThe public hostname or IP address. Used to set [`server.info.host`](#server.info) and\n[`server.info.uri`](#server.info) and as [`address`](#server.options.address) if none is provided.\n\n#### `server.options.info.remote`\n\nDefault value: `false`.\n\nIf `true`, the `request.info.remoteAddress` and `request.info.remotePort` are populated when the request is received which can consume more resource (but is ok if the information is needed, especially for aborted requests). When `false`, the fields are only populated upon demand (but will be `undefined` if accessed after the request is aborted).\n\n#### `server.options.listener`\n\nDefault value: none.\n\nAn optional node HTTP (or HTTPS) [`http.Server`](https://nodejs.org/api/http.html#http_class_http_server)\nobject (or an object with a compatible interface).\n\nIf the `listener` needs to be manually started, set [`autoListen`](#server.options.autolisten) to\n`false`.\n\nIf the `listener` uses TLS, set [`tls`](#server.options.tls) to `true`.\n\n#### `server.options.load`\n\nDefault value: `{ sampleInterval: 0, maxHeapUsedBytes: 0, maxRssBytes: 0, maxEventLoopDelay: 0, maxEventLoopUtilization: 0 }`.\n\nServer excessive load handling limits where:\n\n- `sampleInterval` - the frequency of sampling in milliseconds. When set to `0`, the other load options are ignored. Defaults to `0` (no sampling).\n\n- `maxHeapUsedBytes` - maximum V8 heap size over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to `0` (no limit).\n\n- `maxRssBytes` - maximum process RSS size over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to `0` (no limit).\n\n- `maxEventLoopDelay` - maximum event loop delay duration in milliseconds over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to `0` (no limit).\n\n- `maxEventLoopUtilization` - maximum event loop utilization value over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to `0` (no limit).\n\n#### `server.options.mime`\n\nDefault value: none.\n\nOptions passed to the [**mimos**](https://hapi.dev/family/mimos/api) module when generating the mime database used by the server (and accessed via [`server.mime`](#server.mime)):\n\n- `override` - an object hash that is merged into the built in mime information specified [here](https://github.com/jshttp/mime-db). Each key value pair represents a single mime object. Each override value must contain:\n\n - `key` - the lower-cased mime-type string (e.g. `'application/javascript'`).\n\n - `value` - an object following the specifications outlined [here](https://github.com/jshttp/mime-db#data-structure). Additional values include:\n\n - `type` - specify the `type` value of result objects, defaults to `key`.\n\n - `predicate` - method with signature `function(mime)` when this mime type is found in the database, this function will execute to allows customizations.\n\n```js\nconst options = {\n mime: {\n override: {\n 'node/module': {\n source: 'iana',\n compressible: true,\n extensions: ['node', 'module', 'npm'],\n type: 'node/module'\n },\n 'application/javascript': {\n source: 'iana',\n charset: 'UTF-8',\n compressible: true,\n extensions: ['js', 'javascript'],\n type: 'text/javascript'\n },\n 'text/html': {\n predicate: function(mime) {\n if (someCondition) {\n mime.foo = 'test';\n }\n else {\n mime.foo = 'bar';\n }\n return mime;\n }\n }\n }\n }\n};\n```\n\n#### `server.options.operations`\n\nDefault value: `{ cleanStop: true }`.\n\nDefines server handling of server operations:\n\n- `cleanStop` - if `true`, the server keeps track of open connections and properly closes them\n when the server is stopped. Under normal load, this should not interfere with server performance.\n However, under severe load connection monitoring can consume additional resources and aggravate\n the situation. If the server is never stopped, or if it is forced to stop without waiting for\n open connection to close, setting this to `false` can save resources that are not being utilized\n anyway. Defaults to `true`.\n\n#### `server.options.plugins`\n\nDefault value: `{}`.\n\nPlugin-specific configuration which can later be accessed via [`server.settings.plugins`](#server.settings).\n`plugins` is an object where each key is a plugin name and the value is the configuration.\nNote the difference between [`server.settings.plugins`](#server.settings) which is used to store\nstatic configuration values and [`server.plugins`](#server.plugins) which is meant for storing\nrun-time state.\n\n#### `server.options.port`\n\nDefault value: `0` (an ephemeral port).\n\nThe TCP port the server will listen to. Defaults the next available port when the server is started\n(and assigned to [`server.info.port`](#server.info)).\n\nIf `port` is a string containing a '/' character, it is used as a UNIX domain socket path.\nIf it starts with '\\\\.\\pipe', it is used as a Windows named pipe.\n\n#### `server.options.query`\n\nDefault value: `{}`.\n\nDefines server handling of the request path query component.\n\n##### `server.options.query.parser`\n\nDefault value: none.\n\nSets a query parameters parser method using the signature `function(query)` where:\n\n- `query` - an object containing the incoming [`request.query`](#request.query) parameters.\n- the method must return an object where each key is a parameter and matching value is the\n parameter value. If the method throws, the error is used as the response or returned when\n [`request.setUrl()`](#request.setUrl()) is called.\n\n```js\nconst Qs = require('qs');\n\nconst options = {\n query: {\n parser: (query) => Qs.parse(query)\n }\n};\n```\n\n#### `server.options.router`\n\nDefault value: `{ isCaseSensitive: true, stripTrailingSlash: false }`.\n\nControls how incoming request URIs are matched against the routing table:\n\n- `isCaseSensitive` - determines whether the paths '/example' and '/EXAMPLE' are considered\n different resources. Defaults to `true`.\n\n- `stripTrailingSlash` - removes trailing slashes on incoming paths. Defaults to `false`.\n\n#### `server.options.routes`\n\nDefault value: none.\n\nA [route options](#route-options) object used as the default configuration for every route.\n\n#### `server.options.state`\n\nDefault value:\n```js\n{\n strictHeader: true,\n ignoreErrors: false,\n isSecure: true,\n isHttpOnly: true,\n isSameSite: 'Strict',\n isPartitioned: false,\n encoding: 'none'\n}\n```\n\nSets the default configuration for every state (cookie) set explicitly via\n[`server.state()`](#server.state()) or implicitly (without definition) using the\n[state configuration](#server.state()) object.\n\n#### `server.options.tls`\n\nDefault value: none.\n\nUsed to create an HTTPS connection. The `tls` object is passed unchanged to the node\nHTTPS server as described in the [node HTTPS documentation](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener).\n\nSet to `true` when passing a [`listener`](#server.options.listener) object that has been configured\nto use TLS directly.\n\n#### `server.options.uri`\n\nDefault value: constructed from runtime server information.\n\nThe full public URI without the path (e.g. 'http://example.com:8080'). If present, used as the\nserver [`server.info.uri`](#server.info), otherwise constructed from the server settings.\n\n### Server properties\n\n#### `server.app`\n\nAccess: read / write.\n\nProvides a safe place to store server-specific run-time application data without potential\nconflicts with the framework internals. The data can be accessed whenever the server is\naccessible. Initialized with an empty object.\n\n```js\nconst server = Hapi.server();\n\nserver.app.key = 'value';\n\nconst handler = function (request, h) {\n\n return request.server.app.key; // 'value'\n};\n```\n\n#### `server.auth.api`\n\nAccess: authentication strategy specific.\n\nAn object where each key is an authentication strategy name and the value is the exposed strategy\nAPI. Available only when the authentication scheme exposes an API by returning an `api` key in the\nobject returned from its implementation function.\n\n```js\nconst server = Hapi.server({ port: 80 });\n\nconst scheme = function (server, options) {\n\n return {\n api: {\n settings: {\n x: 5\n }\n },\n authenticate: function (request, h) {\n\n const authorization = request.headers.authorization;\n if (!authorization) {\n throw Boom.unauthorized(null, 'Custom');\n }\n\n return h.authenticated({ credentials: { user: 'john' } });\n }\n };\n};\n\nserver.auth.scheme('custom', scheme);\nserver.auth.strategy('default', 'custom');\n\nconsole.log(server.auth.api.default.settings.x); // 5\n```\n\n#### `server.auth.settings.default`\n\nAccess: read only.\n\nContains the default authentication configuration if a default strategy was set via\n[`server.auth.default()`](#server.auth.default()).\n\n#### `server.decorations`\n\nAccess: read only.\n\nProvides access to the decorations already applied to various framework interfaces. The object must\nnot be modified directly, but only through [`server.decorate`](#server.decorate()).\nContains:\n\n- `request` - decorations on the [request object](#request).\n- `response` - decorations on the [response object](#response-object).\n- `toolkit` - decorations on the [response toolkit](#response-toolkit).\n- `server` - decorations on the [server](#server) object.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst success = function () {\n\n return this.response({ status: 'ok' });\n};\n\nserver.decorate('toolkit', 'success', success);\nconsole.log(server.decorations.toolkit); // ['success']\n```\n\n#### `server.events`\n\nAccess: **podium** public interface.\n\nThe server events emitter. Utilizes the [**podium**](https://hapi.dev/family/podium/api) with support\nfor event criteria validation, channels, and filters.\n\nUse the following methods to interact with `server.events`:\n\n- [`server.event(events)`](#server.event()) - register application events.\n- [`server.events.emit(criteria, data)`](#server.events.emit()) - emit server events.\n- [`server.events.on(criteria, listener, context)`](#server.events.on()) - subscribe to all events.\n- [`server.events.once(criteria, listener, context)`](#server.events.once()) - subscribe to a single event.\n\nOther methods include: `server.events.removeListener(name, listener)`,\n`server.events.removeAllListeners(name)`, and `server.events.hasListeners(name)`.\n\n##### `'log'` Event\n\nThe `'log'` event type emits internal server events generated by the framework as well as\napplication events logged with [`server.log()`](#server.log()).\n\nThe `'log'` event handler uses the function signature `function(event, tags)` where:\n\n- `event` - an object with the following properties:\n - `timestamp` - the event timestamp.\n - `tags` - an array of tags identifying the event (e.g. `['error', 'http']`).\n - `channel` - set to `'internal'` for internally generated events, otherwise `'app'` for events\n generated by [`server.log()`](#server.log()).\n - `data` - event-specific information. Available when event data was provided and is not an\n error. Errors are passed via `error`.\n - `error` - the error object related to the event if applicable. Cannot appear together with\n `data`.\n\n- `tags` - an object where each `event.tag` is a key and the value is `true`. Useful for quick\n identification of events.\n\n```js\nserver.events.on('log', (event, tags) => {\n\n if (tags.error) {\n console.log(`Server error: ${event.error ? event.error.message : 'unknown'}`);\n }\n});\n```\n\nThe internally generated events are (identified by their `tags`):\n\n- `load` - logs the current server load measurements when the server rejects a request due to\n [high load](#server.options.load). The event data contains the process load metrics.\n\n- `connection` `client` `error` - a `clientError` event was received from the HTTP or HTTPS\n listener. The event data is the error object received.\n\n##### `'cachePolicy'` Event\n\nThe `'cachePolicy'` event type is emitted when a server [cache policy](https://hapi.dev/module/catbox/api#policy)\nis created via [`server.cache()`](#server.cache()) or a [`server.method()`](#server.method()) with caching enabled is registered.\nThe `'cachePolicy'` event handler uses the function signature `function(cachePolicy, cache, segment)` where:\n\n- `cachePolicy` - the catbox [cache policy](https://hapi.dev/module/catbox/api#policy).\n- `cache` - the [cache provision](#server.options.cache) name used when the policy was created or `undefined` if the default cache was used.\n- `segment` - the segment name used when the policy was created.\n\n```js\nserver.events.on('cachePolicy', (cachePolicy, cache, segment) => {\n\n console.log(`New cache policy created using cache: ${cache === undefined ? 'default' : cache} and segment: ${segment}`);\n});\n```\n\n##### `'request'` Event\n\nThe `'request'` event type emits internal request events generated by the framework as well as\napplication events logged with [`request.log()`](#request.log()).\n\nThe `'request'` event handler uses the function signature `function(request, event, tags)` where:\n\n- `request` - the [request object](#request).\n\n- `event` - an object with the following properties:\n - `timestamp` - the event timestamp.\n - `tags` - an array of tags identifying the event (e.g. `['error', 'http']`).\n - `channel` - one of\n - `'app'` - events generated by [`request.log()`](#request.log()).\n - `'error'` - emitted once per request if the response had a `500` status code.\n - `'internal'` - internally generated events.\n - `request` - the request [identifier](#request.info.id).\n - `data` - event-specific information. Available when event data was provided and is not an\n error. Errors are passed via `error`.\n - `error` - the error object related to the event if applicable. Cannot appear together with\n `data`.\n\n- `tags` - an object where each `event.tag` is a key and the value is `true`. Useful for quick\n identification of events.\n\n```js\nserver.events.on('request', (request, event, tags) => {\n\n if (tags.error) {\n console.log(`Request ${event.request} error: ${event.error ? event.error.message : 'unknown'}`);\n }\n});\n```\n\nTo listen to only one of the channels, use the event criteria object:\n\n```js\nserver.events.on({ name: 'request', channels: 'error' }, (request, event, tags) => {\n\n console.log(`Request ${event.request} failed`);\n});\n```\n\nThe internally generated events are (identified by their `tags`):\n\n- `accept-encoding` `error` - a request received contains an invalid Accept-Encoding header.\n- `auth` `unauthenticated` - no authentication scheme included with the request.\n- `auth` `unauthenticated` `response` `{strategy}` - the authentication strategy listed returned a non-error response (e.g. a redirect to a login page).\n- `auth` `unauthenticated` `error` `{strategy}` - the request failed to pass the listed authentication strategy (invalid credentials).\n- `auth` `unauthenticated` `missing` `{strategy}` - the request failed to pass the listed authentication strategy (no credentials found).\n- `auth` `unauthenticated` `try` `{strategy}` - the request failed to pass the listed authentication strategy in `'try'` mode and will continue.\n- `auth` `scope` `error` - the request authenticated but failed to meet the scope requirements.\n- `auth` `entity` `user` `error` - the request authenticated but included an application entity when a user entity was required.\n- `auth` `entity` `app` `error` - the request authenticated but included a user entity when an application entity was required.\n- `ext` `error` - an `onPostResponse` extension handler errored.\n- `handler` `error` - the route handler returned an error. Includes the execution duration and the error message.\n- `pre` `error` - a pre method was executed and returned an error. Includes the execution duration, assignment key, and error.\n- `internal` `error` - an HTTP 500 error response was assigned to the request.\n- `internal` `implementation` `error` - an incorrectly implemented [lifecycle method](#lifecycle-methods).\n- `request` `error` `abort` - the request aborted.\n- `request` `error` `close` - the request closed prematurely.\n- `request` `error` - the request stream emitted an error. Includes the error.\n- `request` `server` `timeout` `error` - the request took too long to process by the server. Includes the timeout configuration value and the duration.\n- `state` `error` - the request included an invalid cookie or cookies. Includes the cookies and error details.\n- `state` `response` `error` - the response included an invalid cookie which prevented generating a valid header. Includes the error.\n- `payload` `error` - failed processing the request payload. Includes the error.\n- `response` `error` - failed writing the response to the client. Includes the error.\n- `response` `error` `close` - failed writing the response to the client due to prematurely closed connection.\n- `response` `error` `aborted` - failed writing the response to the client due to prematurely aborted connection.\n- `response` `error` `cleanup` - failed freeing response resources.\n- `validation` `error` `{input}` - input (i.e. payload, query, params, headers) validation failed. Includes the error. Only emitted when `failAction` is set to `'log'`.\n- `validation` `response` `error` - response validation failed. Includes the error message. Only emitted when `failAction` is set to `'log'`.\n\n##### `'response'` Event\n\nThe `'response'` event type is emitted after the response is sent back to the client (or when the\nclient connection closed and no response sent, in which case [`request.response`](#request.response)\nis `null`). A single event is emitted per request. The `'response'` event handler uses the function\nsignature `function(request)` where:\n\n- `request` - the [request object](#request).\n\n```js\nserver.events.on('response', (request) => {\n\n console.log(`Response sent for request: ${request.info.id}`);\n});\n```\n\n##### `'route'` Event\n\nThe `'route'` event type is emitted when a route is added via [`server.route()`](#server.route()).\nThe `'route'` event handler uses the function signature `function(route)` where:\n\n- `route` - the [route information](#request.route). The `route` object must not be modified.\n\n```js\nserver.events.on('route', (route) => {\n\n console.log(`New route added: ${route.path}`);\n});\n```\n\n##### `'start'` Event\n\nThe `'start'` event type is emitted when the server is started using [`server.start()`](#server.start()).\nThe `'start'` event handler uses the function signature `function()`.\n\n```js\nserver.events.on('start', () => {\n\n console.log('Server started');\n});\n```\n\n##### `'closing'` Event\n\nThe `'closing'` event type is emitted when the server is stopped using [`server.stop()`](#server.stop()). It is triggered when incoming requests are no longer accepted but before all underlying active connections have been closed, and thus before the [`'stop'`](#server.events.stop) event is triggered.\nThe `'closing'` event handler uses the function signature `function()`.\n\n```js\nserver.events.on('closing', () => {\n\n console.log('Server is closing');\n});\n```\n\n##### `'stop'` Event\n\nThe `'stop'` event type is emitted when the server is stopped using [`server.stop()`](#server.stop()).\nThe `'stop'` event handler uses the function signature `function()`.\n\n```js\nserver.events.on('stop', () => {\n\n console.log('Server stopped');\n});\n```\n\n#### `server.info`\n\nAccess: read only.\n\nAn object containing information about the server where:\n\n- `id` - a unique server identifier (using the format '{hostname}:{pid}:{now base36}').\n\n- `created` - server creation timestamp.\n\n- `started` - server start timestamp (`0` when stopped).\n\n- `port` - the connection port based on the following rules:\n\n - before the server has been started: the configured [`port`](#server.options.port) value.\n - after the server has been started: the actual port assigned when no port is configured or was\n set to `0`.\n\n- `host` - The [`host`](#server.options.host) configuration value.\n\n- `address` - the active IP address the connection was bound to after starting. Set to `undefined`\n until the server has been started or when using a non TCP port (e.g. UNIX domain socket).\n\n- `protocol` - the protocol used:\n\n - `'http'` - HTTP.\n - `'https'` - HTTPS.\n - `'socket'` - UNIX domain socket or Windows named pipe.\n\n- `uri` - a string representing the connection (e.g. 'http://example.com:8080' or\n 'socket:/unix/domain/socket/path'). Contains the [`uri`](#server.options.uri) value if set,\n otherwise constructed from the available settings. If no [`port`](#server.options.port) is\n configured or is set to `0`, the `uri` will not include a port component until the server is\n started.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconsole.log(server.info.port); // 80\n```\n\n#### `server.listener`\n\nAccess: read only and listener public interface.\n\nThe node HTTP server object.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst SocketIO = require('socket.io');\n\nconst server = Hapi.server({ port: 80 });\n\nconst io = SocketIO.listen(server.listener);\nio.sockets.on('connection', (socket) => {\n\n socket.emit({ msg: 'welcome' });\n});\n```\n\n#### `server.load`\n\nAccess: read only.\n\nAn object containing the process load metrics (when [`load.sampleInterval`](#server.options.load)\nis enabled):\n\n- `eventLoopDelay` - event loop delay milliseconds.\n- `eventLoopUtilization` - current event loop utilization value.\n- `heapUsed` - V8 heap usage.\n- `rss` - RSS memory usage.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ load: { sampleInterval: 1000 } });\n\nconsole.log(server.load.rss);\n```\n\n#### `server.methods`\n\nAccess: read only.\n\nServer methods are functions registered with the server and used throughout the application as a\ncommon utility. Their advantage is in the ability to configure them to use the built-in cache and\nshare across multiple request handlers without having to create a common module.\n\n`sever.methods` is an object which provides access to the methods registered via\n[server.method()](#server.method()) where each server method name is an object\nproperty.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server();\n\nserver.method('add', (a, b) => (a + b));\nconst result = server.methods.add(1, 2); // 3\n```\n\n#### `server.mime`\n\nAccess: read only and **mimos** public interface.\n\nProvides access to the server MIME database used for setting content-type information. The object\nmust not be modified directly but only through the [`mime`](#server.options.mime) server setting.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nconst options = {\n mime: {\n override: {\n 'node/module': {\n source: 'steve',\n compressible: false,\n extensions: ['node', 'module', 'npm'],\n type: 'node/module'\n }\n }\n }\n};\n\nconst server = Hapi.server(options);\nconsole.log(server.mime.path('code.js').type) // 'application/javascript'\nconsole.log(server.mime.path('file.npm').type) // 'node/module'\n```\n\n#### `server.plugins`\n\nAccess: read / write.\n\nAn object containing the values exposed by each registered plugin where each key is a plugin name\nand the values are the exposed properties by each plugin using\n[`server.expose()`](#server.expose()). Plugins may set the value of the\n`server.plugins[name]` object directly or via the `server.expose()` method.\n\n```js\nexports.plugin = {\n name: 'example',\n register: function (server, options) {\n\n server.expose('key', 'value');\n server.plugins.example.other = 'other';\n\n console.log(server.plugins.example.key); // 'value'\n console.log(server.plugins.example.other); // 'other'\n }\n};\n```\n\n#### `server.realm`\n\nAccess: read only.\n\nThe realm object contains sandboxed server settings specific to each plugin or authentication\nstrategy. When registering a plugin or an authentication scheme, a `server` object reference is\nprovided with a new `server.realm` container specific to that registration. It allows each plugin\nto maintain its own settings without leaking and affecting other plugins.\n\nFor example, a plugin can set a default file path for local resources without breaking other\nplugins' configured paths. When calling [`server.bind()`](#server.bind()), the active realm's\n`settings.bind` property is set which is then used by routes and extensions added at the same level\n(server root or plugin).\n\nThe `server.realm` object contains:\n\n- `modifiers` - when the server object is provided as an argument to the plugin `register()`\n method, `modifiers` provides the registration preferences passed the\n [`server.register()`](#server.register()) method and includes:\n\n - `route` - routes preferences:\n\n - `prefix` - the route path prefix used by any calls to [`server.route()`](#server.route())\n from the server. Note that if a prefix is used and the route path is set to `'/'`, the\n resulting path will not include the trailing slash.\n - `vhost` - the route virtual host settings used by any calls to\n [`server.route()`](#server.route()) from the server.\n\n- `parent` - the realm of the parent server object, or `null` for the root server.\n\n- `plugin` - the active plugin name (empty string if at the server root).\n\n- `pluginOptions` - the plugin options passed at registration.\n\n- `plugins` - plugin-specific state to be shared only among activities sharing the same active\n state. `plugins` is an object where each key is a plugin name and the value is the plugin state.\n\n- `settings` - settings overrides:\n\n - `files.relativeTo`\n - `bind`\n\nThe `server.realm` object should be considered read-only and must not be changed directly except\nfor the `plugins` property which can be directly manipulated by each plugin, setting its properties\ninside `plugins[name]`.\n\n```js\nexports.register = function (server, options) {\n\n console.log(server.realm.modifiers.route.prefix);\n};\n```\n\n#### `server.registrations`\n\nAccess: read only.\n\nAn object of the currently registered plugins where each key is a registered plugin name and the\nvalue is an object containing:\n\n- `version` - the plugin version.\n- `name` - the plugin name.\n- `options` - (optional) options passed to the plugin during registration.\n\n#### `server.settings`\n\nAccess: read only.\n\nThe server configuration object after defaults applied.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({\n app: {\n key: 'value'\n }\n});\n\nconsole.log(server.settings.app); // { key: 'value' }\n```\n\n#### `server.states`\n\nAccess: read only and **statehood** public interface.\n\nThe server cookies manager.\n\n#### `server.states.settings`\n\nAccess: read only.\n\nThe server cookies manager settings. The settings are based on the values configured in\n[`server.options.state`](#server.options.state).\n\n#### `server.states.cookies`\n\nAccess: read only.\n\nAn object containing the configuration of each cookie added via [`server.state()`](#server.state())\nwhere each key is the cookie name and value is the configuration object.\n\n#### `server.states.names`\n\nAccess: read only.\n\nAn array containing the names of all configured cookies.\n\n#### `server.type`\n\nAccess: read only.\n\nA string indicating the listener type where:\n- `'socket'` - UNIX domain socket or Windows named pipe.\n- `'tcp'` - an HTTP listener.\n\n#### `server.version`\n\nAccess: read only.\n\nThe **hapi** module version number.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server();\n\nconsole.log(server.version); // '17.0.0'\n```\n\n### `server.auth.default(options)`\n\nSets a default strategy which is applied to every route where:\n\n- `options` - one of:\n\n - a string with the default strategy name\n - an authentication configuration object using the same format as the\n [route `auth` handler options](#route.options.auth).\n\nReturn value: none.\n\nThe default does not apply when a route config specifies `auth` as `false`, or has an\nauthentication strategy configured (contains the [`strategy`](#route.options.auth.strategy) or\n[`strategies`](#route.options.auth.strategies) authentication settings). Otherwise, the route\nauthentication config is applied to the defaults.\n\nNote that if the route has authentication configured, the default only applies at the time of\nadding the route, not at runtime. This means that calling `server.auth.default()` after adding a\nroute with some authentication config will have no impact on the routes added prior. However, the\ndefault will apply to routes added before `server.auth.default()` is called if those routes lack\nany authentication config.\n\nThe default auth strategy configuration can be accessed via [`server.auth.settings.default`](#server.auth.settings.default).\nTo obtain the active authentication configuration of a route, use `server.auth.lookup(request.route)`.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nserver.auth.scheme('custom', scheme);\nserver.auth.strategy('default', 'custom');\nserver.auth.default('default');\n\nserver.route({\n method: 'GET',\n path: '/',\n handler: function (request, h) {\n\n return request.auth.credentials.user;\n }\n});\n```\n\n### `server.auth.scheme(name, scheme)`\n\nRegisters an authentication scheme where:\n\n- `name` - the scheme name.\n- `scheme` - the method implementing the scheme with signature `function(server, options)` where:\n - `server` - a reference to the server object the scheme is added to. Each auth strategy is given its own [`server.realm`](#server.realm) whose parent is the realm of the `server` in the call to [`server.auth.strategy()`](#server.auth.strategy()).\n - `options` - (optional) the scheme `options` argument passed to\n [`server.auth.strategy()`](#server.auth.strategy()) when instantiation a strategy.\n\nReturn value: none.\n\nThe `scheme` function must return an [authentication scheme object](#authentication-scheme) when\ninvoked.\n\n#### Authentication scheme\n\nAn authentication scheme is an object with the following properties:\n\n- `api` - (optional) object which is exposed via the [`server.auth.api`](#server.auth.api) object.\n\n- `async authenticate(request, h)` - (required) a [lifecycle method](#lifecycle-methods) function\n called for each incoming request configured with the authentication scheme. The method is\n provided with two special toolkit methods for returning an authenticated or an unauthenticate\n result:\n - [`h.authenticated()`](#h.authenticated()) - indicate request authenticated successfully.\n - [`h.unauthenticated()`](#h.unauthenticated()) - indicate request failed to authenticate.\n\n- `async payload(request, h)` - (optional) a [lifecycle method](#lifecycle-methods) to authenticate\n the request payload.\n\n- `async response(request, h)` - (optional) a [lifecycle method](#lifecycle-methods) to decorate\n the response with authentication headers before the response headers or payload is written.\n\n- `async verify(auth)` - (optional) a method used to verify the authentication credentials provided\n are still valid (e.g. not expired or revoked after the initial authentication) where:\n - `auth` - the [`request.auth`](#request.auth) object containing the `credentials` and\n `artifacts` objects returned by the scheme's `authenticate()` method.\n - the method throws an `Error` when the credentials passed are no longer valid (e.g. expired or\n revoked). Note that the method does not have access to the original request, only to the\n credentials and artifacts produced by the `authenticate()` method.\n\n- `options` - (optional) an object with the following keys:\n - `payload` - if `true`, requires payload validation as part of the scheme and forbids routes\n from disabling payload auth validation. Defaults to `false`.\n\nWhen the scheme `authenticate()` method implementation throws an error or calls\n[`h.unauthenticated()`](#h.unauthenticated()), the specifics of the error affect whether additional\nauthentication strategies will be attempted (if configured for the route). If the error includes a\nmessage, no additional strategies will be attempted. If the `err` does not include a message but\ndoes include the scheme name (e.g. `Boom.unauthorized(null, 'Custom')`), additional strategies will\nbe attempted in the order of preference (defined in the route configuration). If authentication\nfails, the scheme names will be present in the 'WWW-Authenticate' header.\n\nWhen the scheme `payload()` method throws an error with a message, it means payload validation\nfailed due to bad payload. If the error has no message but includes a scheme name (e.g.\n`Boom.unauthorized(null, 'Custom')`), authentication may still be successful if the route\n[`auth.payload`](#route.options.auth.payload) configuration is set to `'optional'`.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst scheme = function (server, options) {\n\n return {\n authenticate: function (request, h) {\n\n const req = request.raw.req;\n const authorization = req.headers.authorization;\n if (!authorization) {\n throw Boom.unauthorized(null, 'Custom');\n }\n\n return h.authenticated({ credentials: { user: 'john' } });\n }\n };\n};\n\nserver.auth.scheme('custom', scheme);\n```\n\n### `server.auth.strategy(name, scheme, [options])`\n\nRegisters an authentication strategy where:\n\n- `name` - the strategy name.\n- `scheme` - the scheme name (must be previously registered using\n [`server.auth.scheme()`](#server.auth.scheme())).\n- `options` - scheme options based on the scheme requirements.\n\nReturn value: none.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nserver.auth.scheme('custom', scheme);\nserver.auth.strategy('default', 'custom');\n\nserver.route({\n method: 'GET',\n path: '/',\n options: {\n auth: 'default',\n handler: function (request, h) {\n\n return request.auth.credentials.user;\n }\n }\n});\n```\n\n### `await server.auth.test(strategy, request)`\n\nTests a request against an authentication strategy where:\n\n- `strategy` - the strategy name registered with [`server.auth.strategy()`](#server.auth.strategy()).\n- `request` - the [request object](#request).\n\nReturn value: an object containing the authentication `credentials` and `artifacts` if authentication\nwas successful, otherwise throws an error.\n\nNote that the `test()` method does not take into account the route authentication configuration. It\nalso does not perform payload authentication. It is limited to the basic strategy authentication\nexecution. It does not include verifying scope, entity, or other route properties.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nserver.auth.scheme('custom', scheme);\nserver.auth.strategy('default', 'custom');\n\nserver.route({\n method: 'GET',\n path: '/',\n handler: async function (request, h) {\n\n try {\n const { credentials, artifacts } = await request.server.auth.test('default', request);\n return { status: true, user: credentials.name };\n }\n catch (err) {\n return { status: false };\n }\n }\n});\n```\n\n\n### `await server.auth.verify(request)`\n\nVerify a request's authentication credentials against an authentication strategy where:\n\n- `request` - the [request object](#request).\n\nReturn value: nothing if verification was successful, otherwise throws an error.\n\nNote that the `verify()` method does not take into account the route authentication configuration\nor any other information from the request other than the `request.auth` object. It also does not\nperform payload authentication. It is limited to verifying that the previously valid credentials\nare still valid (e.g. have not been revoked or expired). It does not include verifying scope,\nentity, or other route properties.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nserver.auth.scheme('custom', scheme);\nserver.auth.strategy('default', 'custom');\n\nserver.route({\n method: 'GET',\n path: '/',\n handler: async function (request, h) {\n\n try {\n const credentials = await request.server.auth.verify(request);\n return { status: true, user: credentials.name };\n }\n catch (err) {\n return { status: false };\n }\n }\n});\n```\n\n### `server.bind(context)`\n\nSets a global context used as the default bind object when adding a route or an extension where:\n\n- `context` - the object used to bind `this` in [lifecycle methods](#lifecycle-methods) such as\n the [route handler](#route.options.handler) and [extension methods](#server.ext()). The context\n is also made available as [`h.context`](#h.context).\n\nReturn value: none.\n\nWhen setting a context inside a plugin, the context is applied only to methods set up by the\nplugin. Note that the context applies only to routes and extensions added after it has been set.\nIgnored if the method being bound is an arrow function.\n\n```js\nconst handler = function (request, h) {\n\n return this.message; // Or h.context.message\n};\n\nexports.plugin = {\n name: 'example',\n register: function (server, options) {\n\n const bind = {\n message: 'hello'\n };\n\n server.bind(bind);\n server.route({ method: 'GET', path: '/', handler });\n }\n};\n```\n\n### `server.cache(options)`\n\nProvisions a cache segment within the server cache facility where:\n\n- `options` - [**catbox** policy](https://hapi.dev/family/catbox/api#policy) configuration where:\n\n - `expiresIn` - relative expiration expressed in the number of milliseconds since the item was\n saved in the cache. Cannot be used together with `expiresAt`.\n\n - `expiresAt` - time of day expressed in 24h notation using the 'HH:MM' format, at which point\n all cache records expire. Uses local time. Cannot be used together with `expiresIn`.\n\n - `generateFunc` - a function used to generate a new cache item if one is not found in the\n cache when calling `get()`. The method's signature is `async function(id, flags)` where:\n\n - `id` - the `id` string or object provided to the `get()` method.\n - `flags` - an object used to pass back additional flags to the cache where:\n - `ttl` - the cache ttl value in milliseconds. Set to `0` to skip storing in the\n cache. Defaults to the cache global policy.\n\n - `staleIn` - number of milliseconds to mark an item stored in cache as stale and attempt to\n regenerate it when `generateFunc` is provided. Must be less than `expiresIn`.\n\n - `staleTimeout` - number of milliseconds to wait before checking if an item is stale.\n\n - `generateTimeout` - number of milliseconds to wait before returning a timeout error when the\n `generateFunc` function takes too long to return a value. When the value is eventually\n returned, it is stored in the cache for future requests. Required if `generateFunc` is\n present. Set to `false` to disable timeouts which may cause all `get()` requests to get stuck\n forever.\n\n - `generateOnReadError` - if `false`, an upstream cache read error will stop the `cache.get()`\n method from calling the generate function and will instead pass back the cache error. Defaults\n to `true`.\n\n - `generateIgnoreWriteError` - if `false`, an upstream cache write error when calling\n `cache.get()` will be passed back with the generated value when calling. Defaults to `true`.\n\n - `dropOnError` - if `true`, an error or timeout in the `generateFunc` causes the stale value\n to be evicted from the cache. Defaults to `true`.\n\n - `pendingGenerateTimeout` - number of milliseconds while `generateFunc` call is in progress\n for a given id, before a subsequent `generateFunc` call is allowed. Defaults to `0` (no\n blocking of concurrent `generateFunc` calls beyond `staleTimeout`).\n\n - `cache` - the cache name configured in [`server.cache`](#server.options.cache). Defaults to\n the default cache.\n\n - `segment` - string segment name, used to isolate cached items within the cache partition.\n When called within a plugin, defaults to '!name' where 'name' is the plugin name. When called\n within a server method, defaults to '#name' where 'name' is the server method name. Required\n when called outside of a plugin.\n\n - `shared` - if `true`, allows multiple cache provisions to share the same segment. Default to\n `false`.\n\nReturn value: a [**catbox** policy](https://hapi.dev/family/catbox/api#policy) object.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n const cache = server.cache({ segment: 'countries', expiresIn: 60 * 60 * 1000 });\n await cache.set('norway', { capital: 'oslo' });\n const value = await cache.get('norway');\n}\n```\n\n### `await server.cache.provision(options)`\n\nProvisions a server cache as described in [`server.cache`](#server.options.cache) where:\n\n- `options` - same as the server [`cache`](#server.options.cache) configuration options.\n\nReturn value: none.\n\nNote that if the server has been initialized or started, the cache will be automatically started\nto match the state of any other provisioned server cache.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n await server.initialize();\n await server.cache.provision({ provider: require('@hapi/catbox-memory'), name: 'countries' });\n\n const cache = server.cache({ cache: 'countries', expiresIn: 60 * 60 * 1000 });\n await cache.set('norway', { capital: 'oslo' });\n const value = await cache.get('norway');\n}\n```\n\n### `server.control(server)`\n\nLinks another server to the initialize/start/stop state of the current server by calling the\ncontrolled server `initialize()`/`start()`/`stop()` methods whenever the current server methods\nare called, where:\n\n- `server` - the **hapi** server object to be controlled.\n\n### `server.decoder(encoding, decoder)`\n\nRegisters a custom content decoding compressor to extend the built-in support for `'gzip'` and\n'`deflate`' where:\n\n- `encoding` - the decoder name string.\n\n- `decoder` - a function using the signature `function(options)` where `options` are the encoding\n specific options configured in the route [`payload.compression`](#route.options.payload.compression)\n configuration option, and the return value is an object compatible with the output of node's\n [`zlib.createGunzip()`](https://nodejs.org/api/zlib.html#zlib_zlib_creategunzip_options).\n\nReturn value: none.\n\n```js\nconst Zlib = require('zlib');\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80, routes: { payload: { compression: { special: { chunkSize: 16 * 1024 } } } } });\n\nserver.decoder('special', (options) => Zlib.createGunzip(options));\n```\n\n### `server.decorate(type, property, method, [options])`\n\nExtends various framework interfaces with custom methods where:\n\n- `type` - the interface being decorated. Supported types:\n\n - `'handler'` - adds a new handler type to be used in [routes handlers](#route.options.handler).\n - `'request'` - adds methods to the [Request object](#request).\n - `'response'` - adds methods to the [Response object](#response-object).\n - `'server'` - adds methods to the [Server](#server) object.\n - `'toolkit'` - adds methods to the [response toolkit](#response-toolkit).\n\n- `property` - the object decoration key name or symbol.\n\n- `method` - the extension function or other value.\n\n- `options` - (optional) supports the following optional settings:\n - `apply` - when the `type` is `'request'`, if `true`, the `method` function is invoked using\n the signature `function(request)` where `request` is the current request object and the\n returned value is assigned as the decoration.\n - `extend` - if `true`, overrides an existing decoration. The `method` must be a function with\n the signature `function(existing)` where:\n - `existing` - is the previously set decoration method value.\n - must return the new decoration function or value.\n - cannot be used to extend handler decorations.\n\nReturn value: none.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst success = function () {\n\n return this.response({ status: 'ok' });\n};\n\nserver.decorate('toolkit', 'success', success);\n\nserver.route({\n method: 'GET',\n path: '/',\n handler: function (request, h) {\n\n return h.success();\n }\n});\n```\n\nWhen registering a handler decoration, the `method` must be a function using the signature\n`function(route, options)` where:\n\n- `route` - the [route information](#request.route).\n- `options` - the configuration object provided in the handler config.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ host: 'localhost', port: 8000 });\n\n // Defines new handler for routes on this server\n\n const handler = function (route, options) {\n\n return function (request, h) {\n\n return 'new handler: ' + options.msg;\n }\n };\n\n server.decorate('handler', 'test', handler);\n\n server.route({\n method: 'GET',\n path: '/',\n handler: { test: { msg: 'test' } }\n });\n\n await server.start();\n}\n```\n\nThe `method` function can have a `defaults` object or function property. If the property is set to\nan object, that object is used as the default route config for routes using this handler. If the\nproperty is set to a function, the function uses the signature `function(method)` and returns the\nroute default configuration.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ host: 'localhost', port: 8000 });\n\nconst handler = function (route, options) {\n\n return function (request, h) {\n\n return 'new handler: ' + options.msg;\n }\n};\n\n// Change the default payload processing for this handler\n\nhandler.defaults = {\n payload: {\n output: 'stream',\n parse: false\n }\n};\n\nserver.decorate('handler', 'test', handler);\n```\n\n### `server.dependency(dependencies, [after])`\n\nUsed within a plugin to declare a required dependency on other [plugins](#plugins) required for\nthe current plugin to operate (plugins listed must be registered before the server is initialized\nor started) where:\n\n- `dependencies` - one of:\n - a single plugin name string.\n - an array of plugin name strings.\n - an object where each key is a plugin name and each matching value is a\n [version range string](https://www.npmjs.com/package/semver) which must match the registered\n plugin version.\n\n- `after` - (optional) a function that is called after all the specified dependencies have been\nregistered and before the server starts. The function is only called if the server is initialized\nor started. The function signature is `async function(server)` where:\n\n - `server` - the server the `dependency()` method was called on.\n\nReturn value: none.\n\nThe `after` method is identical to setting a server extension point on `'onPreStart'`.\n\nIf a circular dependency is detected, an exception is thrown (e.g. two plugins each has an `after`\nfunction to be called after the other).\n\n```js\nconst after = function (server) {\n\n // Additional plugin registration logic\n};\n\nexports.plugin = {\n name: 'example',\n register: function (server, options) {\n\n server.dependency('yar', after);\n }\n};\n```\n\nDependencies can also be set via the plugin `dependencies` property (does not support setting\n`after`):\n\n```js\nexports.plugin = {\n name: 'test',\n version: '1.0.0',\n dependencies: {\n yar: '1.x.x'\n },\n register: function (server, options) { }\n};\n```\n\nThe `dependencies` configuration accepts one of:\n - a single plugin name string.\n - an array of plugin name strings.\n - an object where each key is a plugin name and each matching value is a\n [version range string](https://www.npmjs.com/package/semver) which must match the registered\n plugin version.\n\n### `server.encoder(encoding, encoder)`\n\nRegisters a custom content encoding compressor to extend the built-in support for `'gzip'` and\n'`deflate`' where:\n\n- `encoding` - the encoder name string.\n\n- `encoder` - a function using the signature `function(options)` where `options` are the encoding\n specific options configured in the route [`compression`](#route.options.compression) option, and\n the return value is an object compatible with the output of node's\n [`zlib.createGzip()`](https://nodejs.org/api/zlib.html#zlib_zlib_creategzip_options).\n\nReturn value: none.\n\n```js\nconst Zlib = require('zlib');\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80, routes: { compression: { special: { chunkSize: 16 * 1024 } } } });\n\nserver.encoder('special', (options) => Zlib.createGzip(options));\n```\n\n### `server.event(events)`\n\nRegister custom application events where:\n\n- `events` - must be one of:\n\n - an event name string.\n\n - an event options object with the following optional keys (unless noted otherwise):\n\n - `name` - the event name string (required).\n\n - `channels` - a string or array of strings specifying the event channels available. Defaults to no channel restrictions (event updates can specify a channel or not).\n\n - `clone` - if `true`, the `data` object passed to [`server.events.emit()`](#server.events.emit()) is cloned before it is passed to the listeners (unless an override specified by each listener). Defaults to `false` (`data` is passed as-is).\n\n - `spread` - if `true`, the `data` object passed to [`server.event.emit()`](#server.event.emit()) must be an array and the `listener` method is called with each array element passed as a separate argument (unless an override specified by each listener). This should only be used when the emitted data structure is known and predictable. Defaults to `false` (`data` is emitted as a single argument regardless of its type).\n\n - `tags` - if `true` and the `criteria` object passed to [`server.event.emit()`](#server.event.emit()) includes `tags`, the tags are mapped to an object (where each tag string is the key and the value is `true`) which is appended to the arguments list at the end. A configuration override can be set by each listener. Defaults to `false`.\n\n - `shared` - if `true`, the same event `name` can be registered multiple times where the second registration is ignored. Note that if the registration config is changed between registrations, only the first configuration is used. Defaults to `false` (a duplicate registration will throw an error).\n\n - an array containing any of the above.\n\nReturn value: none.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n server.event('test');\n server.events.on('test', (update) => console.log(update));\n await server.events.gauge('test', 'hello');\n}\n```\n\n### `server.events.emit(criteria, data)`\n\nEmits a custom application event to all the subscribed listeners where:\n\n- `criteria` - the event update criteria which must be one of:\n\n - the event name string.\n - an object with the following optional keys (unless noted otherwise):\n - `name` - the event name string (required).\n - `channel` - the channel name string.\n - `tags` - a tag string or array of tag strings.\n\n- `data` - the value emitted to the subscribers. If `data` is a function, the function signature is `function()` and it called once to generate (return value) the actual data emitted to the listeners. If no listeners match the event, the `data` function is not invoked.\n\nReturn value: none.\n\nNote that events must be registered before they can be emitted or subscribed to by calling [`server.event(events)`](#server.event()). This is done to detect event name misspelling and invalid event activities.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n server.event('test');\n server.events.on('test', (update) => console.log(update));\n server.events.emit('test', 'hello');\n}\n```\n\n### `server.events.on(criteria, listener, context)`\n\nSubscribe to an event where:\n\n- `criteria` - the subscription criteria which must be one of:\n\n - event name string which can be any of the [built-in server events](#server.events) or a\n custom application event registered with [`server.event()`](#server.event()).\n\n - a criteria object with the following optional keys (unless noted otherwise):\n\n - `name` - (required) the event name string.\n\n - `channels` - a string or array of strings specifying the event channels to subscribe to.\n If the event registration specified a list of allowed channels, the `channels` array must\n match the allowed channels. If `channels` are specified, event updates without any\n channel designation will not be included in the subscription. Defaults to no channels\n filter.\n\n - `clone` - if `true`, the `data` object passed to [`server.event.emit()`](#server.event.emit())\n is cloned before it is passed to the `listener` method. Defaults to the event\n registration option (which defaults to `false`).\n\n - `count` - a positive integer indicating the number of times the `listener` can be called\n after which the subscription is automatically removed. A count of `1` is the same as\n calling `server.events.once()`. Defaults to no limit.\n\n - `filter` - the event tags (if present) to subscribe to which can be one of:\n\n - a tag string.\n - an array of tag strings.\n - an object with the following:\n\n - `tags` - a tag string or array of tag strings.\n - `all` - if `true`, all `tags` must be present for the event update to match the\n subscription. Defaults to `false` (at least one matching tag).\n\n - `spread` - if `true`, and the `data` object passed to [`server.event.emit()`](#server.event.emit())\n is an array, the `listener` method is called with each array element passed as a separate\n argument. This should only be used when the emitted data structure is known and\n predictable. Defaults to the event registration option (which defaults to `false`).\n\n - `tags` - if `true` and the `criteria` object passed to [`server.event.emit()`](#server.event.emit())\n includes `tags`, the tags are mapped to an object (where each tag string is the key and\n the value is `true`) which is appended to the arguments list at the end. Defaults to the\n event registration option (which defaults to `false`).\n\n- `listener` - the handler method set to receive event updates. The function signature depends on\n the event argument, and the `spread` and `tags` options.\n- `context` - an object that binds to the listener handler.\n\nReturn value: none.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n server.event('test');\n server.events.on('test', (update) => console.log(update));\n server.events.emit('test', 'hello');\n}\n```\n\n### `server.events.once(criteria, listener, context)`\n\nSame as calling [`server.events.on()`](#server.events.on()) with the `count` option set to `1`.\n\nReturn value: none.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n server.event('test');\n server.events.once('test', (update) => console.log(update));\n server.events.emit('test', 'hello');\n server.events.emit('test', 'hello'); // Ignored\n}\n```\n\n### `await server.events.once(criteria)`\n\nSame as calling [`server.events.on()`](#server.events.on()) with the `count` option set to `1`.\n\n Return value: a promise that resolves when the event is emitted.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n server.event('test');\n const pending = server.events.once('test');\n server.events.emit('test', 'hello');\n const update = await pending;\n}\n```\n\n### `await server.events.gauge(criteria, data)`\n\nBehaves identically to [`server.events.emit()`](#server.events.emit()), but also returns an array of the results of all the event listeners that run. The return value is that of `Promise.allSettled()`, where each item in the resulting array is `{ status: 'fulfilled', value }` in the case of a successful handler, or `{ status: 'rejected', reason }` in the case of a handler that throws.\n\nPlease note that system errors such as a `TypeError` are not handled specially, and it's recommended to scrutinize any rejections using something like [bounce](https://hapi.dev/module/bounce/).\n\n### `server.expose(key, value, [options])`\n\nUsed within a plugin to expose a property via [`server.plugins[name]`](#server.plugins) where:\n\n- `key` - the key assigned ([`server.plugins[name][key]`](#server.plugins)).\n- `value` - the value assigned.\n- `options` - optional settings:\n - `scope` - controls how to handle the presence of a plugin scope in the name (e.g. `@hapi/test`):\n - `false` - the scope is removed (e.g. `@hapi/test` is changed to `test` under `server.plugins`). This is the default.\n - `true` - the scope is retained as-is (e.g. `@hapi/test` is used as `server.plugins['@hapi/test']`).\n - `'underscore'` - the scope is rewritten (e.g. `@hapi/test` is used as `server.plugins.hapi__test`).\n\nReturn value: none.\n\n```js\nexports.plugin =\n name: 'example',\n register: function (server, options) {\n\n server.expose('util', () => console.log('something'));\n }\n};\n```\n\n### `server.expose(obj)`\n\nMerges an object into to the existing content of [`server.plugins[name]`](#server.plugins) where:\n\n- `obj` - the object merged into the exposed properties container.\n\nReturn value: none.\n\n```js\nexports.plugin = {\n name: 'example',\n register: function (server, options) {\n\n server.expose({ util: () => console.log('something') });\n }\n};\n```\n\nNote that all the properties of `obj` are deeply cloned into [`server.plugins[name]`](#server.plugins),\nso avoid using this method for exposing large objects that may be expensive to clone or singleton\nobjects such as database client objects. Instead favor [`server.expose(key, value)`](#server.expose()),\nwhich only copies a reference to `value`.\n\n### `server.ext(events)`\n\nRegisters an extension function in one of the [request lifecycle](#request-lifecycle) extension\npoints where:\n\n- `events` - an object or array of objects with the following:\n\n - `type` - (required) the extension point event name. The available extension points include\n the [request extension points](#request-lifecycle) as well as the following server extension\n points:\n\n - `'onPreStart'` - called before the connection listeners are started.\n - `'onPostStart'` - called after the connection listeners are started.\n - `'onPreStop'` - called before the connection listeners are stopped.\n - `'onPostStop'` - called after the connection listeners are stopped.\n\n - `method` - (required) a function or an array of functions to be executed at a specified point\n during request processing. The required extension function signature is:\n\n - server extension points: `async function(server)` where:\n\n - `server` - the server object.\n - `this` - the object provided via `options.bind` or the current active context set\n with [`server.bind()`](#server.bind()).\n\n - request extension points: a [lifecycle method](#lifecycle-methods).\n\n - `options` - (optional) an object with the following:\n\n - `before` - a string or array of strings of plugin names this method must execute before\n (on the same event). Otherwise, extension methods are executed in the order added.\n\n - `after` - a string or array of strings of plugin names this method must execute after (on\n the same event). Otherwise, extension methods are executed in the order added.\n\n - `bind` - a context object passed back to the provided method (via `this`) when called.\n Ignored if the method is an arrow function.\n\n - `sandbox` - if set to `'plugin'` when adding a [request extension points](#request-lifecycle)\n the extension is only added to routes defined by the current plugin. Not allowed when\n configuring route-level extensions, or when adding server extensions. Defaults to\n `'server'` which applies to any route added to the server the extension is added to.\n\n - `timeout` - number of milliseconds to wait for the `method` to complete before returning\n a timeout error. Defaults to no timeout.\n\nReturn value: none.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n\n server.ext({\n type: 'onRequest',\n method: function (request, h) {\n\n // Change all requests to '/test'\n\n request.setUrl('/test');\n return h.continue;\n }\n });\n\n server.route({ method: 'GET', path: '/test', handler: () => 'ok' });\n await server.start();\n\n // All requests will get routed to '/test'\n}\n```\n\n### `server.ext(event, [method, [options]])`\n\nRegisters a single extension event using the same properties as used in [`server.ext(events)`](#server.ext()), but passed as arguments.\n\nThe `method` may be omitted (if `options` isn't present) or passed `null` which will cause the function to return a promise. The promise is resolved with the `request` object on the first invocation of the extension point. This is primarily used for writing tests without having to write custom handlers just to handle a single event.\n\nReturn value: a promise if `method` is omitted, otherwise `undefined`.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n\n server.ext('onRequest', function (request, h) {\n\n // Change all requests to '/test'\n\n request.setUrl('/test');\n return h.continue;\n });\n\n server.route({ method: 'GET', path: '/test', handler: () => 'ok' });\n await server.start();\n\n // All requests will get routed to '/test'\n}\n```\n\n### `await server.initialize()`\n\nInitializes the server (starts the caches, finalizes plugin registration) but does not start\nlistening on the connection port.\n\nReturn value: none.\n\nNote that if the method fails and throws an error, the server is considered to be in an undefined\nstate and should be shut down. In most cases it would be impossible to fully recover as the various\nplugins, caches, and other event listeners will get confused by repeated attempts to start the\nserver or make assumptions about the healthy state of the environment. It is recommended to abort\nthe process when the server fails to start properly. If you must try to resume after an error, call\n[`server.stop()`](#server.stop()) first to reset the server state.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst Hoek = require('@hapi/hoek');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n await server.initialize();\n}\n```\n\n### `await server.inject(options)`\n\nInjects a request into the server simulating an incoming HTTP request without making an actual\nsocket connection. Injection is useful for testing purposes as well as for invoking routing logic\ninternally without the overhead and limitations of the network stack.\n\nThe method utilizes the [**shot**](https://hapi.dev/family/shot/api) module for performing\ninjections, with some additional options and response properties:\n\n- `options` - can be assigned a string with the requested URI, or an object with:\n\n - `method` - (optional) the request HTTP method (e.g. `'POST'`). Defaults to `'GET'`.\n\n - `url` - (required) the request URL. If the URI includes an authority\n (e.g. `'example.com:8080'`), it is used to automatically set an HTTP 'Host' header, unless\n one was specified in `headers`.\n\n - `authority` - (optional) a string specifying the HTTP 'Host' header value. Only used if 'Host'\n is not specified in `headers` and the `url` does not include an authority component.\n Default is inferred from runtime server information.\n\n - `headers` - (optional) an object with optional request headers where each key is the header\n name and the value is the header content. Defaults to no additions to the default **shot**\n headers.\n\n - `payload` - (optional) an string, buffer or object containing the request payload. In case of\n an object it will be converted to a string for you. Defaults to no payload. Note that payload\n processing defaults to `'application/json'` if no 'Content-Type' header provided.\n\n - `auth` - (optional) an object containing parsed authentication credentials where:\n\n - `strategy` - (required) the authentication strategy name matching the provided\n credentials.\n\n - `credentials` - (required) a credentials object containing authentication information.\n The `credentials` are used to bypass the default authentication strategies, and are\n validated directly as if they were received via an authentication scheme.\n\n - `artifacts` - (optional) an artifacts object containing authentication artifact\n information. The `artifacts` are used to bypass the default authentication strategies,\n and are validated directly as if they were received via an authentication scheme.\n Defaults to no artifacts.\n\n - `payload` - (optional) disables payload authentication when set to false.\n Only required when an authentication strategy requires payload authentication.\n Defaults to `true`.\n\n - `app` - (optional) sets the initial value of `request.app`, defaults to `{}`.\n\n - `plugins` - (optional) sets the initial value of `request.plugins`, defaults to `{}`.\n\n - `allowInternals` - (optional) allows access to routes with `options.isInternal` set to `true`.\n Defaults to `false`.\n\n - `remoteAddress` - (optional) sets the remote address for the incoming connection.\n\n - `simulate` - (optional) an object with options used to simulate client request stream\n conditions for testing:\n\n - `error` - if `true`, emits an `'error'` event after payload transmission (if any).\n Defaults to `false`.\n\n - `close` - if `true`, emits a `'close'` event after payload transmission (if any).\n Defaults to `false`.\n\n - `end` - if `false`, does not end the stream. Defaults to `true`.\n\n - `split` - indicates whether the request payload will be split into chunks. Defaults to\n `undefined`, meaning payload will not be chunked.\n\n - `validate` - (optional) if `false`, the `options` inputs are not validated. This is\n recommended for run-time usage of `inject()` to make it perform faster where input validation\n can be tested separately.\n\nReturn value: a response object with the following properties:\n\n- `statusCode` - the HTTP status code.\n\n- `headers` - an object containing the headers set.\n\n- `payload` - the response payload string.\n\n- `rawPayload` - the raw response payload buffer.\n\n- `raw` - an object with the injection request and response objects:\n\n - `req` - the simulated node request object.\n - `res` - the simulated node response object.\n\n- `result` - the raw handler response (e.g. when not a stream or a view) before it is\n serialized for transmission. If not available, the value is set to `payload`. Useful for\n inspection and reuse of the internal objects returned (instead of parsing the response\n string).\n\n- `request` - the [request object](#request).\n\nThrows a Boom error if the request processing fails. The partial response object is exposed on\nthe `data` property.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n server.route({ method: 'GET', path: '/', handler: () => 'Success!' });\n\n const res = await server.inject('/');\n console.log(res.result); // 'Success!'\n}\n```\n\n### `server.log(tags, [data, [timestamp]])`\n\nLogs server events that cannot be associated with a specific request. When called the server emits\na `'log'` event which can be used by other listeners or [plugins](#plugins) to record the\ninformation or output to the console. The arguments are:\n\n- `tags` - (required) a string or an array of strings (e.g. `['error', 'database', 'read']`) used\n to identify the event. Tags are used instead of log levels and provide a much more expressive\n mechanism for describing and filtering events. Any logs generated by the server internally\n include the `'hapi'` tag along with event-specific information.\n\n- `data` - (optional) an message string or object with the application data being logged. If `data`\n is a function, the function signature is `function()` and it called once to generate (return\n value) the actual data emitted to the listeners. If no listeners match the event, the `data`\n function is not invoked.\n\n- `timestamp` - (optional) an timestamp expressed in milliseconds. Defaults to `Date.now()` (now).\n\nReturn value: none.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nserver.events.on('log', (event, tags) => {\n\n if (tags.error) {\n console.log(event);\n }\n});\n\nserver.log(['test', 'error'], 'Test event');\n```\n\n### `server.lookup(id)`\n\nLooks up a route configuration where:\n\n- `id` - the [route identifier](#route.options.id).\n\nReturn value: the [route information](#request.route) if found, otherwise `null`.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server();\nserver.route({\n method: 'GET',\n path: '/',\n options: {\n id: 'root',\n handler: () => 'ok'\n }\n});\n\nconst route = server.lookup('root');\n```\n\n### `server.match(method, path, [host])`\n\nLooks up a route configuration where:\n\n- `method` - the HTTP method (e.g. 'GET', 'POST').\n- `path` - the requested path (must begin with '/').\n- `host` - (optional) hostname (to match against routes with `vhost`).\n\nReturn value: the [route information](#request.route) if found, otherwise `null`.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server();\nserver.route({\n method: 'GET',\n path: '/',\n options: {\n id: 'root',\n handler: () => 'ok'\n }\n});\n\nconst route = server.match('get', '/');\n```\n\n### `server.method(name, method, [options])`\n\nRegisters a [server method](#server.methods) where:\n\n- `name` - a unique method name used to invoke the method via [`server.methods[name]`](#server.method).\n\n- `method` - the method function with a signature `async function(...args, [flags])` where:\n - `...args` - the method function arguments (can be any number of arguments or none).\n - `flags` - when caching is enabled, an object used to set optional method result flags. This\n parameter is provided automatically and can only be accessed/modified within the method\n function. It cannot be passed as an argument.\n - `ttl` - `0` if result is valid but cannot be cached. Defaults to cache policy.\n\n- `options` - (optional) configuration object:\n\n - `bind` - a context object passed back to the method function (via `this`) when called.\n Defaults to active context (set via [`server.bind()`](#server.bind()) when the method is\n registered. Ignored if the method is an arrow function.\n\n - `cache` - the same cache configuration used in [`server.cache()`](#server.cache()). The\n `generateTimeout` option is required, and the `generateFunc` options is not allowed.\n\n - `generateKey` - a function used to generate a unique key (for caching) from the arguments\n passed to the method function (the `flags` argument is not passed as input). The server\n will automatically generate a unique key if the function's arguments are all of types\n `'string'`, `'number'`, or `'boolean'`. However if the method uses other types of arguments,\n a key generation function must be provided which takes the same arguments as the function and\n returns a unique string (or `null` if no key can be generated).\n\nReturn value: none.\n\nMethod names can be nested (e.g. `utils.users.get`) which will automatically create the full path\nunder [`server.methods`](#server.methods) (e.g. accessed via `server.methods.utils.users.get`).\n\nWhen configured with caching enabled, `server.methods[name].cache` is assigned an object with the\nfollowing properties and methods:\n - `await drop(...args)` - a function that can be used to clear the cache for a given key.\n - `stats` - an object with cache statistics, see **catbox** for stats documentation.\n\nSimple arguments example:\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n\n const add = (a, b) => (a + b);\n server.method('sum', add, { cache: { expiresIn: 2000, generateTimeout: 100 } });\n\n console.log(await server.methods.sum(4, 5)); // 9\n}\n```\n\nObject argument example:\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n\n const addArray = function (array) {\n\n let sum = 0;\n array.forEach((item) => {\n\n sum += item;\n });\n\n return sum;\n };\n\n const options = {\n cache: { expiresIn: 2000, generateTimeout: 100 },\n generateKey: (array) => array.join(',')\n };\n\n server.method('sumObj', addArray, options);\n\n console.log(await server.methods.sumObj([5, 6])); // 11\n}\n```\n\n### `server.method(methods)`\n\nRegisters a server method function as described in [`server.method()`](#server.method()) using a\nconfiguration object where:\n\n- `methods` - an object or an array of objects where each one contains:\n\n - `name` - the method name.\n - `method` - the method function.\n - `options` - (optional) settings.\n\nReturn value: none.\n\n```js\nconst add = function (a, b) {\n\n return a + b;\n};\n\nserver.method({\n name: 'sum',\n method: add,\n options: {\n cache: {\n expiresIn: 2000,\n generateTimeout: 100\n }\n }\n});\n```\n\n### `server.path(relativeTo)`\n\nSets the path prefix used to locate static resources (files and view templates) when relative paths\nare used where:\n\n- `relativeTo` - the path prefix added to any relative file path starting with `'.'`.\n\nReturn value: none.\n\nNote that setting a path within a plugin only applies to resources accessed by plugin methods.\nIf no path is set, the server default [route configuration](#server.options.routes)\n[`files.relativeTo`](#route.options.files) settings is used. The path only applies to routes added\nafter it has been set.\n\n```js\nexports.plugin = {\n name: 'example',\n register: function (server, options) {\n\n // Assuming the Inert plugin was registered previously\n\n server.path(__dirname + '../static');\n server.route({ path: '/file', method: 'GET', handler: { file: './test.html' } });\n }\n};\n```\n\n### `await server.register(plugins, [options])`\n\nRegisters a plugin where:\n\n- `plugins` - one or an array of:\n\n - a [plugin object](#plugins).\n\n - an object with the following:\n - `plugin` - a [plugin object](#plugins).\n - `options` - (optional) options passed to the plugin during registration.\n - `once`, `routes` - (optional) plugin-specific registration options as defined below.\n\n- `options` - (optional) registration options (different from the options passed to the\n registration function):\n\n - `once` - if `true`, subsequent registrations of the same plugin are skipped without error.\n Cannot be used with plugin options. Defaults to `false`.\n If not set to `true`, an error will be thrown the second time a plugin is registered on the server.\n\n - `routes` - modifiers applied to each route added by the plugin:\n\n - `prefix` - string added as prefix to any route path (must begin with `'/'`). If a plugin\n registers a child plugin the `prefix` is passed on to the child or is added in front of\n the child-specific prefix.\n - `vhost` - virtual host string (or array of strings) applied to every route. The\n outer-most `vhost` overrides the any nested configuration.\n\nReturn value: a reference to the `server`.\n\n```js\nasync function example() {\n\n await server.register({ plugin: require('plugin_name'), options: { message: 'hello' } });\n}\n```\n\n### `server.route(route)`\n\nAdds a route where:\n\n- `route` - a route configuration object or an array of configuration objects where each object\n contains:\n\n - `path` - (required) the absolute path used to match incoming requests (must begin with '/').\n Incoming requests are compared to the configured paths based on the server's\n [`router`](#server.options.router) configuration. The path can include named parameters\n enclosed in `{}` which will be matched against literal values in the request as described in\n [Path parameters](#path-parameters).\n\n - `method` - (required) the HTTP method. Typically one of 'GET', 'POST', 'PUT', 'PATCH',\n 'DELETE', or 'OPTIONS'. Any HTTP method is allowed, except for 'HEAD'. Use `'*'` to match\n against any HTTP method (only when an exact match was not found, and any match with a\n specific method will be given a higher priority over a wildcard match). Can be assigned an\n array of methods which has the same result as adding the same route with different methods\n manually.\n\n - `vhost` - (optional) a domain string or an array of domain strings for limiting the route to\n only requests with a matching host header field. Matching is done against the hostname part\n of the header only (excluding the port). Defaults to all hosts.\n\n - `handler` - (required when [`handler`](#route.options.handler) is not set) the route\n handler function called to generate the response after successful authentication and\n validation.\n\n - `options` - additional [route options](#route-options). The `options` value can be an object\n or a function that returns an object using the signature `function(server)` where `server` is\n the server the route is being added to and `this` is bound to the current\n [realm](#server.realm)'s `bind` option.\n\n - `rules` - route custom rules object. The object is passed to each rules processor registered\n with [`server.rules()`](#server.rules()). Cannot be used if\n [`route.options.rules`](#route.options.rules) is defined.\n\nReturn value: none.\n\nNote that the `options` object is deeply cloned (with the exception of `bind` which is shallowly\ncopied) and cannot contain any values that are unsafe to perform deep copy on.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\n// Handler in top level\n\nserver.route({ method: 'GET', path: '/status', handler: () => 'ok' });\n\n// Handler in config\n\nconst user = {\n cache: { expiresIn: 5000 },\n handler: function (request, h) {\n\n return { name: 'John' };\n }\n};\n\nserver.route({ method: 'GET', path: '/user', options: user });\n\n// An array of routes\n\nserver.route([\n { method: 'GET', path: '/1', handler: function (request, h) { return 'ok'; } },\n { method: 'GET', path: '/2', handler: function (request, h) { return 'ok'; } }\n]);\n```\n\n#### Path parameters\n\nParameterized paths are processed by matching the named parameters to the content of the incoming\nrequest path at that path segment. For example, `'/book/{id}/cover'` will match `'/book/123/cover'` and\n`request.params.id` will be set to `'123'`. Each path segment (everything between the opening `'/'`\nand the closing `'/'` unless it is the end of the path) can only include one named parameter. A\nparameter can cover the entire segment (`'/{param}'`) or part of the segment (`'/file.{ext}'`). A path\nparameter may only contain letters, numbers and underscores, e.g. `'/{file-name}'` is invalid\nand `'/{file_name}'` is valid.\n\nAn optional `'?'` suffix following the parameter name indicates an optional parameter (only allowed\nif the parameter is at the ends of the path or only covers part of the segment as in\n`'/a{param?}/b'`). For example, the route `'/book/{id?}'` matches `'/book/'` with the value of\n`request.params.id` set to an empty string `''`.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst getAlbum = function (request, h) {\n\n return 'You asked for ' +\n (request.params.song ? request.params.song + ' from ' : '') +\n request.params.album;\n};\n\nserver.route({\n path: '/{album}/{song?}',\n method: 'GET',\n handler: getAlbum\n});\n```\n\nIn addition to the optional `?` suffix, a parameter name can also specify the number of matching\nsegments using the `*` suffix, followed by a number greater than 1. If the number of expected parts\ncan be anything, then use `*` without a number (matching any number of segments can only be used in\nthe last path segment).\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst getPerson = function (request, h) {\n\n const nameParts = request.params.name.split('/');\n return { first: nameParts[0], last: nameParts[1] };\n};\n\nserver.route({\n path: '/person/{name*2}', // Matches '/person/john/doe'\n method: 'GET',\n handler: getPerson\n});\n```\n\n#### Path matching order\n\nThe router iterates through the routing table on each incoming request and executes the first (and\nonly the first) matching route. Route matching is done based on the combination of the request path\nand the HTTP verb (e.g. 'GET, 'POST'). The query is excluded from the routing logic. Requests are\nmatched in a deterministic order where the order in which routes are added does not matter.\n\nRoutes are matched based on the specificity of the route which is evaluated at each segment of the\nincoming request path. Each request path is split into its segment (the parts separated by `'/'`).\nThe segments are compared to the routing table one at a time and are matched against the most\nspecific path until a match is found. If no match is found, the next match is tried.\n\nWhen matching routes, string literals (no path parameter) have the highest priority, followed by\nmixed parameters (`'/a{p}b'`), parameters (`'/{p}'`), and then wildcard (`/{p*}`).\n\nNote that mixed parameters are slower to compare as they cannot be hashed and require an array\niteration over all the regular expressions representing the various mixed parameter at each\nrouting table node.\n\n#### Catch all route\n\nIf the application needs to override the default Not Found (404) error response, it can add a\ncatch-all route for a specific method or all methods. Only one catch-all route can be defined.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst handler = function (request, h) {\n\n return h.response('The page was not found').code(404);\n};\n\nserver.route({ method: '*', path: '/{p*}', handler });\n```\n\n### `server.rules(processor, [options])`\n\nDefines a route rules processor for converting route rules object into route configuration where:\n\n- `processor` - a function using the signature `function(rules, info)` where:\n - `rules` - the [custom object](#route.options.rules) defined in your routes configuration for you to use its values.\n - `info` - an object with the following properties:\n - `method` - the route method.\n - `path` - the route path.\n - `vhost` - the route virtual host (if any defined).\n - returns a route config object.\n\n- `options` - optional settings:\n - `validate` - rules object validation:\n - `schema` - **joi** schema.\n - `options` - optional **joi** validation options. Defaults to `{ allowUnknown: true }`.\n\nNote that the root server and each plugin server instance can only register one rules processor.\nIf a route is added after the rules are configured, it will not include the rules config. Routes\nadded by plugins apply the rules to each of the parent realms' rules from the root to the route's\nrealm. This means the processor defined by the plugin overrides the config generated by the root\nprocessor if they overlap. Similarly, the route's own config overrides the config produced by the rules processors.\n\n```js\nconst validateSchema = {\n auth: Joi.string(),\n myCustomPre: Joi.array().min(2).items(Joi.string()),\n payload: Joi.object()\n};\n\nconst myPreHelper = (name) => {\n\n return {\n method: (request, h) => {\n\n return `hello ${name || 'world'}!`;\n },\n assign: 'myPreHelper'\n };\n};\n\nconst processor = (rules, info) => {\n\n if (!rules) {\n return null;\n }\n\n const options = {};\n\n if (rules.auth) {\n options.auth = {\n strategy: rules.auth,\n validate: {\n entity: 'user'\n }\n };\n }\n\n if (rules.myCustomPre) {\n options.pre = [\n myPreHelper(...rules.myCustomPre)\n ];\n }\n\n if (rules.payload) {\n options.validate = { payload: Joi.object(rules.payload) };\n }\n\n return options;\n};\n\nserver.rules(processor, {\n validate: { schema: validateSchema }\n});\n\nserver.route({\n method: 'GET',\n path: '/',\n rules: {\n auth: 'jwt',\n myCustomPre: ['arg1', 'arg2'],\n payload: { a: Joi.boolean(), b: Joi.string() }\n },\n options: {\n id: 'my-route'\n }\n});\n```\n\n### `await server.start()`\n\nStarts the server by listening for incoming requests on the configured port (unless the connection\nwas configured with [`autoListen`](#server.options.autoListen) set to `false`).\n\nReturn value: none.\n\nNote that if the method fails and throws an error, the server is considered to be in an undefined\nstate and should be shut down. In most cases it would be impossible to fully recover as the various\nplugins, caches, and other event listeners will get confused by repeated attempts to start the\nserver or make assumptions about the healthy state of the environment. It is recommended to abort\nthe process when the server fails to start properly. If you must try to resume after an error, call\n[`server.stop()`](#server.stop()) first to reset the server state.\n\nIf a started server is started again, the second call to `server.start()` is ignored. No events\nwill be emitted and no extension points invoked.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n await server.start();\n console.log('Server started at: ' + server.info.uri);\n}\n```\n\n### `server.state(name, [options])`\n\n[HTTP state management](https://tools.ietf.org/html/rfc6265) uses client cookies to persist a state\nacross multiple requests. Registers a cookie definitions where:\n\n- `name` - the cookie name string.\n\n- `options` - are the optional cookie settings:\n\n - `ttl` - time-to-live in milliseconds. Defaults to `null` (session time-life - cookies are deleted when the browser is closed).\n\n - `isSecure` - sets the 'Secure' flag. Defaults to `true`.\n\n - `isHttpOnly` - sets the 'HttpOnly' flag. Defaults to `true`.\n\n - `isSameSite` - sets the ['SameSite' flag](https://www.owasp.org/index.php/SameSite). The value must be one of:\n\n - `false` - no flag.\n - `'Strict'` - sets the value to `'Strict'` (this is the default value).\n - `'Lax'` - sets the value to `'Lax'`.\n - `'None'` - sets the value to `'None'`.\n\n - `isPartitioned` - sets the ['Partitioned' flag](https://developers.google.com/privacy-sandbox/3pcd/chips). Defaults to `false`. Requires `isSecure` to be `true` and `isSameSite` to be `'None'`.\n\n - `path` - the path scope. Defaults to `null` (no path).\n\n - `domain` - the domain scope. Defaults to `null` (no domain).\n\n - `autoValue` - if present and the cookie was not received from the client or explicitly set by the route handler, the cookie is automatically added to the response with the provided value. The value can be a function with signature `async function(request)` where:\n\n - `request` - the [request object](#request).\n\n - `encoding` - encoding performs on the provided value before serialization. Options are:\n\n - `'none'` - no encoding. When used, the cookie value must be a string. This is the default value.\n - `'base64'` - string value is encoded using Base64.\n - `'base64json'` - object value is JSON-stringified then encoded using Base64.\n - `'form'` - object value is encoded using the _x-www-form-urlencoded_ method.\n - `'iron'` - Encrypts and sign the value using [**iron**](https://hapi.dev/family/iron/api).\n\n - `sign` - an object used to calculate an HMAC for cookie integrity validation. This does not provide privacy, only a mean to verify that the cookie value was generated by the server. Redundant when `'iron'` encoding is used. Options are:\n\n - `integrity` - algorithm options. Defaults to [`require('iron').defaults.integrity`](https://hapi.dev/family/iron/api/#options).\n - `password` - password used for HMAC key generation (must be at least 32 characters long).\n\n - `password` - password used for `'iron'` encoding (must be at least 32 characters long).\n\n - `iron` - options for `'iron'` encoding. Defaults to [`require('iron').defaults`](https://hapi.dev/family/iron/api/#options).\n\n - `ignoreErrors` - if `true`, errors are ignored and treated as missing cookies.\n\n - `clearInvalid` - if `true`, automatically instruct the client to remove invalid cookies. Defaults to `false`.\n\n - `strictHeader` - if `false`, allows any cookie value including values in violation of [RFC 6265](https://tools.ietf.org/html/rfc6265). Defaults to `true`.\n\n - `passThrough` - used by proxy plugins (e.g. [**h2o2**](https://hapi.dev/family/h2o2/api)).\n\n - `contextualize` - a function using the signature `async function(definition, request)` used to override a request-specific cookie settings where:\n\n - `definition` - a copy of the `options` to be used for formatting the cookie that can be manipulated by the function to customize the request cookie header. Note that changing the `definition.contextualize` property will be ignored.\n - `request` - the current request object.\n\nReturn value: none.\n\nState defaults can be modified via the [server.options.state](#server.options.state) configuration\noption.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\n// Set cookie definition\n\nserver.state('session', {\n ttl: 24 * 60 * 60 * 1000, // One day\n isSecure: true,\n path: '/',\n encoding: 'base64json'\n});\n\n// Set state in route handler\n\nconst handler = function (request, h) {\n\n let session = request.state.session;\n if (!session) {\n session = { user: 'joe' };\n }\n\n session.last = Date.now();\n\n return h.response('Success').state('session', session);\n};\n```\n\nRegistered cookies are automatically parsed when received. Parsing rules depends on the route\n[`state.parse`](#route.options.state) configuration. If an incoming registered cookie fails parsing,\nit is not included in [`request.state`](#request.state), regardless of the\n[`state.failAction`](#route.options.state.failAction) setting. When [`state.failAction`](#route.options.state.failAction)\nis set to `'log'` and an invalid cookie value is received, the server will emit a\n[`'request'` event](#server.events.request). To capture these errors subscribe to the `'request'`\nevent on the `'internal'` channel and filter on `'error'` and `'state'` tags:\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nserver.events.on({ name: 'request', channels: 'internal' }, (request, event, tags) => {\n\n if (tags.error && tags.state) {\n console.error(event);\n }\n});\n```\n\n### `server.states.add(name, [options])`\n\nAccess: read only.\n\nSame as calling [`server.state()`](#server.state()).\n\n### `await server.states.format(cookies)`\n\nFormats an HTTP 'Set-Cookie' header based on the [`server.options.state`](#server.options.state)\nwhere:\n\n- `cookies` - a single object or an array of object where each contains:\n - `name` - the cookie name.\n - `value` - the cookie value.\n - `options` - cookie configuration to override the server settings.\n\nReturn value: a header string.\n\nNote that this utility uses the server configuration but does not change the server state. It is\nprovided for manual cookie formatting (e.g. when headers are set manually).\n\n### `await server.states.parse(header)`\n\nParses an HTTP 'Cookies' header based on the [`server.options.state`](#server.options.state) where:\n\n- `header` - the HTTP header.\n\nReturn value: an object where each key is a cookie name and value is the parsed cookie.\n\nNote that this utility uses the server configuration but does not change the server state. It is\nprovided for manual cookie parsing (e.g. when server parsing is disabled).\n\n### `await server.stop([options])`\n\nStops the server's listener by refusing to accept any new connections or requests (existing\nconnections will continue until closed or timeout), where:\n\n- `options` - (optional) object with:\n\n - `timeout` - sets the timeout in millisecond before forcefully terminating any open\n connections that arrived before the server stopped accepting new connections. The timeout\n only applies to waiting for existing connections to close, and not to any\n [`'onPreStop'` or `'onPostStop'` server extensions](#server.ext.args()) which can\n delay or block the stop operation indefinitely. Ignored if\n [`server.options.operations.cleanStop`](#server.options.operations) is `false`. Note that if\n the server is set as a [group controller](#server.control()), the timeout is per controlled\n server and the controlling server itself. Defaults to `5000` (5 seconds).\n\nReturn value: none.\n\n```js\nconst Hapi = require('@hapi/hapi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n await server.start();\n await server.stop({ timeout: 60 * 1000 });\n console.log('Server stopped');\n}\n```\n\n### `server.table([host])`\n\nReturns a copy of the routing table where:\n\n- `host` - (optional) host to filter routes matching a specific virtual host. Defaults to all\n virtual hosts.\n\nReturn value: an array of routes where each route contains:\n- `settings` - the route config with defaults applied.\n- `method` - the HTTP method in lower case.\n- `path` - the route path.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\nserver.route({ method: 'GET', path: '/example', handler: () => 'ok' });\n\nconst table = server.table();\n```\n\n### `server.validator(validator)`\n\nRegisters a server validation module used to compile raw validation rules into validation schemas for all routes where:\n\n- `validator` - the validation module (e.g. **joi**).\n\nReturn value: none.\n\nNote: the validator is only used when validation rules are not pre-compiled schemas. When a validation rules is a function or schema object, the rule is used as-is and the validator is not used. When setting a validator inside a plugin, the validator is only applied to routes set up by the plugin and plugins registered by it.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst Joi = require('joi');\n\nasync function example() {\n\n const server = Hapi.server({ port: 80 });\n server.validator(Joi);\n}\n```\n\n## Route options\n\nEach route can be customized to change the default behavior of the request lifecycle.\n\n### `route.options.app`\n\nApplication-specific route configuration state. Should not be used by [plugins](#plugins) which\nshould use `options.plugins[name]` instead.\n\n### `route.options.auth`\n\nRoute authentication configuration. Value can be:\n\n- `false` to disable authentication if a default strategy is set.\n\n- a string with the name of an authentication strategy registered with\n [`server.auth.strategy()`](#server.auth.strategy()). The strategy will be\n set to `'required'` mode.\n\n- an [authentication configuration object](#authentication-options).\n\n#### `route.options.auth.access`\n\nDefault value: none.\n\nAn object or array of objects specifying the route access rules. Each rule is evaluated against an\nincoming request and access is granted if at least one of the rules matches. Each rule object must\ninclude at least one of [`scope`](#route.options.auth.access.scope) or\n[`entity`](#route.options.auth.access.entity).\n\n#### `route.options.auth.access.scope`\n\nDefault value: `false` (no scope requirements).\n\nThe application scope required to access the route. Value can be a scope string or an\narray of scope strings. When authenticated, the credentials object `scope` property must contain\nat least one of the scopes defined to access the route.\n\nIf a scope string begins with a `+` character, that scope is required. If a scope string begins\nwith a `!` character, that scope is forbidden. For example, the scope `['!a', '+b', 'c', 'd']`\nmeans the incoming request credentials' `scope` must not include 'a', must include 'b', and must\ninclude one of 'c' or 'd'.\n\nYou may also access properties on the request object (`query`, `params`, `payload`, and\n`credentials`) to populate a dynamic scope by using the '{' and '}' characters around the property\nname, such as `'user-{params.id}'`.\n\n#### `route.options.auth.access.entity`\n\nDefault value: `'any'`.\n\nThe required authenticated entity type. If set, must match the `entity` value of the request\nauthenticated credentials. Available values:\n\n- `'any'` - the authentication can be on behalf of a user or application.\n- `'user'` - the authentication must be on behalf of a user which is identified by the presence of\n a `'user'` attribute in the `credentials` object returned by the authentication strategy.\n- `'app'` - the authentication must be on behalf of an application which is identified by the lack\n of presence of a `user` attribute in the `credentials` object returned by the authentication\n strategy.\n\n#### `route.options.auth.mode`\n\nDefault value: `'required'`.\n\nThe authentication mode. Available values:\n\n- `'required'` - authentication is required.\n- `'optional'` - authentication is optional - the request must include valid credentials or no\n credentials at all.\n- `'try'` - similar to `'optional'`, any request credentials are attempted authentication, but if\n the credentials are invalid, the request proceeds regardless of the authentication error.\n\n#### `route.options.auth.payload`\n\nDefault value: `false`, unless the scheme requires payload authentication.\n\nIf set, the incoming request payload is authenticated after it is processed. Requires a strategy\nwith payload authentication support (e.g. [Hawk](https://hapi.dev/family/hawk/api)). Cannot be\nset to a value other than `'required'` when the scheme sets the authentication `options.payload` to\n`true`.\n\nAvailable values:\n\n- `false` - no payload authentication.\n- `'required'` - payload authentication required.\n- `'optional'` - payload authentication performed only when the client includes payload\n authentication information (e.g. `hash` attribute in Hawk).\n\n#### `route.options.auth.strategies`\n\nDefault value: the default strategy set via [`server.auth.default()`](#server.auth.default()).\n\nAn array of string strategy names in the order they should be attempted. Cannot be used together\nwith [`strategy`](#route.options.auth.strategy).\n\n#### `route.options.auth.strategy`\n\nDefault value: the default strategy set via [`server.auth.default()`](#server.auth.default()).\n\nA string strategy names. Cannot be used together with [`strategies`](#route.options.auth.strategies).\n\n### `route.options.bind`\n\nDefault value: `null`.\n\nAn object passed back to the provided `handler` (via `this`) when called. Ignored if the method is\nan arrow function.\n\n### `route.options.cache`\n\nDefault value: `{ privacy: 'default', statuses: [200], otherwise: 'no-cache' }`.\n\nIf the route method is 'GET', the route can be configured to include HTTP caching directives in the\nresponse. Caching can be customized using an object with the following options:\n\n- `privacy` - determines the privacy flag included in client-side caching using the 'Cache-Control'\n header. Values are:\n\n - `'default'` - no privacy flag.\n - `'public'` - mark the response as suitable for public caching.\n - `'private'` - mark the response as suitable only for private caching.\n\n- `expiresIn` - relative expiration expressed in the number of milliseconds since the\n item was saved in the cache. Cannot be used together with `expiresAt`.\n\n- `expiresAt` - time of day expressed in 24h notation using the 'HH:MM' format, at which\n point all cache records for the route expire. Cannot be used together with `expiresIn`.\n\n- `statuses` - an array of HTTP response status code numbers (e.g. `200`) which are allowed to\n include a valid caching directive.\n\n- `otherwise` - a string with the value of the 'Cache-Control' header when caching is disabled.\n\nThe default `Cache-Control: no-cache` header can be disabled by setting `cache` to `false`.\n\n### `route.options.compression`\n\nAn object where each key is a content-encoding name and each value is an object with the desired\nencoder settings. Note that decoder settings are set in [`compression`](#route.options.payload.compression).\n\n### `route.options.cors`\n\nDefault value: `false` (no CORS headers).\n\nThe [Cross-Origin Resource Sharing](https://www.w3.org/TR/cors/) protocol allows browsers to make\ncross-origin API calls. CORS is required by web applications running inside a browser which are\nloaded from a different domain than the API server. To enable, set `cors` to `true`, or to an\nobject with the following options:\n\n- `origin` - an array of allowed origin servers strings ('Access-Control-Allow-Origin'). The array\n can contain any combination of fully qualified origins along with origin strings containing a\n wildcard `'*'` character, or a single `'*'` origin string. If set to `'ignore'`, any incoming\n Origin header is ignored (present or not) and the 'Access-Control-Allow-Origin' header is set to\n `'*'`. Defaults to any origin `['*']`.\n\n- `maxAge` - number of seconds the browser should cache the CORS response\n ('Access-Control-Max-Age'). The greater the value, the longer it will take before the browser\n checks for changes in policy. Defaults to `86400` (one day).\n\n- `headers` - a strings array of allowed headers ('Access-Control-Allow-Headers'). Defaults to\n `['Accept', 'Authorization', 'Content-Type', 'If-None-Match']`.\n\n- `additionalHeaders` - a strings array of additional headers to `headers`. Use this to keep the\n default headers in place.\n\n- `exposedHeaders` - a strings array of exposed headers ('Access-Control-Expose-Headers').\n Defaults to `['WWW-Authenticate', 'Server-Authorization']`.\n\n- `additionalExposedHeaders` - a strings array of additional headers to `exposedHeaders`. Use this\n to keep the default headers in place.\n\n- `credentials` - if `true`, allows user credentials to be sent\n ('Access-Control-Allow-Credentials'). Defaults to `false`.\n\n - `preflightStatusCode` - the status code used for CORS preflight responses, either `200` or `204`.\n Defaults to `200`.\n\n### `route.options.description`\n\nDefault value: none.\n\nRoute description used for generating documentation (string).\n\nThis setting is not available when setting server route defaults using\n[`server.options.routes`](#server.options.routes).\n\n### `route.options.ext`\n\nDefault value: none.\n\nRoute-level [request extension points](#request-lifecycle) by setting the option to an object with\na key for each of the desired extension points (`'onRequest'` is not allowed), and the value is the\nsame as the [`server.ext(events)`](#server.ext()) `event` argument.\n\n### `route.options.files`\n\nDefault value: `{ relativeTo: '.' }`.\n\nDefines the behavior for accessing files:\n\n- `relativeTo` - determines the folder relative paths are resolved against.\n\n### `route.options.handler`\n\nDefault value: none.\n\nThe route handler function performs the main business logic of the route and sets the response.\n`handler` can be assigned:\n\n- a [lifecycle method](#lifecycle-methods).\n\n- an object with a single property using the name of a handler type registered with the\n [`server.decorate()`](#server.decorate()) method. The matching property value is passed\n as options to the registered handler generator.\n\n```js\nconst handler = function (request, h) {\n\n return 'success';\n};\n```\n\nNote: handlers using a fat arrow style function cannot be bound to any `bind` property. Instead,\nthe bound context is available under [`h.context`](#h.context).\n\n### `route.options.id`\n\nDefault value: none.\n\nAn optional unique identifier used to look up the route using [`server.lookup()`](#server.lookup()).\nCannot be assigned to routes added with an array of methods.\n\n### `route.options.isInternal`\n\nDefault value: `false`.\n\nIf `true`, the route cannot be accessed through the HTTP listener but only through the\n[`server.inject()`](#server.inject()) interface with the `allowInternals` option set to `true`.\nUsed for internal routes that should not be accessible to the outside world.\n\n### `route.options.json`\n\nDefault value: none.\n\nOptional arguments passed to `JSON.stringify()` when converting an object or error response to a\nstring payload or escaping it after stringification. Supports the following:\n\n- `replacer` - the replacer function or array. Defaults to no action.\n\n- `space` - number of spaces to indent nested object keys. Defaults to no indentation.\n\n- `suffix` - string suffix added after conversion to JSON string. Defaults to no suffix.\n\n- `escape` - calls [`Hoek.jsonEscape()`](https://hapi.dev/family/hoek/api/#escapejsonstring)\n after conversion to JSON string. Defaults to `false`.\n\n### `route.options.log`\n\nDefault value: `{ collect: false }`.\n\nRequest logging options:\n\n- `collect` - if `true`, request-level logs (both internal and application) are collected and\n accessible via [`request.logs`](#request.logs).\n\n### `route.options.notes`\n\nDefault value: none.\n\nRoute notes used for generating documentation (string or array of strings).\n\nThis setting is not available when setting server route defaults using\n[`server.options.routes`](#server.options.routes).\n\n### `route.options.payload`\n\nDetermines how the request payload is processed.\n\n#### `route.options.payload.allow`\n\nDefault value: allows parsing of the following mime types:\n- application/json\n- application/*+json\n- application/octet-stream\n- application/x-www-form-urlencoded\n- multipart/form-data\n- text/*\n\nA string or an array of strings with the allowed mime types for the endpoint. Use this settings to\nlimit the set of allowed mime types. Note that allowing additional mime types not listed above will\nnot enable them to be parsed, and if [`parse`](#route.options.payload.parse) is `true`, the request\nwill result in an error response.\n\n#### `route.options.payload.compression`\n\nDefault value: none.\n\nAn object where each key is a content-encoding name and each value is an object with the desired\ndecoder settings. Note that encoder settings are set in [`compression`](#server.options.compression).\n\n#### `route.options.payload.defaultContentType`\n\nDefault value: `'application/json'`.\n\nThe default content type if the 'Content-Type' request header is missing.\n\n#### `route.options.payload.failAction`\n\nDefault value: `'error'` (return a Bad Request (400) error response).\n\nA [`failAction` value](#lifecycle-failAction) which determines how to handle payload parsing\nerrors.\n\n#### `route.options.payload.maxBytes`\n\nDefault value: `1048576` (1MB).\n\nLimits the size of incoming payloads to the specified byte count. Allowing very large payloads may\ncause the server to run out of memory.\n\n#### `route.options.payload.maxParts`\n\nDefault value: `1000`.\n\nLimits the number of parts allowed in multipart payloads.\n\n#### `route.options.payload.multipart`\n\nDefault value: `false`.\n\nOverrides payload processing for multipart requests. Value can be one of:\n\n- `false` - disable multipart processing (this is the default value).\n\n- `true` - enable multipart processing using the [`output`](#route.options.payload.output) value.\n\n- an object with the following required options:\n\n - `output` - same as the [`output`](#route.options.payload.output) option with an additional\n value option:\n - `annotated` - wraps each multipart part in an object with the following keys:\n\n - `headers` - the part headers.\n - `filename` - the part file name.\n - `payload` - the processed part payload.\n\n#### `route.options.payload.output`\n\nDefault value: `'data'`.\n\nThe processed payload format. The value must be one of:\n\n- `'data'` - the incoming payload is read fully into memory. If [`parse`](#route.options.payload.parse)\n is `true`, the payload is parsed (JSON, form-decoded, multipart) based on the 'Content-Type'\n header. If [`parse`](#route.options.payload.parse) is `false`, a raw `Buffer` is returned.\n\n- `'stream'` - the incoming payload is made available via a `Stream.Readable` interface. If the\n payload is 'multipart/form-data' and [`parse`](#route.options.payload.parse) is `true`, field\n values are presented as text while files are provided as streams. File streams from a\n 'multipart/form-data' upload will also have a `hapi` property containing the `filename` and\n `headers` properties. Note that payload streams for multipart payloads are a synthetic interface\n created on top of the entire multipart content loaded into memory. To avoid loading large\n multipart payloads into memory, set [`parse`](#route.options.payload.parse) to `false` and handle\n the multipart payload in the handler using a streaming parser (e.g. [**pez**](https://hapi.dev/family/pez/api)).\n\n- `'file'` - the incoming payload is written to temporary file in the directory specified by the\n [`uploads`](#route.options.payload.uploads) settings. If the payload is 'multipart/form-data' and\n [`parse`](#route.options.payload.parse) is `true`, field values are presented as text while files\n are saved to disk. Note that it is the sole responsibility of the application to clean up the\n files generated by the framework. This can be done by keeping track of which files are used (e.g.\n using the `request.app` object), and listening to the server `'response'` event to perform\n cleanup.\n\n#### `route.options.payload.override`\n\nDefault value: none.\n\nA mime type string overriding the 'Content-Type' header value received.\n\n#### `route.options.payload.parse`\n\nDefault value: `true`.\n\nDetermines if the incoming payload is processed or presented raw. Available values:\n\n- `true` - if the request 'Content-Type' matches the allowed mime types set by\n [`allow`](#route.options.payload.allow) (for the whole payload as well as parts), the payload is\n converted into an object when possible. If the format is unknown, a Bad Request (400) error\n response is sent. Any known content encoding is decoded.\n\n- `false` - the raw payload is returned unmodified.\n\n- `'gunzip'` - the raw payload is returned unmodified after any known content encoding is decoded.\n\n#### `route.options.payload.protoAction`\n\nDefault value: `'error'`.\n\nSets handling of incoming payload that may contain a prototype poisoning security attack. Available\nvalues:\n\n- `'error'` - returns a `400` bad request error when the payload contains a prototype.\n\n- `'remove'` - sanitizes the payload to remove the prototype.\n\n- `'ignore'` - disables the protection and allows the payload to pass as received. Use this option\n only when you are sure that such incoming data cannot pose any risks to your application.\n\n#### `route.options.payload.timeout`\n\nDefault value: to `10000` (10 seconds).\n\nPayload reception timeout in milliseconds. Sets the maximum time allowed for the client to transmit\nthe request payload (body) before giving up and responding with a Request Timeout (408) error\nresponse.\n\nSet to `false` to disable.\n\n#### `route.options.payload.uploads`\n\nDefault value: `os.tmpdir()`.\n\nThe directory used for writing file uploads.\n\n### `route.options.plugins`\n\nDefault value: `{}`.\n\nPlugin-specific configuration. `plugins` is an object where each key is a plugin name and the value\nis the plugin configuration.\n\n### `route.options.pre`\n\nDefault value: none.\n\nThe `pre` option allows defining methods for performing actions before the handler is called. These\nmethods allow breaking the handler logic into smaller, reusable components that can be shared\nacross routes, as well as provide a cleaner error handling of prerequisite operations (e.g. load\nrequired reference data from a database).\n\n`pre` is assigned an ordered array of methods which are called serially in order. If the `pre`\narray contains another array of methods as one of its elements, those methods are called in\nparallel. Note that during parallel execution, if any of the methods error, return a\n[takeover response](#takeover-response), or abort signal, the other parallel methods will continue\nto execute but will be ignored once completed.\n\n`pre` can be assigned a mixed array of:\n\n- an array containing the elements listed below, which are executed in parallel.\n\n- an object with:\n - `method` - a [lifecycle method](#lifecycle-methods).\n - `assign` - key name used to assign the response of the method to in [`request.pre`](#request.pre)\n and [`request.preResponses`](#request.preResponses).\n - `failAction` - A [`failAction` value](#lifecycle-failAction) which determine what to do when\n a pre-handler method throws an error. If `assign` is specified and the `failAction` setting\n is not `'error'`, the error will be assigned.\n\n- a method function - same as including an object with a single `method` key.\n\nNote that pre-handler methods do not behave the same way other [lifecycle methods](#lifecycle-methods)\ndo when a value is returned. Instead of the return value becoming the new response payload, the\nvalue is used to assign the corresponding [`request.pre`](#request.pre) and\n[`request.preResponses`](#request.preResponses) properties. Otherwise, the handling of errors,\n[takeover response](#takeover-response) response, or abort signal behave the same as any other\n[lifecycle methods](#lifecycle-methods).\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst pre1 = function (request, h) {\n\n return 'Hello';\n};\n\nconst pre2 = function (request, h) {\n\n return 'World';\n};\n\nconst pre3 = function (request, h) {\n\n return request.pre.m1 + ' ' + request.pre.m2;\n};\n\nserver.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n [\n // m1 and m2 executed in parallel\n { method: pre1, assign: 'm1' },\n { method: pre2, assign: 'm2' }\n ],\n { method: pre3, assign: 'm3' },\n ],\n handler: function (request, h) {\n\n return request.pre.m3 + '!\\n';\n }\n }\n});\n```\n\n### `route.options.response`\n\nProcessing rules for the outgoing response.\n\n#### `route.options.response.disconnectStatusCode`\n\n Default value: `499`.\n\nThe default HTTP status code used to set a response error when the request is closed or aborted\nbefore the response is fully transmitted. Value can be any integer greater or equal to `400`. The\ndefault value `499` is based on the non-standard nginx \"CLIENT CLOSED REQUEST\" error. The value is\nonly used for logging as the request has already ended.\n\n#### `route.options.response.emptyStatusCode`\n\n Default value: `204`.\n\nThe default HTTP status code when the payload is considered empty. Value can be `200` or `204`.\nNote that a `200` status code is converted to a `204` only at the time of response transmission\n(the response status code will remain `200` throughout the request lifecycle unless manually set).\n\n#### `route.options.response.failAction`\n\nDefault value: `'error'` (return an Internal Server Error (500) error response).\n\nA [`failAction` value](#lifecycle-failAction) which defines what to do when a response fails\npayload validation.\n\n#### `route.options.response.modify`\n\nDefault value: `false`.\n\nIf `true`, applies the validation rule changes to the response payload.\n\n#### `route.options.response.options`\n\nDefault value: none.\n\n[**joi**](https://joi.dev/api) options object pass to the validation function. Useful to set global options such as `stripUnknown` or `abortEarly`. If a custom validation function is defined via [`schema`](#route.options.response.schema) or [`status`](#route.options.response.status) then `options` can an arbitrary object that will be passed to this function as the second argument.\n\n#### `route.options.response.ranges`\n\nDefault value: `true`.\n\nIf `false`, payload [range](https://tools.ietf.org/html/rfc7233#section-3) support is disabled.\n\n#### `route.options.response.sample`\n\nDefault value: `100` (all responses).\n\nThe percent of response payloads validated (0 - 100). Set to `0` to disable all validation.\n\n#### `route.options.response.schema`\n\nDefault value: `true` (no validation).\n\nThe default response payload validation rules (for all non-error responses) expressed as one of:\n\n- `true` - any payload allowed (no validation).\n\n- `false` - no payload allowed.\n\n- a [**joi**](https://joi.dev/api) validation object. The [`options`](#route.options.response.options)\n along with the request context (`{ headers, params, query, payload, state, app, auth }`) are passed to\n the validation function.\n\n- a validation function using the signature `async function(value, options)` where:\n\n - `value` - the pending response payload.\n - `options` - The [`options`](#route.options.response.options) along with the request context\n (`{ headers, params, query, payload, state, app, auth }`).\n\n - if the function returns a value and [`modify`](#route.options.response.modify) is `true`,\n the value is used as the new response. If the original response is an error, the return\n value is used to override the original error `output.payload`. If an error is thrown, the\n error is processed according to [`failAction`](#route.options.response.failAction).\n\n#### `route.options.response.status`\n\nDefault value: none.\n\nValidation schemas for specific HTTP status codes. Responses (excluding errors) not matching the\nlisted status codes are validated using the default [`schema`](#route.options.response.schema).\n\n`status` is set to an object where each key is a 3 digit HTTP status code and the value has the\nsame definition as [`schema`](#route.options.response.schema).\n\n### `route.options.rules`\n\nDefault value: none.\n\nA custom rules object passed to each rules processor registered with [`server.rules()`](#server.rules()).\n\n### `route.options.security`\n\nDefault value: `false` (security headers disabled).\n\nSets common security headers. To enable, set `security` to `true` or to an object with the\nfollowing options:\n\n- `hsts` - controls the 'Strict-Transport-Security' header, where:\n\n - `true` - the header will be set to `max-age=15768000`. This is the default value.\n - a number - the maxAge parameter will be set to the provided value.\n\n - an object with the following fields:\n - `maxAge` - the max-age portion of the header, as a number. Default is `15768000`.\n - `includeSubDomains` - a boolean specifying whether to add the `includeSubDomains` flag to\n the header.\n - `preload` - a boolean specifying whether to add the `'preload'` flag (used to submit\n domains inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list) to the\n header.\n\n- `xframe` - controls the 'X-Frame-Options' header, where:\n\n - `true` - the header will be set to `'DENY'`. This is the default value.\n - `'deny'` - the headers will be set to `'DENY'`.\n - `'sameorigin'` - the headers will be set to `'SAMEORIGIN'`.\n\n - an object for specifying the 'allow-from' rule, where:\n - `rule` - one of:\n - `'deny'`\n - `'sameorigin'`\n - `'allow-from'`\n - `source` - when `rule` is `'allow-from'` this is used to form the rest of the header,\n otherwise this field is ignored. If `rule` is `'allow-from'` but `source` is unset, the\n rule will be automatically changed to `'sameorigin'`.\n\n- `xss` - controls the 'X-XSS-Protection' header, where:\n\n - `'disabled'` - the header will be set to `'0'`. This is the default value.\n - `'enabled'` - the header will be set to `'1; mode=block'`.\n - `false` - the header will be omitted.\n\n Note: when enabled, this setting can create a security vulnerabilities in versions of Internet Explorer\n below 8, unpatched versions of IE8, and browsers that employ an XSS filter/auditor. See\n [here](https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/),\n [here](https://technet.microsoft.com/library/security/ms10-002), and\n [here](https://blog.innerht.ml/the-misunderstood-x-xss-protection/) for more information.\n\n- `noOpen` - boolean controlling the 'X-Download-Options' header for Internet Explorer, preventing\n downloads from executing in your context. Defaults to `true` setting the header to `'noopen'`.\n\n- `noSniff` - boolean controlling the 'X-Content-Type-Options' header. Defaults to `true` setting\n the header to its only and default option, `'nosniff'`.\n\n- `referrer` - controls the ['Referrer-Policy'](https://www.w3.org/TR/referrer-policy/) header, which has the following possible values.\n - `false` - the 'Referrer-Policy' header will not be sent to clients with responses. This is the default value.\n - `''` - instructs clients that the Referrer-Policy will be [defined elsewhere](https://www.w3.org/TR/referrer-policy/#referrer-policy-empty-string), such as in a meta html tag.\n - `'no-referrer'` - instructs clients to never include the referrer header when making requests.\n - `'no-referrer-when-downgrade'` - instructs clients to never include the referrer when navigating from HTTPS to HTTP.\n - `'same-origin'` - instructs clients to only include the referrer on the current site origin.\n - `'origin'` - instructs clients to include the referrer but strip off path information so that the value is the current origin only.\n - `'strict-origin'` - same as `'origin'` but instructs clients to omit the referrer header when going from HTTPS to HTTP.\n - `'origin-when-cross-origin'` - instructs clients to include the full path in the referrer header for same-origin requests but only the origin components of the URL are included for cross origin requests.\n - `'strict-origin-when-cross-origin'` - same as `'origin-when-cross-origin'` but the client is instructed to omit the referrer when going from HTTPS to HTTP.\n - `'unsafe-url'` - instructs the client to always include the referrer with the full URL.\n\n### `route.options.state`\n\nDefault value: `{ parse: true, failAction: 'error' }`.\n\nHTTP state management (cookies) allows the server to store information on the client which is sent\nback to the server with every request (as defined in [RFC 6265](https://tools.ietf.org/html/rfc6265)).\n`state` supports the following options:\n\n- `parse` - determines if incoming 'Cookie' headers are parsed and stored in the\n [`request.state`](#request.state) object.\n\n- `failAction` - A [`failAction` value](#lifecycle-failAction) which determines how to handle\n cookie parsing errors. Defaults to `'error'` (return a Bad Request (400) error response).\n\n### `route.options.tags`\n\nDefault value: none.\n\nRoute tags used for generating documentation (array of strings).\n\nThis setting is not available when setting server route defaults using\n[`server.options.routes`](#server.options.routes).\n\n### `route.options.timeout`\n\nDefault value: `{ server: false }`.\n\nTimeouts for processing durations.\n\n#### `route.options.timeout.server`\n\nDefault value: `false`.\n\nResponse timeout in milliseconds. Sets the maximum time allowed for the server to respond to an\nincoming request before giving up and responding with a Service Unavailable (503) error response.\n\n#### `route.options.timeout.socket`\n\nDefault value: none (use node default of 2 minutes).\n\nBy default, node sockets automatically timeout after 2 minutes. Use this option to override this\nbehavior. Set to `false` to disable socket timeouts.\n\n### `route.options.validate`\n\nDefault value: `{ headers: true, params: true, query: true, payload: true, state: true, failAction: 'error' }`.\n\nRequest input validation rules for various request components.\n\n#### `route.options.validate.errorFields`\n\nDefault value: none.\n\nAn optional object with error fields copied into every validation error response.\n\n#### `route.options.validate.failAction`\n\nDefault value: `'error'` (return a Bad Request (400) error response).\n\nA [`failAction` value](#lifecycle-failAction) which determines how to handle failed validations.\nWhen set to a function, the `err` argument includes the type of validation error under\n`err.output.payload.validation.source`. The default error that would otherwise have been logged\n or returned can be accessed under `err.data.defaultError`.\n\n#### `route.options.validate.headers`\n\nDefault value: `true` (no validation).\n\nValidation rules for incoming request headers:\n\n- `true` - any headers allowed (no validation performed).\n\n- a [**joi**](https://joi.dev/api) validation object.\n\n- a validation function using the signature `async function(value, options)` where:\n\n - `value` - the [`request.headers`](#request.headers) object containing the request headers.\n - `options` - [`options`](#route.options.validate.options).\n - if a value is returned, the value is used as the new [`request.headers`](#request.headers)\n value and the original value is stored in [`request.orig.headers`](#request.orig).\n Otherwise, the headers are left unchanged. If an error is thrown, the error is handled\n according to [`failAction`](#route.options.validate.failAction).\n\nNote that all header field names must be in lowercase to match the headers normalized by node.\n\n#### `route.options.validate.options`\n\nDefault value: none.\n\nAn options object passed to the [**joi**](https://joi.dev/api) rules or the custom\nvalidation methods. Used for setting global options such as `stripUnknown` or `abortEarly`.\n\nIf a custom validation function (see `headers`, `params`, `query`, or `payload` above) is defined\nthen `options` can an arbitrary object that will be passed to this function as the second\nparameter.\n\nThe values of the other inputs (i.e. `headers`, `query`, `params`, `payload`, `state`, `app`, and `auth`)\nare added to the `options` object under the validation `context` (accessible in rules as\n`Joi.ref('$query.key')`).\n\nNote that validation is performed in order (i.e. headers, params, query, and payload) and if type\ncasting is used (e.g. converting a string to a number), the value of inputs not yet validated will\nreflect the raw, unvalidated and unmodified values.\n\nIf the validation rules for `headers`, `params`, `query`, and `payload` are defined at both the\nserver [`routes`](#server.options.routes) level and at the route level, the individual route\nsettings override the routes defaults (the rules are not merged).\n\n#### `route.options.validate.params`\n\nDefault value: `true` (no validation).\n\nValidation rules for incoming request path parameters, after matching the path against the route,\nextracting any parameters, and storing them in [`request.params`](#request.params), where:\n\n- `true` - any path parameter value allowed (no validation performed).\n\n- a [**joi**](https://joi.dev/api) validation object.\n\n- a validation function using the signature `async function(value, options)` where:\n\n - `value` - the [`request.params`](#request.params) object containing the request path\n parameters.\n - `options` - [`options`](#route.options.validate.options).\n - if a value is returned, the value is used as the new [`request.params`](#request.params)\n value and the original value is stored in [`request.orig.params`](#request.orig). Otherwise,\n the path parameters are left unchanged. If an error is thrown, the error is handled according\n to [`failAction`](#route.options.validate.failAction).\n\nNote that failing to match the validation rules to the route path parameters definition will cause\nall requests to fail.\n\n#### `route.options.validate.payload`\n\nDefault value: `true` (no validation).\n\nValidation rules for incoming request payload (request body), where:\n\n- `true` - any payload allowed (no validation performed).\n\n- `false` - no payload allowed.\n\n- a [**joi**](https://joi.dev/api) validation object.\n - Note that empty payloads are represented by a `null` value. If a validation schema is\n provided and empty payload are allowed, the schema must be explicitly defined by setting the\n rule to a **joi** schema with `null` allowed (e.g.\n `Joi.object({ /* keys here */ }).allow(null)`).\n\n- a validation function using the signature `async function(value, options)` where:\n\n - `value` - the [`request.payload`](#request.payload) object containing the request payload.\n - `options` - [`options`](#route.options.validate.options).\n - if a value is returned, the value is used as the new [`request.payload`](#request.payload)\n value and the original value is stored in [`request.orig.payload`](#request.orig). Otherwise,\n the payload is left unchanged. If an error is thrown, the error is handled according to\n [`failAction`](#route.options.validate.failAction).\n\nNote that validating large payloads and modifying them will cause memory duplication of the payload\n(since the original is kept), as well as the significant performance cost of validating large\namounts of data.\n\n#### `route.options.validate.query`\n\nDefault value: `true` (no validation).\n\nValidation rules for incoming request URI query component (the key-value part of the URI between\n'?' and '#'). The query is parsed into its individual key-value pairs, decoded, and stored in\n[`request.query`](#request.query) prior to validation. Where:\n\n- `true` - any query parameter value allowed (no validation performed).\n\n- `false` - no query parameter value allowed.\n\n- a [**joi**](https://joi.dev/api) validation object.\n\n- a validation function using the signature `async function(value, options)` where:\n\n - `value` - the [`request.query`](#request.query) object containing the request query\n parameters.\n - `options` - [`options`](#route.options.validate.options).\n - if a value is returned, the value is used as the new [`request.query`](#request.query) value\n and the original value is stored in [`request.orig.query`](#request.orig). Otherwise, the\n query parameters are left unchanged. If an error is thrown, the error is handled according to\n [`failAction`](#route.options.validate.failAction).\n\nNote that changes to the query parameters will not be reflected in [`request.url`](#request.url).\n\n#### `route.options.validate.state`\n\nDefault value: `true` (no validation).\n\nValidation rules for incoming cookies. The `cookie` header is parsed and decoded into the\n[`request.state`](#request.state) prior to validation. Where:\n\n- `true` - any cookie value allowed (no validation performed).\n\n- `false` - no cookies allowed.\n\n- a [**joi**](https://joi.dev/api) validation object.\n\n- a validation function using the signature `async function(value, options)` where:\n\n - `value` - the [`request.state`](#request.state) object containing all parsed cookie values.\n - `options` - [`options`](#route.options.validate.options).\n - if a value is returned, the value is used as the new [`request.state`](#request.state) value\n and the original value is stored in [`request.orig.state`](#request.orig). Otherwise, the\n cookie values are left unchanged. If an error is thrown, the error is handled according to\n [`failAction`](#route.options.validate.failAction).\n\n#### `route.options.validate.validator`\n\nDefault value: `null` (no default validator).\n\nSets a server validation module used to compile raw validation rules into validation schemas (e.g. **joi**).\n\nNote: the validator is only used when validation rules are not pre-compiled schemas. When a validation rules is a function or schema object, the rule is used as-is and the validator is not used.\n\n## Request lifecycle\n\nEach incoming request passes through the request lifecycle. The specific steps vary based on the\nserver and route configurations, but the order in which the applicable steps are executed is always\nthe same. The following is the complete list of steps a request can go through:\n\n- _**onRequest**_\n - always called when `onRequest` extensions exist.\n - the request path and method can be modified via the [`request.setUrl()`](#request.setUrl()) and [`request.setMethod()`](#request.setMethod()) methods. Changes to the request path or method will impact how the request is routed and can be used for rewrite rules.\n - [`request.payload`](#request.payload) is `undefined` and can be overridden with any non-`undefined` value to bypass payload processing.\n - [`request.route`](#request.route) is unassigned.\n - [`request.url`](#request.url) can be `null` if the incoming request path is invalid.\n - [`request.path`](#request.path) can be an invalid path.\n\n- _**Route lookup**_\n - lookup based on `request.path` and `request.method`.\n - skips to _**onPreResponse**_ if no route is found or if the path violates the HTTP\n specification.\n\n- _**Cookies processing**_\n - based on the route [`state`](#route.options.state) option.\n - error handling based on [`failAction`](#route.options.state.failAction).\n\n- _**onPreAuth**_\n - called regardless if authentication is performed.\n\n- _**Authentication**_\n - based on the route [`auth`](#route.options.auth) option.\n\n- _**Payload processing**_\n - based on the route [`payload`](#route.options.payload) option and if [`request.payload`](#request.payload) has not been overridden in _**onRequest**_.\n - error handling based on [`failAction`](#route.options.payload.failAction).\n\n- _**Payload authentication**_\n - based on the route [`auth`](#route.options.auth) option.\n\n- _**onCredentials**_\n - called only if authentication is performed.\n\n- _**Authorization**_\n - based on the route authentication [`access`](#route.options.auth.access) option.\n\n- _**onPostAuth**_\n - called regardless if authentication is performed.\n\n- _**Headers validation**_\n - based on the route [`validate.headers`](#route.options.validate.headers) option.\n - error handling based on [`failAction`](#route.options.validate.failAction).\n\n- _**Path parameters validation**_\n - based on the route [`validate.params`](#route.options.validate.params) option.\n - error handling based on [`failAction`](#route.options.validate.failAction).\n\n- _**Query validation**_\n - based on the route [`validate.query`](#route.options.validate.query) option.\n - error handling based on [`failAction`](#route.options.validate.failAction).\n\n- _**Payload validation**_\n - based on the route [`validate.payload`](#route.options.validate.payload) option.\n - error handling based on [`failAction`](#route.options.validate.failAction).\n\n- _**State validation**_\n - based on the route [`validate.state`](#route.options.validate.state) option.\n - error handling based on [`failAction`](#route.options.validate.failAction).\n\n- _**onPreHandler**_\n\n- _**Pre-handler methods**_\n - based on the route [`pre`](#route.options.pre) option.\n - error handling based on each pre-handler method's `failAction` setting.\n\n- _**Route handler**_\n - executes the route [`handler`](#route.options.handler).\n\n- _**onPostHandler**_\n - the response contained in [`request.response`](#request.response) may be modified (but not\n assigned a new value). To return a different response type (for example, replace an error\n with an HTML response), return a new response value.\n\n- _**Response validation**_\n - error handling based on [`failAction`](#route.options.response.failAction).\n\n- _**onPreResponse**_\n - always called, unless the request is aborted.\n - the response contained in [`request.response`](#request.response) may be modified (but not\n assigned a new value). To return a different response type (for example, replace an error\n with an HTML response), return a new response value. Note that any errors generated will not\n be passed back to _**onPreResponse**_ to prevent an infinite loop.\n\n- _**Response transmission**_\n - may emit a [`'request'` event](#server.events.request) on the `'error'` channel.\n\n- _**Finalize request**_\n - emits `'response'` event.\n\n- _**onPostResponse**_\n - return value is ignored since the response is already set.\n - emits a [`'request'` event](#server.events.request) on the `'error'` channel if an error is returned.\n - all extension handlers are executed even if some error.\n - note that since the handlers are executed in serial (each is `await`ed), care must be taken to avoid blocking execution if other extension handlers expect to be called immediately when the response is sent. If an _**onPostResponse**_ handler is performing IO, it should defer that activity to another tick and return immediately (either without a return value or without a promise that is solve to resolve).\n\n### Lifecycle methods\n\nLifecycle methods are the interface between the framework and the application. Many of the request\nlifecycle steps: [extensions](#server.ext()), [authentication](#authentication-scheme),\n[handlers](#route.options.handler), [pre-handler methods](#route.options.pre), and\n[`failAction` function values](#lifecycle-failAction) are lifecyle methods provided by the\ndeveloper and executed by the framework.\n\nEach lifecycle method is a function with the signature `await function(request, h, [err])` where:\n- `request` - the [request object](#request).\n- `h` - the [response toolkit](#response-toolkit) the handler must call to set a response and\n return control back to the framework.\n- `err` - an error object available only when the method is used as a\n [`failAction` value](#lifecycle-failAction).\n\nEach lifecycle method must return a value or a promise that resolves into a value. If a lifecycle\nmethod returns without a value or resolves to an `undefined` value, an Internal Server Error (500)\nerror response is sent.\n\nThe return value must be one of:\n- Plain value:\n - `null`\n - string\n - number\n - boolean\n- `Buffer` object\n- `Error` object\n - plain `Error`.\n - a [`Boom`](https://hapi.dev/family/boom/api) object.\n- `Stream` object\n - must be compatible with the \"streams2\" API and not be in `objectMode`.\n - if the stream object has a `statusCode` property, that status code will be used as\n the default response code based on the [`passThrough`](#response.settings.passThrough)\n option.\n - if the stream object has a `headers` property, the headers will be included in the response\n based on the [`passThrough`](#response.settings.passThrough) option.\n - if the stream object has a function property `setCompressor(compressor)` and the response\n passes through a compressor, a reference to the compressor stream will be passed to the\n response stream via this method.\n- any object or array\n - must not include circular references.\n- a toolkit signal:\n - [`h.abandon`](#h.abandon) - abort processing the request.\n - [`h.close`](#h.close) - abort processing the request and call `end()` to ensure the response\n is closed.\n - [`h.continue`](#h.continue) - continue processing the request lifecycle without changing the\n response.\n- a toolkit method response:\n - [`h.response()`](#h.response()) - wraps a plain response in a [response object](#response-object).\n - [`h.redirect()`](#h.redirect()) - wraps a plain response with a redirection directive.\n - [`h.authenticated()`](#h.authenticated()) - indicate request authenticated successfully\n (auth scheme only).\n - [`h.unauthenticated()`](#h.unauthenticated()) - indicate request failed to authenticate\n (auth scheme only).\n- a promise object that resolve to any of the above values\n\nAny error thrown by a lifecycle method will be used as the [response object](#response-object). While errors and valid\nvalues can be returned, it is recommended to throw errors. Throwing non-error values will generate\na Bad Implementation (500) error response.\n\n```js\nconst handler = function (request, h) {\n\n if (request.query.forbidden) {\n throw Boom.badRequest();\n }\n\n return 'success';\n};\n```\n\nIf the route has a [`bind`](#route.options.bind) option or [`server.bind()`](#server.bind()) was\ncalled, the lifecycle method will be bound to the provided context via `this` as well as accessible\nvia [`h.context`](#h.context).\n\n#### Lifecycle workflow\n\nThe flow between each lifecycle step depends on the value returned by each lifecycle method as\nfollows:\n\n- an error:\n - the lifecycle skips to the _**Response validation**_ step.\n - if returned by the _**onRequest**_ step it skips to the _**onPreResponse**_ step.\n - if returned by the _**Response validation**_ step it skips to the _**onPreResponse**_ step.\n - if returned by the _**onPreResponse**_ step it skips to the _**Response transmission**_ step.\n\n- an abort signal ([`h.abandon`](#h.abandon) or [`h.close`](#h.close)):\n - skips to the _**Finalize request**_ step.\n\n- a [`h.continue`](#h.continue) signal:\n - continues processing the request lifecycle without changing the request response.\n - cannot be used by the [`authenticate()`](#authentication-scheme) scheme method.\n\n- a [takeover response](#takeover-response):\n - overrides the request response with the provided value and skips to the\n _**Response validation**_ step.\n - if returned by the _**Response validation**_ step it skips to the _**onPreResponse**_ step.\n - if returned by the _**onPreResponse**_ step it skips to the _**Response transmission**_ step.\n\n- any other response:\n - overrides the request response with the provided value and continues processing the request\n lifecycle.\n - cannot be returned from any step prior to the _**Pre-handler methods**_ step.\n\nThe [`authenticate()`](#authentication-scheme) method has access to two additional return values:\n - [`h.authenticated()`](#h.authenticated()) - indicate request authenticated successfully.\n - [`h.unauthenticated()`](#h.unauthenticated()) - indicate request failed to authenticate.\n\nNote that these rules apply somewhat differently when used in a [pre-handler method](#route.options.pre).\n\n#### Takeover response\n\nA takeover response is a [`response object`](#response-object) on which [`response.takeover()`](#response.takever())\nwas called to signal that the [lifecycle method](#lifecycle-methods) return value should be set as\nthe response and skip to immediately validate and trasmit the value, bypassing other lifecycle\nsteps.\n\n#### `failAction` configuration\n\nVarious configuration options allows defining how errors are handled. For example, when invalid\npayload is received or malformed cookie, instead of returning an error, the framework can be\nconfigured to perform another action. When supported the `failAction` option supports the following\nvalues:\n\n- `'error'` - return the error object as the response.\n- `'log'` - report the error but continue processing the request.\n- `'ignore'` - take no action and continue processing the request.\n\n- a [lifecycle method](#lifecycle-methods) with the signature `async function(request, h, err)`\n where:\n - `request` - the [request object](#request).\n - `h` - the [response toolkit](#response-toolkit).\n - `err` - the error object.\n\n#### Errors\n\n**hapi** uses the [**boom**](https://hapi.dev/family/boom/api) error library for all its internal\nerror generation. **boom** provides an expressive interface to return HTTP errors. Any error\nthrown by a [lifecycle method](#lifecycle-methods) is converted into a **boom** object and defaults to status\ncode `500` if the error is not already a **boom** object.\n\nWhen the error is sent back to the client, the response contains a JSON object with the\n`statusCode`, `error`, and `message` keys.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst Boom = require('@hapi/boom');\n\nconst server = Hapi.server();\n\nserver.route({\n method: 'GET',\n path: '/badRequest',\n handler: function (request, h) {\n\n throw Boom.badRequest('Unsupported parameter'); // 400\n }\n});\n\nserver.route({\n method: 'GET',\n path: '/internal',\n handler: function (request, h) {\n\n throw new Error('unexpect error'); // 500\n }\n});\n```\n\n##### Error transformation\n\nErrors can be customized by changing their `output` content. The **boom** error object includes the\nfollowing properties:\n\n- `isBoom` - if `true`, indicates this is a `Boom` object instance.\n\n- `message` - the error message.\n\n- `output` - the formatted response. Can be directly manipulated after object construction to\n return a custom error response. Allowed root keys:\n\n - `statusCode` - the HTTP status code (typically 4xx or 5xx).\n\n - `headers` - an object containing any HTTP headers where each key is a header name and value\n is the header content.\n\n - `payload` - the formatted object used as the response payload. Can be directly\n manipulated but any changes will be lost\n if `reformat()` is called. Any content allowed and by default includes the following content:\n\n - `statusCode` - the HTTP status code, derived from `error.output.statusCode`.\n\n - `error` - the HTTP status message (e.g. 'Bad Request', 'Internal Server Error') derived\n from `statusCode`.\n\n - `message` - the error message derived from `error.message`.\n\n- inherited `Error` properties.\n\nIt also supports the following method:\n\n- `reformat()` - rebuilds `error.output` using the other object properties.\n\n```js\nconst Boom = require('@hapi/boom');\n\nconst handler = function (request, h) {\n\n const error = Boom.badRequest('Cannot feed after midnight');\n error.output.statusCode = 499; // Assign a custom error code\n error.reformat();\n error.output.payload.custom = 'abc_123'; // Add custom key\n throw error;\n});\n```\n\nWhen a different error representation is desired, such as an HTML page or a different payload\nformat, the `'onPreResponse'` extension point may be used to identify errors and replace them with\na different [response object](#response-object), as in this example using [Vision's](https://hapi.dev/family/vision/api)\n`.view()` [response toolkit](#response-toolkit) property.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst Vision = require('@hapi/vision');\n\nconst server = Hapi.server({ port: 80 });\nserver.register(Vision, (err) => {\n server.views({\n engines: {\n html: require('handlebars')\n }\n });\n});\n\nconst preResponse = function (request, h) {\n\n const response = request.response;\n if (!response.isBoom) {\n return h.continue;\n }\n\n // Replace error with friendly HTML\n\n const error = response;\n const ctx = {\n message: (error.output.statusCode === 404 ? 'page not found' : 'something went wrong')\n };\n\n return h.view('error', ctx).code(error.output.statusCode);\n};\n\nserver.ext('onPreResponse', preResponse);\n```\n\n### Response Toolkit\n\nAccess: read only.\n\nThe response toolkit is a collection of properties and utilities passed to every\n[lifecycle method](#lifecycle-methods). It is somewhat hard to define as it provides both\nutilities for manipulating responses as well as other information. Since the toolkit is passed\nas a function argument, developers can name it whatever they want. For the purpose of this document\nthe `h` notation is used. It is named in the spirit of the RethinkDB `r` method, with `h` for\n**h**api.\n\n#### Toolkit properties\n\n##### `h.abandon`\n\nAccess: read only.\n\nA response symbol. When returned by a lifecycle method, the request lifecycle skips to the\nfinalizing step without further interaction with the node response stream. It is the developer's\nresponsibility to write and end the response directly via [`request.raw.res`](#request.raw).\n\n##### `h.close`\n\nAccess: read only.\n\nA response symbol. When returned by a lifecycle method, the request lifecycle skips to the\nfinalizing step after calling `request.raw.res.end())` to close the node response stream.\n\n##### `h.context`\n\nAccess: read / write (will impact the shared context if the object is modified).\n\nA response symbol. Provides access to the route or server context set via the route\n[`bind`](#route.options.bind) option or [`server.bind()`](#server.bind()).\n\n##### `h.continue`\n\nAccess: read only.\n\nA response symbol. When returned by a lifecycle method, the request lifecycle continues without\nchanging the response.\n\n##### `h.realm`\n\nAccess: read only.\n\nThe [server realm](#server.realm) associated with the matching route. Defaults to the root server\nrealm in the _**onRequest**_ step.\n\n##### `h.request`\n\nAccess: read only and public request interface.\n\nThe [request] object. This is a duplication of the `request` lifecycle method argument used by\n[toolkit decorations](#server.decorate()) to access the current request.\n\n#### `h.authenticated(data)`\n\nUsed by the [authentication] method to pass back valid credentials where:\n\n- `data` - an object with:\n\n - `credentials` - (required) object representing the authenticated entity.\n - `artifacts` - (optional) authentication artifacts object specific to the authentication\n scheme.\n\nReturn value: an internal authentication object.\n\n#### `h.entity(options)`\n\nSets the response 'ETag' and 'Last-Modified' headers and checks for any conditional request headers\nto decide if the response is going to qualify for an HTTP 304 (Not Modified). If the entity values\nmatch the request conditions, `h.entity()` returns a [response object](#response-object) for the lifecycle method to\nreturn as its value which will set a 304 response. Otherwise, it sets the provided entity headers\nand returns `undefined`. The method arguments are:\n\n- `options` - a required configuration object with:\n - `etag` - the ETag string. Required if `modified` is not present. Defaults to no header.\n - `modified` - the Last-Modified header value. Required if `etag` is not present. Defaults to\n no header.\n - `vary` - same as the [`response.etag()`](#response.etag()) option. Defaults to `true`.\n\nReturn value:\n - a [response object](#response-object) if the response is unmodified.\n - `undefined` if the response has changed.\n\nIf `undefined` is returned, the developer must return a valid lifecycle method value. If a response\nis returned, it should be used as the return value (but may be customize using the response\nmethods).\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nserver.route({\n method: 'GET',\n path: '/',\n options: {\n cache: { expiresIn: 5000 },\n handler: function (request, h) {\n\n const response = h.entity({ etag: 'abc' });\n if (response) {\n response.header('X', 'y');\n return response;\n }\n\n return 'ok';\n }\n }\n});\n```\n\n#### `h.redirect(uri)`\n\nRedirects the client to the specified uri. Same as calling `h.response().redirect(uri)`.\n\nReturns a [response object](#response-object).\n\n```js\nconst handler = function (request, h) {\n\n return h.redirect('http://example.com');\n};\n```\n\n#### `h.response([value])`\n\nWraps the provided value and returns a [`response`](#response-object) object which allows\ncustomizing the response (e.g. setting the HTTP status code, custom headers, etc.), where:\n\n- `value` - (optional) return value. Defaults to `null`.\n\nReturns a [response object](#response-object).\n\n```js\n// Detailed notation\n\nconst handler = function (request, h) {\n\n const response = h.response('success');\n response.type('text/plain');\n response.header('X-Custom', 'some-value');\n return response;\n};\n\n// Chained notation\n\nconst handler = function (request, h) {\n\n return h.response('success')\n .type('text/plain')\n .header('X-Custom', 'some-value');\n};\n```\n\n#### `h.state(name, value, [options])`\n\nSets a response cookie using the same arguments as [`response.state()`](#response.state()).\n\nReturn value: none.\n\n```js\nconst ext = function (request, h) {\n\n h.state('cookie-name', 'value');\n return h.continue;\n};\n```\n\n#### `h.unauthenticated(error, [data])`\n\nUsed by the [authentication] method to indicate authentication failed and pass back the credentials\nreceived where:\n- `error` - (required) the authentication error.\n- `data` - (optional) an object with:\n - `credentials` - (required) object representing the authenticated entity.\n - `artifacts` - (optional) authentication artifacts object specific to the authentication\n scheme.\n\nThe method is used to pass both the authentication error and the credentials. For example, if a\nrequest included expired credentials, it allows the method to pass back the user information\n(combined with a `'try'` authentication [`mode`](#route.options.auth.mode)) for error customization.\n\nThere is no difference between throwing the error or passing it with the `h.unauthenticated()`\nmethod if no credentials are passed, but it might still be helpful for code clarity.\n\n#### `h.unstate(name, [options])`\n\nClears a response cookie using the same arguments as [`response.unstate()`](#response.unstate()).\n\n```js\nconst ext = function (request, h) {\n\n h.unstate('cookie-name');\n return h.continue;\n};\n```\n\n### Response object\n\nThe response object contains the request response value along with various HTTP headers and flags.\nWhen a [lifecycle method](#lifecycle-methods) returns a value, the value is wrapped in a response\nobject along with some default flags (e.g. `200` status code). In order to customize a response\nbefore it is returned, the [`h.response()`](#h.response()) method is provided.\n\n#### Response properties\n\n##### `response.app`\n\nAccess: read / write.\n\nDefault value: `{}`.\n\nApplication-specific state. Provides a safe place to store application data without potential\nconflicts with the framework. Should not be used by [plugins](#plugins) which should use\n[`plugins[name]`](#response.plugins).\n\n##### `response.contentType`\n\nAccess: read.\n\nDefault value: none.\n\nProvides a preview of the response HTTP Content-Type header based on the implicit response type, any explicit Content-Type header set, and any content character-set defined. The returned value is only a preview as the content type can change later both internally and by user code (it represents current response state). The value is `null` if no implicit type can be determined.\n\n##### `response.events`\n\nAccess: read only and the public **podium** interface.\n\nThe `response.events` object supports the following events:\n\n- `'peek'` - emitted for each chunk of data written back to the client connection. The event method\n signature is `function(chunk, encoding)`.\n\n- `'finish'` - emitted when the response finished writing but before the client response connection\n is ended. The event method signature is `function ()`.\n\n```js\nconst Crypto = require('crypto');\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst preResponse = function (request, h) {\n\n const response = request.response;\n if (response.isBoom) {\n return null;\n }\n\n const hash = Crypto.createHash('sha1');\n response.events.on('peek', (chunk) => {\n\n hash.update(chunk);\n });\n\n response.events.once('finish', () => {\n\n console.log(hash.digest('hex'));\n });\n\n return h.continue;\n};\n\nserver.ext('onPreResponse', preResponse);\n```\n\n##### `response.headers`\n\nAccess: read only.\n\nDefault value: `{}`.\n\nAn object containing the response headers where each key is a header field name and the value is\nthe string header value or array of string.\n\nNote that this is an incomplete list of headers to be included with the response. Additional\nheaders will be added once the response is prepared for transmission.\n\n##### `response.plugins`\n\nAccess: read / write.\n\nDefault value: `{}`.\n\nPlugin-specific state. Provides a place to store and pass request-level plugin data. `plugins` is\nan object where each key is a plugin name and the value is the state.\n\n##### `response.settings`\n\nAccess: read only.\n\nObject containing the response handling flags.\n\n###### `response.settings.passThrough`\n\nAccess: read only.\n\nDefaults value: `true`.\n\nIf `true` and [`source`](#response.source) is a `Stream`, copies the `statusCode` and `headers`\nproperties of the stream object to the outbound response.\n\n###### `response.settings.stringify`\n\nAccess: read only.\n\nDefault value: `null` (use route defaults).\n\nOverride the route [`json`](#route.options.json) options used when [`source`](#response.source)\nvalue requires stringification.\n\n###### `response.settings.ttl`\n\nAccess: read only.\n\nDefault value: `null` (use route defaults).\n\nIf set, overrides the route [`cache`](#route.options.cache) with an expiration value in\nmilliseconds.\n\n###### `response.settings.varyEtag`\n\nDefault value: `false`.\n\nIf `true`, a suffix will be automatically added to the 'ETag' header at transmission time\n(separated by a `'-'` character) when the HTTP 'Vary' header is present.\n\n##### `response.source`\n\nAccess: read only.\n\nThe raw value returned by the [lifecycle method](#lifecycle-methods).\n\n##### `response.statusCode`\n\nAccess: read only.\n\nDefault value: `200`.\n\nThe HTTP response status code.\n\n##### `response.variety`\n\nAccess: read only.\n\nA string indicating the type of [`source`](#response.source) with available values:\n\n- `'plain'` - a plain response such as string, number, `null`, or simple object.\n- `'buffer'` - a `Buffer`.\n- `'stream'` - a `Stream`.\n\n#### `response.bytes(length)`\n\nSets the HTTP 'Content-Length' header (to avoid chunked transfer encoding) where:\n\n- `length` - the header value. Must match the actual payload size.\n\nReturn value: the current response object.\n\n#### `response.charset(charset)`\n\nSets the 'Content-Type' HTTP header 'charset' property where:\n\n- `charset` - the charset property value. When `charset` value is falsy, it will prevent hapi from using its default charset setting.\n\nReturn value: the current response object.\n\n#### `response.code(statusCode)`\n\nSets the HTTP status code where:\n\n- `statusCode` - the HTTP status code (e.g. 200).\n\nReturn value: the current response object.\n\n#### `response.message(httpMessage)`\n\nSets the HTTP status message where:\n\n- `httpMessage` - the HTTP status message (e.g. 'Ok' for status code 200).\n\nReturn value: the current response object.\n\n#### `response.compressed(encoding)`\n\nSets the HTTP 'content-encoding' header where:\n\n- `encoding` - the header value string.\n\nReturn value: the current response object.\n\nNote that setting content encoding via this method does not set a 'vary' HTTP header with 'accept-encoding' value. To vary the response, use the `response.header()` method instead.\n\n#### `response.created(uri)`\n\nSets the HTTP status code to Created (201) and the HTTP 'Location' header where:\n\n- `uri` - an absolute or relative URI used as the 'Location' header value.\n\nReturn value: the current response object.\n\n#### `response.encoding(encoding)`\n\nSets the string encoding scheme used to serial data into the HTTP payload where:\n- `encoding` - the encoding property value (see [node Buffer encoding](https://nodejs.org/api/buffer.html#buffer_buffers_and_character_encodings)).\n\nReturn value: the current response object.\n\n#### `response.etag(tag, options)`\n\nSets the representation [entity tag](https://tools.ietf.org/html/rfc7232#section-2.3) where:\n\n- `tag` - the entity tag string without the double-quote.\n\n- `options` - (optional) settings where:\n\n - `weak` - if `true`, the tag will be prefixed with the `'W/'` weak signifier. Weak tags will\n fail to match identical tags for the purpose of determining 304 response status. Defaults to\n `false`.\n\n - `vary` - if `true` and content encoding is set or applied to the response (e.g 'gzip' or\n 'deflate'), the encoding name will be automatically added to the tag at transmission time\n (separated by a `'-'` character). Ignored when `weak` is `true`. Defaults to `true`.\n\nReturn value: the current response object.\n\n#### `response.header(name, value, options)`\n\nSets an HTTP header where:\n\n- `name` - the header name.\n\n- `value` - the header value.\n\n- `options` - (optional) object where:\n\n - `append` - if `true`, the value is appended to any existing header value using `separator`.\n Defaults to `false`.\n\n - `separator` - string used as separator when appending to an existing value. Defaults to `','`.\n\n - `override` - if `false`, the header value is not set if an existing value present. Defaults\n to `true`.\n\n - `duplicate` - if `false`, the header value is not modified if the provided value is already\n included. Does not apply when `append` is `false` or if the `name` is `'set-cookie'`.\n Defaults to `true`.\n\nReturn value: the current response object.\n\n#### `response.location(uri)`\n\nSets the HTTP 'Location' header where:\n\n- `uri` - an absolute or relative URI used as the 'Location' header value.\n\nReturn value: the current response object.\n\n#### `response.redirect(uri)`\n\nSets an HTTP redirection response (302) and decorates the response with additional methods, where:\n\n- `uri` - an absolute or relative URI used to redirect the client to another resource.\n\nReturn value: the current response object.\n\nDecorates the response object with the [`response.temporary()`](#response.temporary()),\n[`response.permanent()`](#response.permanent()), and [`response.rewritable()`](#response.rewritable())\nmethods to easily change the default redirection code (302).\n\n| | Permanent | Temporary |\n| -------------- | ---------- | --------- |\n| Rewritable | 301 | 302 |\n| Non-rewritable | 308 | 307 |\n\n#### `response.replacer(method)`\n\nSets the `JSON.stringify()` `replacer` argument where:\n\n- `method` - the replacer function or array. Defaults to none.\n\nReturn value: the current response object.\n\n#### `response.spaces(count)`\n\nSets the `JSON.stringify()` `space` argument where:\n\n- `count` - the number of spaces to indent nested object keys. Defaults to no indentation.\n\nReturn value: the current response object.\n\n#### `response.state(name, value, [options])`\n\nSets an HTTP cookie where:\n\n- `name` - the cookie name.\n\n- `value` - the cookie value. If no `options.encoding` is defined, must be a string. See\n [`server.state()`](#server.state()) for supported `encoding` values.\n\n- `options` - (optional) configuration. If the state was previously registered with the server\n using [`server.state()`](#server.state()), the specified keys in `options` are merged with the\n default server definition.\n\nReturn value: the current response object.\n\n#### `response.suffix(suffix)`\n\nSets a string suffix when the response is process via `JSON.stringify()` where:\n\n- `suffix` - the string suffix.\n\nReturn value: the current response object.\n\n#### `response.ttl(msec)`\n\nOverrides the default route cache expiration rule for this response instance where:\n\n- `msec` - the time-to-live value in milliseconds.\n\nReturn value: the current response object.\n\n#### `response.type(mimeType)`\n\nSets the HTTP 'Content-Type' header where:\n\n- `mimeType` - is the mime type.\n\nReturn value: the current response object.\n\nShould only be used to override the built-in default for each response type.\n\n#### `response.unstate(name, [options])`\n\nClears the HTTP cookie by setting an expired value where:\n- `name` - the cookie name.\n- `options` - (optional) configuration for expiring cookie. If the state was previously registered\n with the server using [`server.state()`](#serverstatename-options), the specified `options` are\n merged with the server definition.\n\nReturn value: the current response object.\n\n#### `response.vary(header)`\n\nAdds the provided header to the list of inputs affected the response generation via the HTTP 'Vary'\nheader where:\n\n- `header` - the HTTP request header name.\n\nReturn value: the current response object.\n\n#### `response.takeover()`\n\nMarks the response object as a [takeover response](#takeover-response).\n\nReturn value: the current response object.\n\n#### `response.temporary(isTemporary)`\n\nSets the status code to `302` or `307` (based on the [`response.rewritable()`](#response.rewriteable())\nsetting) where:\n\n- `isTemporary` - if `false`, sets status to permanent. Defaults to `true`.\n\nReturn value: the current response object.\n\nOnly available after calling the [`response.redirect()`](#response.redirect()) method.\n\n#### `response.permanent(isPermanent)`\n\nSets the status code to `301` or `308` (based on the [`response.rewritable()`](#response.rewritable())\nsetting) where:\n\n- `isPermanent` - if `false`, sets status to temporary. Defaults to `true`.\n\nReturn value: the current response object.\n\nOnly available after calling the [`response.redirect()`](#response.redirect()) method.\n\n#### `response.rewritable(isRewritable)`\n\nSets the status code to `301`/`302` for rewritable (allows changing the request method from 'POST'\nto 'GET') or `307`/`308` for non-rewritable (does not allow changing the request method from 'POST'\nto 'GET'). Exact code based on the [`response.temporary()`](#response.temporary()) or\n[`response.permanent()`](#response.permanent()) setting. Arguments:\n\n- `isRewritable` - if `false`, sets to non-rewritable. Defaults to `true`.\n\nReturn value: the current response object.\n\nOnly available after calling the [`response.redirect()`](#response.redirect()) method.\n\n## Request\n\nThe request object is created internally for each incoming request. It is not the same object\nreceived from the node HTTP server callback (which is available via [`request.raw.req`](#request.raw)).\nThe request properties change throughout the [request lifecycle](#request-lifecycle).\n\n### Request properties\n\n#### `request.app`\n\nAccess: read / write.\n\nApplication-specific state. Provides a safe place to store application data without potential\nconflicts with the framework. Should not be used by [plugins](#plugins) which should use\n`plugins[name]`.\n\n#### `request.auth`\n\nAccess: read only.\n\nAuthentication information:\n\n- `artifacts` - an artifact object received from the authentication strategy and used in\n authentication-related actions.\n\n- `credentials` - the `credential` object received during the authentication process. The\n presence of an object does not mean successful authentication.\n\n- `error` - the authentication error if failed and mode set to `'try'`.\n\n- `isAuthenticated` - `true` if the request has been successfully authenticated, otherwise `false`.\n\n- `isAuthorized` - `true` is the request has been successfully authorized against the route\n authentication [`access`](#route.options.auth.access) configuration. If the route has not\n access rules defined or if the request failed authorization, set to `false`.\n\n- `isInjected` - `true` if the request has been authenticated via the\n [`server.inject()`](#server.inject()) `auth` option, otherwise `undefined`.\n\n- `mode` - the route authentication mode.\n\n- `strategy` - the name of the strategy used.\n\n#### `request.events`\n\nAccess: read only and the public **podium** interface.\n\nThe `request.events` supports the following events:\n\n- `'peek'` - emitted for each chunk of payload data read from the client connection. The event\n method signature is `function(chunk, encoding)`.\n\n- `'finish'` - emitted when the request payload finished reading. The event method signature is\n `function ()`.\n\n- `'disconnect'` - emitted when a request errors or aborts unexpectedly.\n\n```js\nconst Crypto = require('crypto');\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst onRequest = function (request, h) {\n\n const hash = Crypto.createHash('sha1');\n request.events.on('peek', (chunk) => {\n\n hash.update(chunk);\n });\n\n request.events.once('finish', () => {\n\n console.log(hash.digest('hex'));\n });\n\n request.events.once('disconnect', () => {\n\n console.error('request aborted');\n });\n\n return h.continue;\n};\n\nserver.ext('onRequest', onRequest);\n```\n\n#### `request.headers`\n\nAccess: read only.\n\nThe raw request headers (references `request.raw.req.headers`).\n\n#### `request.info`\n\nAccess: read only.\n\nRequest information:\n\n- `acceptEncoding` - the request preferred encoding.\n\n- `completed` - request processing completion timestamp (`0` is still processing).\n\n- `cors` - request CORS information (available only after the `'onRequest'` extension point as CORS\n is configured per-route and no routing decisions are made at that point in the request\n lifecycle), where:\n - `isOriginMatch` - `true` if the request 'Origin' header matches the configured CORS\n restrictions. Set to `false` if no 'Origin' header is found or if it does not match.\n\n- `host` - content of the HTTP 'Host' header (e.g. 'example.com:8080').\n\n- `hostname` - the hostname part of the 'Host' header (e.g. 'example.com').\n\n- `id` - a unique request identifier (using the format '{now}:{server.info.id}:{5 digits counter}').\n\n- `received` - request reception timestamp.\n\n- `referrer` - content of the HTTP 'Referrer' (or 'Referer') header.\n\n- `remoteAddress` - remote client IP address.\n\n- `remotePort` - remote client port.\n\n- `responded` - request response timestamp (`0` is not responded yet or response failed when `completed` is set).\n\nNote that the `request.info` object is not meant to be modified.\n\n#### `request.isInjected`\n\nAccess: read only.\n\n`true` if the request was created via [`server.inject()`](#server.inject()), and `false` otherwise.\n\n#### `request.logs`\n\nAccess: read only.\n\nAn array containing the logged request events.\n\nNote that this array will be empty if route [`log.collect`](#route.options.log) is set to `false`.\n\n#### `request.method`\n\nAccess: read only.\n\nThe request method in lower case (e.g. `'get'`, `'post'`).\n\n#### `request.mime`\n\nAccess: read only.\n\nThe parsed content-type header. Only available when payload parsing enabled and no payload error occurred.\n\n#### `request.orig`\n\nAccess: read only.\n\nAn object containing the values of `params`, `query`, `payload` and `state` before any validation modifications made. Only set when input validation is performed.\n\n#### `request.params`\n\nAccess: read only.\n\nAn object where each key is a path parameter name with matching value as described in [Path parameters](#path-parameters).\n\n#### `request.paramsArray`\n\nAccess: read only.\n\nAn array containing all the path `params` values in the order they appeared in the path.\n\n#### `request.path`\n\nAccess: read only.\n\nThe request URI's [pathname](https://nodejs.org/api/url.html#url_urlobject_pathname) component.\n\n#### `request.payload`\n\nAccess: read only / write in `'onRequest'` extension method.\n\nThe request payload based on the route `payload.output` and `payload.parse` settings. Set to `undefined` in `'onRequest'` extension methods and can be overridden to any non-`undefined` value to bypass payload processing.\n\n#### `request.plugins`\n\nAccess: read / write.\n\nPlugin-specific state. Provides a place to store and pass request-level plugin data. The `plugins` is an object where each key is a plugin name and the value is the state.\n\n#### `request.pre`\n\nAccess: read only.\n\nAn object where each key is the name assigned by a [route pre-handler methods](#route.options.pre) function. The values are the raw values provided to the continuation function as argument. For the wrapped response object, use `responses`.\n\n#### `request.response`\n\nAccess: read / write (see limitations below).\n\nThe response object when set. The object can be modified but must not be assigned another object. To replace the response with another from within an [extension point](#server.ext()), return a new response value. Contains an error when a request terminates prematurely when the client disconnects.\n\n#### `request.preResponses`\n\nAccess: read only.\n\nSame as `pre` but represented as the response object created by the pre method.\n\n#### `request.query`\n\nAccess: read only.\n\nAn object where each key is a query parameter name and each matching value is the parameter value or an array of values if a parameter repeats. Can be modified indirectly via [request.setUrl](#request.setUrl()).\n\n#### `request.raw`\n\nAccess: read only.\n\nAn object containing the Node HTTP server objects. **Direct interaction with these raw objects is not recommended.**\n- `req` - the node request object.\n- `res` - the node response object.\n\n#### `request.route`\n\nAccess: read only.\n\nThe request route information object, where:\n- `method` - the route HTTP method.\n- `path` - the route path.\n- `vhost` - the route vhost option if configured.\n- `realm` - the [active realm](#server.realm) associated with the route.\n- `settings` - the [route options](#route-options) object with all defaults applied.\n- `fingerprint` - the route internal normalized string representing the normalized path.\n\n#### `request.server`\n\nAccess: read only and the public server interface.\n\nThe server object.\n\n#### `request.state`\n\nAccess: read only.\n\nAn object containing parsed HTTP state information (cookies) where each key is the cookie name and value is the matching cookie content after processing using any registered cookie definition.\n\n#### `request.url`\n\nAccess: read only.\n\nThe parsed request URI.\n\n### `request.generateResponse(source, [options])`\n\nReturns a [`response`](#response-object) which you can pass to [h.response()](#h.response()) where:\n- `source` - the value to set as the source of [h.response()](#h.response()), optional.\n- `options` - optional object with the following optional properties:\n - `variety` - a sting name of the response type (e.g. `'file'`).\n - `prepare` - a function with the signature `async function(response)` used to prepare the response after it is returned by a [lifecycle method](#lifecycle-methods) such as setting a file descriptor, where:\n - `response` - the response object being prepared.\n - must return the prepared response object (`response`).\n - may throw an error which is used as the prepared response.\n - `marshal` - a function with the signature `async function(response)` used to prepare the response for transmission to the client before it is sent, where:\n - `response` - the response object being marshaled.\n - must return the prepared value (not as response object) which can be any value accepted by the [`h.response()`](#h.response()) `value` argument.\n - may throw an error which is used as the marshaled value.\n - `close` - a function with the signature `function(response)` used to close the resources opened by the response object (e.g. file handlers), where:\n - `response` - the response object being marshaled.\n - should not throw errors (which are logged but otherwise ignored).\n\n### `request.active()`\n\nReturns `true` when the request is active and processing should continue and `false` when the request terminated early or completed its lifecycle. Useful when request processing is a resource-intensive operation and should be terminated early if the request is no longer active (e.g. client disconnected or aborted early).\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nserver.route({\n method: 'POST',\n path: '/worker',\n handler: function (request, h) {\n\n // Do some work...\n\n // Check if request is still active\n if (!request.active()) {\n return h.close;\n }\n\n // Do some more work...\n\n return null;\n }\n});\n```\n\n### `request.log(tags, [data])`\n\nLogs request-specific events. When called, the server emits a [`'request'` event](#server.events.request)\non the `'app'` channel which can be used by other listeners or [plugins](#plugins). The arguments\nare:\n- `tags` - a string or an array of strings (e.g. `['error', 'database', 'read']`) used to identify\n the event. Tags are used instead of log levels and provide a much more expressive mechanism for\n describing and filtering events.\n- `data` - (optional) an message string or object with the application data being logged. If `data`\n is a function, the function signature is `function()` and it called once to generate (return\n value) the actual data emitted to the listeners.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80, routes: { log: { collect: true } } });\n\nserver.events.on({ name: 'request', channels: 'app' }, (request, event, tags) => {\n\n if (tags.error) {\n console.log(event);\n }\n});\n\nconst handler = function (request, h) {\n\n request.log(['test', 'error'], 'Test event');\n return null;\n};\n```\n\nNote that any logs generated by the server internally will be emitted using the\n[`'request'` event](#server.events.request) on the `'internal'` channel.\n\n```js\nserver.events.on({ name: 'request', channels: 'internal' }, (request, event, tags) => {\n\n console.log(event);\n});\n```\n\n### `request.route.auth.access(request)`\n\nValidates a request against the route's authentication [`access`](#route.options.auth.access)\nconfiguration, where:\n\n- `request` - the [request object](#request).\n\nReturn value: `true` if the `request` would have passed the route's access requirements.\n\nNote that the route's authentication mode and strategies are ignored. The only match is made\nbetween the `request.auth.credentials` scope and entity information and the route\n[`access`](#route.options.auth.access) configuration.\n\nIf the route uses dynamic scopes, the scopes are constructed against the [`request.query`](#request.query),\n[`request.params`](#request.params), [`request.payload`](#request.payload), and\n[`request.auth.credentials`](#request.auth) which may or may not match between the route and the\nrequest's route. If this method is called using a request that has not been authenticated (yet or\nnot at all), it will return `false` if the route requires any authentication.\n\n### `request.setMethod(method)`\n\nChanges the request method before the router begins processing the request where:\n- `method` - is the request HTTP method (e.g. `'GET'`).\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst onRequest = function (request, h) {\n\n // Change all requests to 'GET'\n request.setMethod('GET');\n return h.continue;\n};\n\nserver.ext('onRequest', onRequest);\n```\n\nCan only be called from an `'onRequest'` extension method.\n\n### `request.setUrl(url, [stripTrailingSlash]`\n\nChanges the request URI before the router begins processing the request where:\n- `url` - the new request URI. `url` can be a string or an instance of\n [`Url.URL`](https://nodejs.org/dist/latest-v10.x/docs/api/url.html#url_class_url) in which case\n `url.href` is used.\n- `stripTrailingSlash` - if `true`, strip the trailing slash from the path. Defaults to `false`.\n\n```js\nconst Hapi = require('@hapi/hapi');\nconst server = Hapi.server({ port: 80 });\n\nconst onRequest = function (request, h) {\n\n // Change all requests to '/test'\n request.setUrl('/test');\n return h.continue;\n};\n\nserver.ext('onRequest', onRequest);\n```\n\nCan only be called from an `'onRequest'` extension method.\n\n## Plugins\n\nPlugins provide a way to organize application code by splitting the server logic into smaller\ncomponents. Each plugin can manipulate the server through the standard server interface, but with\nthe added ability to sandbox certain properties. For example, setting a file path in one plugin\ndoesn't affect the file path set in another plugin.\n\nA plugin is an object with the following properties:\n\n- `register` - (required) the registration function with the signature\n `async function(server, options)` where:\n\n - `server` - the server object with a plugin-specific [`server.realm`](#server.realm).\n - `options` - any options passed to the plugin during registration via [`server.register()`](#server.register()).\n\n- `name` - (required) the plugin name string. The name is used as a unique key. Published plugins\n (e.g. published in the npm registry) should use the same name as the name field in their\n 'package.json' file. Names must be unique within each application.\n\n- `version` - (optional) plugin version string. The version is only used informatively to enable\n other plugins to find out the versions loaded. The version should be the same as the one\n specified in the plugin's 'package.json' file.\n\n- `multiple` - (optional) if `true`, allows the plugin to be registered multiple times with the same server.\n Defaults to `false`.\n\n- `dependencies` - (optional) a string or an array of strings indicating a plugin dependency. Same\n as setting dependencies via [`server.dependency()`](#server.dependency()).\n\n- `requirements` - (optional) object declaring the plugin supported [semver range](https://semver.org/) for:\n\n - `node` runtime [semver range](https://nodejs.org/en/about/releases/) string.\n - `hapi` framework [semver range](#server.version) string.\n\n- `once` - (optional) if `true`, will only register the plugin once per server. If set, overrides\n the `once` option passed to [`server.register()`](#server.register()). Defaults to no override.\n\n```js\nconst plugin = {\n name: 'test',\n version: '1.0.0',\n register: function (server, options) {\n\n server.route({\n method: 'GET',\n path: '/test',\n handler: function (request, h) {\n\n return 'ok';\n }\n });\n }\n};\n```\n\nAlternatively, the `name` and `version` can be included via the `pkg` property containing the\n'package.json' file for the module which already has the name and version included:\n\n```js\nconst plugin = {\n pkg: require('./package.json'),\n register: function (server, options) {\n\n server.route({\n method: 'GET',\n path: '/test',\n handler: function (request, h) {\n\n return 'ok';\n }\n });\n }\n};\n```\n" }, { "path": "LICENSE.md", "content": "Copyright (c) 2011-2022, Project contributors\nCopyright (c) 2011-2020, Sideway Inc\nCopyright (c) 2011-2014, Walmart \nCopyright (c) 2011, Yahoo Inc. \nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\n- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\n- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\n- The names of any contributors may not be used to endorse or promote products derived from this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS OFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n" }, { "path": "README.md", "content": "\n\n# @hapi/hapi\n\n#### The Simple, Secure Framework Developers Trust\n\nBuild powerful, scalable applications, with minimal overhead and full out-of-the-box functionality - your code, your way.\n\n### Visit the [hapi.dev](https://hapi.dev) Developer Portal for tutorials, documentation, and support\n\n## Useful resources\n\n- [Documentation and API](https://hapi.dev/)\n- [Version status](https://hapi.dev/resources/status/#hapi) (builds, dependencies, node versions, licenses, eol)\n- [Changelog](https://hapi.dev/resources/changelog/)\n- [Project policies](https://hapi.dev/policies/)\n- [Support](https://hapi.dev/support/)\n\n## Technical Steering Committee (TSC) Members\n\n - Devin Ivy ([@devinivy](https://github.com/devinivy))\n - Lloyd Benson ([@lloydbenson](https://github.com/lloydbenson))\n - Nathan LaFreniere ([@nlf](https://github.com/nlf))\n - Wyatt Lyon Preul ([@geek](https://github.com/geek))\n - Nicolas Morel ([@marsup](https://github.com/marsup))\n - Jonathan Samines ([@jonathansamines](https://github.com/jonathansamines))\n" }, { "path": "SPONSORS.md", "content": "We'd like to thank our sponsors as well as the legacy sponsors who have supported hapi throughout the years. Thanks so much for your support!\n\n> Below are hapi's top recurring sponsors, but there are many more to thank. For the complete list, see [hapi.dev/policies/sponsors](https://hapi.dev/policies/sponsors/) or [hapijs/.github/SPONSORS.md](https://github.com/hapijs/.github/blob/master/SPONSORS.md).\n\n# Staff Sponsors\n\n- [Big Room Studios](https://www.bigroomstudios.com/)\n- [Dixeed](https://dixeed.com/)\n\n# Top Sponsors\n\n- Fabian Gündel / [DataWrapper.de](https://www.datawrapper.de/)\n- Devin Stewart\n- [Raider.IO](https://raider.io/)\n- [Florence Healthcare](https://florencehc.com/)\n" }, { "path": "lib/auth.js", "content": "'use strict';\n\nconst Boom = require('@hapi/boom');\nconst Bounce = require('@hapi/bounce');\nconst Hoek = require('@hapi/hoek');\n\nconst Config = require('./config');\nconst Request = require('./request');\n\n\nconst internals = {\n missing: Symbol('missing')\n};\n\n\nexports = module.exports = internals.Auth = class {\n\n #core = null;\n #schemes = {};\n #strategies = {};\n\n api = {}; // Do not reassign api or settings, as they are referenced in public()\n settings = {\n default: null // Strategy used as default if route has no auth settings\n };\n\n constructor(core) {\n\n this.#core = core;\n }\n\n public(server) {\n\n return {\n api: this.api,\n settings: this.settings,\n scheme: this.scheme.bind(this),\n strategy: this._strategy.bind(this, server),\n default: this.default.bind(this),\n test: this.test.bind(this),\n verify: this.verify.bind(this),\n lookup: this.lookup.bind(this)\n };\n }\n\n scheme(name, scheme) {\n\n Hoek.assert(name, 'Authentication scheme must have a name');\n Hoek.assert(!this.#schemes[name], 'Authentication scheme name already exists:', name);\n Hoek.assert(typeof scheme === 'function', 'scheme must be a function:', name);\n\n this.#schemes[name] = scheme;\n }\n\n _strategy(server, name, scheme, options = {}) {\n\n Hoek.assert(name, 'Authentication strategy must have a name');\n Hoek.assert(typeof options === 'object', 'options must be an object');\n Hoek.assert(!this.#strategies[name], 'Authentication strategy name already exists');\n Hoek.assert(scheme, 'Authentication strategy', name, 'missing scheme');\n Hoek.assert(this.#schemes[scheme], 'Authentication strategy', name, 'uses unknown scheme:', scheme);\n\n server = server._clone();\n const strategy = this.#schemes[scheme](server, options);\n\n Hoek.assert(strategy.authenticate, 'Invalid scheme:', name, 'missing authenticate() method');\n Hoek.assert(typeof strategy.authenticate === 'function', 'Invalid scheme:', name, 'invalid authenticate() method');\n Hoek.assert(!strategy.payload || typeof strategy.payload === 'function', 'Invalid scheme:', name, 'invalid payload() method');\n Hoek.assert(!strategy.response || typeof strategy.response === 'function', 'Invalid scheme:', name, 'invalid response() method');\n strategy.options = strategy.options ?? {};\n Hoek.assert(strategy.payload || !strategy.options.payload, 'Cannot require payload validation without a payload method');\n\n this.#strategies[name] = {\n methods: strategy,\n realm: server.realm\n };\n\n if (strategy.api) {\n this.api[name] = strategy.api;\n }\n }\n\n default(options) {\n\n Hoek.assert(!this.settings.default, 'Cannot set default strategy more than once');\n options = Config.apply('auth', options, 'default strategy');\n\n this.settings.default = this._setupRoute(Hoek.clone(options)); // Prevent changes to options\n\n const routes = this.#core.router.table();\n for (const route of routes) {\n route.rebuild();\n }\n }\n\n async test(name, request) {\n\n Hoek.assert(name, 'Missing authentication strategy name');\n const strategy = this.#strategies[name];\n Hoek.assert(strategy, 'Unknown authentication strategy:', name);\n\n const bind = strategy.methods;\n const realm = strategy.realm;\n const response = await request._core.toolkit.execute(strategy.methods.authenticate, request, { bind, realm, auth: true });\n\n if (!response.isAuth) {\n throw response;\n }\n\n if (response.error) {\n throw response.error;\n }\n\n return response.data;\n }\n\n async verify(request) {\n\n const auth = request.auth;\n\n if (auth.error) {\n throw auth.error;\n }\n\n if (!auth.isAuthenticated) {\n return;\n }\n\n const strategy = this.#strategies[auth.strategy];\n Hoek.assert(strategy, 'Unknown authentication strategy:', auth.strategy);\n\n if (!strategy.methods.verify) {\n return;\n }\n\n const bind = strategy.methods;\n await strategy.methods.verify.call(bind, auth);\n }\n\n static testAccess(request, route) {\n\n const auth = request._core.auth;\n\n try {\n return auth._access(request, route);\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n return false;\n }\n }\n\n _setupRoute(options, path) {\n\n if (!options) {\n return options; // Preserve the difference between undefined and false\n }\n\n if (typeof options === 'string') {\n options = { strategies: [options] };\n }\n else if (options.strategy) {\n options.strategies = [options.strategy];\n delete options.strategy;\n }\n\n if (path &&\n !options.strategies) {\n\n Hoek.assert(this.settings.default, 'Route missing authentication strategy and no default defined:', path);\n options = Hoek.applyToDefaults(this.settings.default, options);\n }\n\n path = path ?? 'default strategy';\n Hoek.assert(options.strategies?.length, 'Missing authentication strategy:', path);\n\n options.mode = options.mode ?? 'required';\n\n if (options.entity !== undefined || // Backwards compatibility with <= 11.x.x\n options.scope !== undefined) {\n\n options.access = [{ entity: options.entity, scope: options.scope }];\n delete options.entity;\n delete options.scope;\n }\n\n if (options.access) {\n for (const access of options.access) {\n access.scope = internals.setupScope(access);\n }\n }\n\n if (options.payload === true) {\n options.payload = 'required';\n }\n\n let hasAuthenticatePayload = false;\n for (const name of options.strategies) {\n const strategy = this.#strategies[name];\n Hoek.assert(strategy, 'Unknown authentication strategy', name, 'in', path);\n\n Hoek.assert(strategy.methods.payload || options.payload !== 'required', 'Payload validation can only be required when all strategies support it in', path);\n hasAuthenticatePayload = hasAuthenticatePayload || strategy.methods.payload;\n Hoek.assert(!strategy.methods.options.payload || options.payload === undefined || options.payload === 'required', 'Cannot set authentication payload to', options.payload, 'when a strategy requires payload validation in', path);\n }\n\n Hoek.assert(!options.payload || hasAuthenticatePayload, 'Payload authentication requires at least one strategy with payload support in', path);\n\n return options;\n }\n\n lookup(route) {\n\n if (route.settings.auth === false) {\n return false;\n }\n\n return route.settings.auth || this.settings.default;\n }\n\n _enabled(route, type) {\n\n const config = this.lookup(route);\n if (!config) {\n return false;\n }\n\n if (type === 'authenticate') {\n return true;\n }\n\n if (type === 'access') {\n return !!config.access;\n }\n\n for (const name of config.strategies) {\n const strategy = this.#strategies[name];\n if (strategy.methods[type]) {\n return true;\n }\n }\n\n return false;\n }\n\n static authenticate(request) {\n\n const auth = request._core.auth;\n return auth._authenticate(request);\n }\n\n async _authenticate(request) {\n\n const config = this.lookup(request.route);\n\n const errors = [];\n request.auth.mode = config.mode;\n\n // Injection bypass\n\n if (request.auth.credentials) {\n internals.validate(null, { credentials: request.auth.credentials, artifacts: request.auth.artifacts }, request.auth.strategy, config, request, errors);\n return;\n }\n\n // Try each strategy\n\n for (const name of config.strategies) {\n const strategy = this.#strategies[name];\n\n const bind = strategy.methods;\n const realm = strategy.realm;\n const response = await request._core.toolkit.execute(strategy.methods.authenticate, request, { bind, realm, auth: true });\n\n const message = (response.isAuth ? internals.validate(response.error, response.data, name, config, request, errors) : internals.validate(response, null, name, config, request, errors));\n if (!message) {\n return;\n }\n\n if (message !== internals.missing) {\n return message;\n }\n }\n\n // No more strategies\n\n const err = Boom.unauthorized('Missing authentication', errors);\n if (config.mode === 'required') {\n throw err;\n }\n\n request.auth.isAuthenticated = false;\n request.auth.credentials = null;\n request.auth.error = err;\n request._log(['auth', 'unauthenticated']);\n }\n\n static access(request) {\n\n const auth = request._core.auth;\n request.auth.isAuthorized = auth._access(request);\n }\n\n _access(request, route) {\n\n const config = this.lookup(route || request.route);\n if (!config?.access) {\n return true;\n }\n\n const credentials = request.auth.credentials;\n if (!credentials) {\n if (config.mode !== 'required') {\n return false;\n }\n\n throw Boom.forbidden('Request is unauthenticated');\n }\n\n const requestEntity = (credentials.user ? 'user' : 'app');\n\n const scopeErrors = [];\n for (const access of config.access) {\n\n // Check entity\n\n const entity = access.entity;\n if (entity &&\n entity !== 'any' &&\n entity !== requestEntity) {\n\n continue;\n }\n\n // Check scope\n\n let scope = access.scope;\n if (scope) {\n if (!credentials.scope) {\n scopeErrors.push(scope);\n continue;\n }\n\n scope = internals.expandScope(request, scope);\n if (!internals.validateScope(credentials, scope, 'required') ||\n !internals.validateScope(credentials, scope, 'selection') ||\n !internals.validateScope(credentials, scope, 'forbidden')) {\n\n scopeErrors.push(scope);\n continue;\n }\n }\n\n return true;\n }\n\n // Scope error\n\n if (scopeErrors.length) {\n request._log(['auth', 'scope', 'error']);\n throw Boom.forbidden('Insufficient scope', { got: credentials.scope, need: scopeErrors });\n }\n\n // Entity error\n\n if (requestEntity === 'app') {\n request._log(['auth', 'entity', 'user', 'error']);\n throw Boom.forbidden('Application credentials cannot be used on a user endpoint');\n }\n\n request._log(['auth', 'entity', 'app', 'error']);\n throw Boom.forbidden('User credentials cannot be used on an application endpoint');\n }\n\n static async payload(request) {\n\n if (!request.auth.isAuthenticated || !request.auth[Request.symbols.authPayload]) {\n return;\n }\n\n const auth = request._core.auth;\n const strategy = auth.#strategies[request.auth.strategy];\n Hoek.assert(strategy, 'Unknown authentication strategy:', request.auth.strategy);\n\n if (!strategy.methods.payload) {\n return;\n }\n\n const config = auth.lookup(request.route);\n const setting = config.payload ?? (strategy.methods.options.payload ? 'required' : false);\n if (!setting) {\n return;\n }\n\n const bind = strategy.methods;\n const realm = strategy.realm;\n const response = await request._core.toolkit.execute(strategy.methods.payload, request, { bind, realm });\n\n if (response.isBoom &&\n response.isMissing) {\n\n return setting === 'optional' ? undefined : Boom.unauthorized('Missing payload authentication');\n }\n\n return response;\n }\n\n static async response(response) {\n\n const request = response.request;\n const auth = request._core.auth;\n if (!request.auth.isAuthenticated) {\n return;\n }\n\n const strategy = auth.#strategies[request.auth.strategy];\n Hoek.assert(strategy, 'Unknown authentication strategy:', request.auth.strategy);\n\n if (!strategy.methods.response) {\n return;\n }\n\n const bind = strategy.methods;\n const realm = strategy.realm;\n const error = await request._core.toolkit.execute(strategy.methods.response, request, { bind, realm, continue: 'undefined' });\n if (error) {\n throw error;\n }\n }\n};\n\n\ninternals.setupScope = function (access) {\n\n // No scopes\n\n if (!access.scope) {\n return false;\n }\n\n // Already setup\n\n if (!Array.isArray(access.scope)) {\n return access.scope;\n }\n\n const scope = {};\n for (const value of access.scope) {\n const prefix = value[0];\n const type = prefix === '+' ? 'required' : (prefix === '!' ? 'forbidden' : 'selection');\n const clean = type === 'selection' ? value : value.slice(1);\n scope[type] = scope[type] ?? [];\n scope[type].push(clean);\n\n if ((!scope._hasParameters?.[type]) &&\n /{([^}]+)}/.test(clean)) {\n\n scope._hasParameters = scope._hasParameters ?? {};\n scope._hasParameters[type] = true;\n }\n }\n\n return scope;\n};\n\n\ninternals.validate = function (err, result, name, config, request, errors) { // err can be Boom, Error, or a valid response object\n\n result = result ?? {};\n request.auth.isAuthenticated = !err;\n\n if (err) {\n\n // Non-error response\n\n if (err instanceof Error === false) {\n request._log(['auth', 'unauthenticated', 'response', name], { statusCode: err.statusCode });\n return err;\n }\n\n // Missing authenticated\n\n if (err.isMissing) {\n request._log(['auth', 'unauthenticated', 'missing', name], err);\n errors.push(err.output.headers['WWW-Authenticate']);\n return internals.missing;\n }\n }\n\n request.auth.strategy = name;\n request.auth.credentials = result.credentials;\n request.auth.artifacts = result.artifacts;\n\n // Authenticated\n\n if (!err) {\n return;\n }\n\n // Unauthenticated\n\n request.auth.error = err;\n\n if (config.mode === 'try') {\n request._log(['auth', 'unauthenticated', 'try', name], err);\n return;\n }\n\n request._log(['auth', 'unauthenticated', 'error', name], err);\n throw err;\n};\n\n\ninternals.expandScope = function (request, scope) {\n\n if (!scope._hasParameters) {\n return scope;\n }\n\n const expanded = {\n required: internals.expandScopeType(request, scope, 'required'),\n selection: internals.expandScopeType(request, scope, 'selection'),\n forbidden: internals.expandScopeType(request, scope, 'forbidden')\n };\n\n return expanded;\n};\n\n\ninternals.expandScopeType = function (request, scope, type) {\n\n if (!scope._hasParameters[type]) {\n return scope[type];\n }\n\n const expanded = [];\n const context = {\n params: request.params,\n query: request.query,\n payload: request.payload,\n credentials: request.auth.credentials\n };\n\n for (const template of scope[type]) {\n expanded.push(Hoek.reachTemplate(context, template));\n }\n\n return expanded;\n};\n\n\ninternals.validateScope = function (credentials, scope, type) {\n\n if (!scope[type]) {\n return true;\n }\n\n const count = typeof credentials.scope === 'string' ?\n scope[type].indexOf(credentials.scope) !== -1 ? 1 : 0 :\n Hoek.intersect(scope[type], credentials.scope).length;\n\n if (type === 'forbidden') {\n return count === 0;\n }\n\n if (type === 'required') {\n return count === scope.required.length;\n }\n\n return !!count;\n};\n" }, { "path": "lib/compression.js", "content": "'use strict';\n\nconst Zlib = require('zlib');\n\nconst Accept = require('@hapi/accept');\nconst Bounce = require('@hapi/bounce');\nconst Hoek = require('@hapi/hoek');\n\n\nconst internals = {\n common: ['gzip, deflate', 'deflate, gzip', 'gzip', 'deflate', 'gzip, deflate, br']\n};\n\n\nexports = module.exports = internals.Compression = class {\n\n decoders = {\n gzip: (options) => Zlib.createGunzip(options),\n deflate: (options) => Zlib.createInflate(options)\n };\n\n encodings = ['identity', 'gzip', 'deflate'];\n\n encoders = {\n identity: null,\n gzip: (options) => Zlib.createGzip(options),\n deflate: (options) => Zlib.createDeflate(options)\n };\n\n #common = null;\n\n constructor() {\n\n this._updateCommons();\n }\n\n _updateCommons() {\n\n this.#common = new Map();\n\n for (const header of internals.common) {\n this.#common.set(header, Accept.encoding(header, this.encodings));\n }\n }\n\n addEncoder(encoding, encoder) {\n\n Hoek.assert(this.encoders[encoding] === undefined, `Cannot override existing encoder for ${encoding}`);\n Hoek.assert(typeof encoder === 'function', `Invalid encoder function for ${encoding}`);\n this.encoders[encoding] = encoder;\n this.encodings.unshift(encoding);\n this._updateCommons();\n }\n\n addDecoder(encoding, decoder) {\n\n Hoek.assert(this.decoders[encoding] === undefined, `Cannot override existing decoder for ${encoding}`);\n Hoek.assert(typeof decoder === 'function', `Invalid decoder function for ${encoding}`);\n this.decoders[encoding] = decoder;\n }\n\n accept(request) {\n\n const header = request.headers['accept-encoding'];\n if (!header) {\n return 'identity';\n }\n\n const common = this.#common.get(header);\n if (common) {\n return common;\n }\n\n try {\n return Accept.encoding(header, this.encodings);\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n err.header = header;\n request._log(['accept-encoding', 'error'], err);\n return 'identity';\n }\n }\n\n encoding(response, length) {\n\n if (response.settings.compressed) {\n response.headers['content-encoding'] = response.settings.compressed;\n return null;\n }\n\n const request = response.request;\n if (!request._core.settings.compression ||\n length !== null && length < request._core.settings.compression.minBytes) {\n\n return null;\n }\n\n const mime = request._core.mime.type(response.headers['content-type'] || 'application/octet-stream');\n if (!mime.compressible) {\n return null;\n }\n\n response.vary('accept-encoding');\n\n if (response.headers['content-encoding']) {\n return null;\n }\n\n return request.info.acceptEncoding === 'identity' ? null : request.info.acceptEncoding;\n }\n\n encoder(request, encoding) {\n\n const encoder = this.encoders[encoding];\n Hoek.assert(encoder !== undefined, `Unknown encoding ${encoding}`);\n return encoder(request.route.settings.compression[encoding]);\n }\n};\n" }, { "path": "lib/config.js", "content": "'use strict';\n\nconst Os = require('os');\n\nconst Somever = require('@hapi/somever');\nconst Validate = require('@hapi/validate');\n\n\nconst internals = {};\n\n\nexports.symbol = Symbol('hapi-response');\n\n\nexports.apply = function (type, options, ...message) {\n\n const result = internals[type].validate(options);\n\n if (result.error) {\n throw new Error(`Invalid ${type} options ${message.length ? '(' + message.join(' ') + ')' : ''} ${result.error.annotate()}`);\n }\n\n return result.value;\n};\n\n\nexports.enable = function (options) {\n\n const settings = options ? Object.assign({}, options) : {}; // Shallow cloned\n\n if (settings.security === true) {\n settings.security = {};\n }\n\n if (settings.cors === true) {\n settings.cors = {};\n }\n\n return settings;\n};\n\nexports.versionMatch = (version, range) => Somever.match(version, range, { includePrerelease: true });\n\ninternals.access = Validate.object({\n entity: Validate.valid('user', 'app', 'any'),\n scope: [false, Validate.array().items(Validate.string()).single().min(1)]\n});\n\n\ninternals.auth = Validate.alternatives([\n Validate.string(),\n internals.access.keys({\n mode: Validate.valid('required', 'optional', 'try'),\n strategy: Validate.string(),\n strategies: Validate.array().items(Validate.string()).min(1),\n access: Validate.array().items(internals.access.min(1)).single().min(1),\n payload: [\n Validate.valid('required', 'optional'),\n Validate.boolean()\n ]\n })\n .without('strategy', 'strategies')\n .without('access', ['scope', 'entity'])\n]);\n\n\ninternals.event = Validate.object({\n method: Validate.array().items(Validate.function()).single(),\n options: Validate.object({\n before: Validate.array().items(Validate.string()).single(),\n after: Validate.array().items(Validate.string()).single(),\n bind: Validate.any(),\n sandbox: Validate.valid('server', 'plugin'),\n timeout: Validate.number().integer().min(1)\n })\n .default({})\n});\n\n\ninternals.exts = Validate.array()\n .items(internals.event.keys({ type: Validate.string().required() })).single();\n\n\ninternals.failAction = Validate.alternatives([\n Validate.valid('error', 'log', 'ignore'),\n Validate.function()\n])\n .default('error');\n\n\ninternals.routeBase = Validate.object({\n app: Validate.object().allow(null),\n auth: internals.auth.allow(false),\n bind: Validate.object().allow(null),\n cache: Validate.object({\n expiresIn: Validate.number(),\n expiresAt: Validate.string(),\n privacy: Validate.valid('default', 'public', 'private'),\n statuses: Validate.array().items(Validate.number().integer().min(200)).min(1).single().default([200, 204]),\n otherwise: Validate.string().default('no-cache')\n })\n .allow(false)\n .default(),\n compression: Validate.object()\n .pattern(/.+/, Validate.object())\n .default(),\n cors: Validate.object({\n origin: Validate.array().min(1).allow('ignore').default(['*']),\n maxAge: Validate.number().default(86400),\n headers: Validate.array().items(Validate.string()).default(['Accept', 'Authorization', 'Content-Type', 'If-None-Match']),\n additionalHeaders: Validate.array().items(Validate.string()).default([]),\n exposedHeaders: Validate.array().items(Validate.string()).default(['WWW-Authenticate', 'Server-Authorization']),\n additionalExposedHeaders: Validate.array().items(Validate.string()).default([]),\n credentials: Validate.boolean().when('origin', { is: 'ignore', then: false }).default(false),\n preflightStatusCode: Validate.valid(200, 204).default(200)\n })\n .allow(false, true)\n .default(false),\n ext: Validate.object({\n onPreAuth: Validate.array().items(internals.event).single(),\n onCredentials: Validate.array().items(internals.event).single(),\n onPostAuth: Validate.array().items(internals.event).single(),\n onPreHandler: Validate.array().items(internals.event).single(),\n onPostHandler: Validate.array().items(internals.event).single(),\n onPreResponse: Validate.array().items(internals.event).single(),\n onPostResponse: Validate.array().items(internals.event).single()\n })\n .default({}),\n files: Validate.object({\n relativeTo: Validate.string().pattern(/^([\\/\\.])|([A-Za-z]:\\\\)|(\\\\\\\\)/).default('.')\n })\n .default(),\n json: Validate.object({\n replacer: Validate.alternatives(Validate.function(), Validate.array()).allow(null).default(null),\n space: Validate.number().allow(null).default(null),\n suffix: Validate.string().allow(null).default(null),\n escape: Validate.boolean().default(false)\n })\n .default(),\n log: Validate.object({\n collect: Validate.boolean().default(false)\n })\n .default(),\n payload: Validate.object({\n output: Validate.valid('data', 'stream', 'file').default('data'),\n parse: Validate.boolean().allow('gunzip').default(true),\n multipart: Validate.object({\n output: Validate.valid('data', 'stream', 'file', 'annotated').required()\n })\n .default(false)\n .allow(true, false),\n allow: Validate.array().items(Validate.string()).single(),\n override: Validate.string(),\n protoAction: Validate.valid('error', 'remove', 'ignore').default('error'),\n maxBytes: Validate.number().integer().positive().default(1024 * 1024),\n maxParts: Validate.number().integer().positive().default(1000),\n uploads: Validate.string().default(Os.tmpdir()),\n failAction: internals.failAction,\n timeout: Validate.number().integer().positive().allow(false).default(10 * 1000),\n defaultContentType: Validate.string().default('application/json'),\n compression: Validate.object()\n .pattern(/.+/, Validate.object())\n .default()\n })\n .default(),\n plugins: Validate.object(),\n response: Validate.object({\n disconnectStatusCode: Validate.number().integer().min(400).default(499),\n emptyStatusCode: Validate.valid(200, 204).default(204),\n failAction: internals.failAction,\n modify: Validate.boolean(),\n options: Validate.object(),\n ranges: Validate.boolean().default(true),\n sample: Validate.number().min(0).max(100).when('modify', { then: Validate.forbidden() }),\n schema: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(true, false),\n status: Validate.object().pattern(/\\d\\d\\d/, Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(true, false))\n })\n .default(),\n security: Validate.object({\n hsts: Validate.alternatives([\n Validate.object({\n maxAge: Validate.number(),\n includeSubdomains: Validate.boolean(),\n includeSubDomains: Validate.boolean(),\n preload: Validate.boolean()\n }),\n Validate.boolean(),\n Validate.number()\n ])\n .default(15768000),\n xframe: Validate.alternatives([\n Validate.boolean(),\n Validate.valid('sameorigin', 'deny'),\n Validate.object({\n rule: Validate.valid('sameorigin', 'deny', 'allow-from'),\n source: Validate.string()\n })\n ])\n .default('deny'),\n xss: Validate.valid('enabled', 'disabled', false).default('disabled'),\n noOpen: Validate.boolean().default(true),\n noSniff: Validate.boolean().default(true),\n referrer: Validate.alternatives([\n Validate.boolean().valid(false),\n Validate.valid('', 'no-referrer', 'no-referrer-when-downgrade',\n 'unsafe-url', 'same-origin', 'origin', 'strict-origin',\n 'origin-when-cross-origin', 'strict-origin-when-cross-origin')\n ])\n .default(false)\n })\n .allow(null, false, true)\n .default(false),\n state: Validate.object({\n parse: Validate.boolean().default(true),\n failAction: internals.failAction\n })\n .default(),\n timeout: Validate.object({\n socket: Validate.number().integer().positive().allow(false),\n server: Validate.number().integer().positive().allow(false).default(false)\n })\n .default(),\n validate: Validate.object({\n headers: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, true),\n params: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, true),\n query: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, false, true),\n payload: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, false, true),\n state: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, false, true),\n failAction: internals.failAction,\n errorFields: Validate.object(),\n options: Validate.object().default(),\n validator: Validate.object()\n })\n .default()\n});\n\n\ninternals.server = Validate.object({\n address: Validate.string().hostname(),\n app: Validate.object().allow(null),\n autoListen: Validate.boolean(),\n cache: Validate.allow(null), // Validated elsewhere\n compression: Validate.object({\n minBytes: Validate.number().min(1).integer().default(1024)\n })\n .allow(false)\n .default(),\n debug: Validate.object({\n request: Validate.array().items(Validate.string()).single().allow(false).default(['implementation']),\n log: Validate.array().items(Validate.string()).single().allow(false)\n })\n .allow(false)\n .default(),\n host: Validate.string().hostname().allow(null),\n info: Validate.object({\n remote: Validate.boolean().default(false)\n })\n .default({}),\n listener: Validate.any(),\n load: Validate.object({\n sampleInterval: Validate.number().integer().min(0).default(0)\n })\n .unknown()\n .default(),\n mime: Validate.object().empty(null).default(),\n operations: Validate.object({\n cleanStop: Validate.boolean().default(true)\n })\n .default(),\n plugins: Validate.object(),\n port: Validate.alternatives([\n Validate.number().integer().min(0), // TCP port\n Validate.string().pattern(/\\//), // Unix domain socket\n Validate.string().pattern(/^\\\\\\\\\\.\\\\pipe\\\\/) // Windows named pipe\n ])\n .allow(null),\n query: Validate.object({\n parser: Validate.function()\n })\n .default(),\n router: Validate.object({\n isCaseSensitive: Validate.boolean().default(true),\n stripTrailingSlash: Validate.boolean().default(false)\n })\n .default(),\n routes: internals.routeBase.default(),\n state: Validate.object(), // Cookie defaults\n tls: Validate.alternatives([\n Validate.object().allow(null),\n Validate.boolean()\n ]),\n uri: Validate.string().pattern(/[^/]$/)\n});\n\n\ninternals.vhost = Validate.alternatives([\n Validate.string().hostname(),\n Validate.array().items(Validate.string().hostname()).min(1)\n]);\n\n\ninternals.handler = Validate.alternatives([\n Validate.function(),\n Validate.object().length(1)\n]);\n\n\ninternals.route = Validate.object({\n method: Validate.string().pattern(/^[a-zA-Z0-9!#\\$%&'\\*\\+\\-\\.^_`\\|~]+$/).required(),\n path: Validate.string().required(),\n rules: Validate.object(),\n vhost: internals.vhost,\n\n // Validated in route construction\n\n handler: Validate.any(),\n options: Validate.any(),\n config: Validate.any() // Backwards compatibility\n})\n .without('config', 'options');\n\n\ninternals.pre = [\n Validate.function(),\n Validate.object({\n method: Validate.alternatives(Validate.string(), Validate.function()).required(),\n assign: Validate.string(),\n mode: Validate.valid('serial', 'parallel'),\n failAction: internals.failAction\n })\n];\n\n\ninternals.routeConfig = internals.routeBase.keys({\n description: Validate.string(),\n id: Validate.string(),\n isInternal: Validate.boolean(),\n notes: [\n Validate.string(),\n Validate.array().items(Validate.string())\n ],\n pre: Validate.array().items(...internals.pre.concat(Validate.array().items(...internals.pre).min(1))),\n tags: [\n Validate.string(),\n Validate.array().items(Validate.string())\n ]\n});\n\n\ninternals.cacheConfig = Validate.alternatives([\n Validate.function(),\n Validate.object({\n name: Validate.string().invalid('_default'),\n shared: Validate.boolean(),\n provider: [\n Validate.function(),\n {\n constructor: Validate.function().required(),\n options: Validate.object({\n partition: Validate.string().default('hapi-cache')\n })\n .unknown() // Catbox client validates other keys\n .default({})\n }\n ],\n engine: Validate.object()\n })\n .xor('provider', 'engine')\n]);\n\n\ninternals.cache = Validate.array().items(internals.cacheConfig).min(1).single();\n\n\ninternals.cachePolicy = Validate.object({\n cache: Validate.string().allow(null).allow(''),\n segment: Validate.string(),\n shared: Validate.boolean()\n})\n .unknown(); // Catbox policy validates other keys\n\n\ninternals.method = Validate.object({\n bind: Validate.object().allow(null),\n generateKey: Validate.function(),\n cache: internals.cachePolicy\n});\n\n\ninternals.methodObject = Validate.object({\n name: Validate.string().required(),\n method: Validate.function().required(),\n options: Validate.object()\n});\n\n\ninternals.register = Validate.object({\n once: true,\n routes: Validate.object({\n prefix: Validate.string().pattern(/^\\/.+/),\n vhost: internals.vhost\n })\n .default({})\n});\n\n\ninternals.semver = Validate.string();\n\n\ninternals.plugin = internals.register.keys({\n options: Validate.any(),\n plugin: Validate.object({\n register: Validate.function().required(),\n name: Validate.string().when('pkg.name', { is: Validate.exist(), otherwise: Validate.required() }),\n version: Validate.string(),\n multiple: Validate.boolean().default(false),\n dependencies: [\n Validate.array().items(Validate.string()).single(),\n Validate.object().pattern(/.+/, internals.semver)\n ],\n once: true,\n requirements: Validate.object({\n hapi: Validate.string(),\n node: Validate.string()\n })\n .default(),\n pkg: Validate.object({\n name: Validate.string(),\n version: Validate.string().default('0.0.0')\n })\n .unknown()\n .default({})\n })\n .unknown()\n})\n .without('once', 'options')\n .unknown();\n\n\ninternals.rules = Validate.object({\n validate: Validate.object({\n schema: Validate.alternatives(Validate.object(), Validate.array()).required(),\n options: Validate.object()\n .default({ allowUnknown: true })\n })\n});\n" }, { "path": "lib/core.js", "content": "'use strict';\n\nconst Http = require('http');\nconst Https = require('https');\nconst Os = require('os');\nconst Path = require('path');\n\nconst Boom = require('@hapi/boom');\nconst Bounce = require('@hapi/bounce');\nconst Call = require('@hapi/call');\nconst Catbox = require('@hapi/catbox');\nconst { Engine: CatboxMemory } = require('@hapi/catbox-memory');\nconst { Heavy } = require('@hapi/heavy');\nconst Hoek = require('@hapi/hoek');\nconst { Mimos } = require('@hapi/mimos');\nconst Podium = require('@hapi/podium');\nconst Statehood = require('@hapi/statehood');\n\nconst Auth = require('./auth');\nconst Compression = require('./compression');\nconst Config = require('./config');\nconst Cors = require('./cors');\nconst Ext = require('./ext');\nconst Methods = require('./methods');\nconst Request = require('./request');\nconst Response = require('./response');\nconst Route = require('./route');\nconst Toolkit = require('./toolkit');\nconst Validation = require('./validation');\n\n\nconst internals = {\n counter: {\n min: 10000,\n max: 99999\n },\n events: [\n { name: 'cachePolicy', spread: true },\n { name: 'log', channels: ['app', 'internal'], tags: true },\n { name: 'request', channels: ['app', 'internal', 'error'], tags: true, spread: true },\n 'response',\n 'route',\n 'start',\n 'closing',\n 'stop'\n ],\n badRequestResponse: Buffer.from('HTTP/1.1 400 Bad Request\\r\\n\\r\\n', 'ascii')\n};\n\n\nexports = module.exports = internals.Core = class {\n\n actives = new WeakMap(); // Active requests being processed\n app = {};\n auth = new Auth(this);\n caches = new Map(); // Cache clients\n compression = new Compression();\n controlled = null; // Other servers linked to the phases of this server\n dependencies = []; // Plugin dependencies\n events = new Podium.Podium(internals.events);\n heavy = null;\n info = null;\n instances = new Set();\n listener = null;\n methods = new Methods(this); // Server methods\n mime = null;\n onConnection = null; // Used to remove event listener on stop\n phase = 'stopped'; // 'stopped', 'initializing', 'initialized', 'starting', 'started', 'stopping', 'invalid'\n plugins = {}; // Exposed plugin properties by name\n registrations = {}; // Tracks plugin for dependency validation { name -> { version } }\n registring = 0; // > 0 while register() is waiting for plugin callbacks\n Request = class extends Request { };\n Response = class extends Response { };\n requestCounter = { value: internals.counter.min, min: internals.counter.min, max: internals.counter.max };\n root = null;\n router = null;\n settings = null;\n sockets = null; // Track open sockets for graceful shutdown\n started = false;\n states = null;\n toolkit = new Toolkit.Manager();\n type = null;\n validator = null;\n\n extensionsSeq = 0; // Used to keep absolute order of extensions based on the order added across locations\n extensions = {\n server: {\n onPreStart: new Ext('onPreStart', this),\n onPostStart: new Ext('onPostStart', this),\n onPreStop: new Ext('onPreStop', this),\n onPostStop: new Ext('onPostStop', this)\n },\n route: {\n onRequest: new Ext('onRequest', this),\n onPreAuth: new Ext('onPreAuth', this),\n onCredentials: new Ext('onCredentials', this),\n onPostAuth: new Ext('onPostAuth', this),\n onPreHandler: new Ext('onPreHandler', this),\n onPostHandler: new Ext('onPostHandler', this),\n onPreResponse: new Ext('onPreResponse', this),\n onPostResponse: new Ext('onPostResponse', this)\n }\n };\n\n decorations = {\n handler: new Map(),\n request: new Map(),\n response: new Map(),\n server: new Map(),\n toolkit: new Map(),\n requestApply: null,\n public: { handler: [], request: [], response: [], server: [], toolkit: [] }\n };\n\n constructor(options) {\n\n const { settings, type } = internals.setup(options);\n\n this.settings = settings;\n this.type = type;\n\n this.heavy = new Heavy(this.settings.load);\n this.mime = new Mimos(this.settings.mime);\n this.router = new Call.Router(this.settings.router);\n this.states = new Statehood.Definitions(this.settings.state);\n\n this._debug();\n this._initializeCache();\n\n if (this.settings.routes.validate.validator) {\n this.validator = Validation.validator(this.settings.routes.validate.validator);\n }\n\n this.listener = this._createListener();\n this._initializeListener();\n this.info = this._info();\n }\n\n _debug() {\n\n const debug = this.settings.debug;\n if (!debug) {\n return;\n }\n\n // Subscribe to server log events\n\n const method = (event) => {\n\n const data = event.error ?? event.data;\n console.error('Debug:', event.tags.join(', '), data ? '\\n ' + (data.stack ?? (typeof data === 'object' ? Hoek.stringify(data) : data)) : '');\n };\n\n if (debug.log) {\n const filter = debug.log.some((tag) => tag === '*') ? undefined : debug.log;\n this.events.on({ name: 'log', filter }, method);\n }\n\n if (debug.request) {\n const filter = debug.request.some((tag) => tag === '*') ? undefined : debug.request;\n this.events.on({ name: 'request', filter }, (request, event) => method(event));\n }\n }\n\n _initializeCache() {\n\n if (this.settings.cache) {\n this._createCache(this.settings.cache);\n }\n\n if (!this.caches.has('_default')) {\n this._createCache([{ provider: CatboxMemory }]); // Defaults to memory-based\n }\n }\n\n _info() {\n\n const now = Date.now();\n const protocol = this.type === 'tcp' ? (this.settings.tls ? 'https' : 'http') : this.type;\n const host = this.settings.host || Os.hostname() || 'localhost';\n const port = this.settings.port;\n\n const info = {\n created: now,\n started: 0,\n host,\n port,\n protocol,\n id: Os.hostname() + ':' + process.pid + ':' + now.toString(36),\n uri: this.settings.uri ?? (protocol + ':' + (this.type === 'tcp' ? '//' + host + (port ? ':' + port : '') : port))\n };\n\n return info;\n }\n\n _counter() {\n\n const next = ++this.requestCounter.value;\n\n if (this.requestCounter.value > this.requestCounter.max) {\n this.requestCounter.value = this.requestCounter.min;\n }\n\n return next - 1;\n }\n\n _createCache(configs) {\n\n Hoek.assert(this.phase !== 'initializing', 'Cannot provision server cache while server is initializing');\n\n configs = Config.apply('cache', configs);\n\n const added = [];\n for (let config of configs) {\n\n // \n // { provider: }\n // { provider: { constructor: , options } }\n // { engine }\n\n if (typeof config === 'function') {\n config = { provider: { constructor: config } };\n }\n\n const name = config.name ?? '_default';\n Hoek.assert(!this.caches.has(name), 'Cannot configure the same cache more than once: ', name === '_default' ? 'default cache' : name);\n\n let client = null;\n\n if (config.provider) {\n let provider = config.provider;\n if (typeof provider === 'function') {\n provider = { constructor: provider };\n }\n\n client = new Catbox.Client(provider.constructor, provider.options ?? { partition: 'hapi-cache' });\n }\n else {\n client = new Catbox.Client(config.engine);\n }\n\n this.caches.set(name, { client, segments: {}, shared: config.shared ?? false });\n added.push(client);\n }\n\n return added;\n }\n\n registerServer(server) {\n\n if (!this.root) {\n this.root = server;\n this._defaultRoutes();\n }\n\n this.instances.add(server);\n }\n\n async _start() {\n\n if (this.phase === 'initialized' ||\n this.phase === 'started') {\n\n this._validateDeps();\n }\n\n if (this.phase === 'started') {\n return;\n }\n\n if (this.phase !== 'stopped' &&\n this.phase !== 'initialized') {\n\n throw new Error('Cannot start server while it is in ' + this.phase + ' phase');\n }\n\n if (this.phase !== 'initialized') {\n await this._initialize();\n }\n\n this.phase = 'starting';\n this.started = true;\n this.info.started = Date.now();\n\n try {\n await this._listen();\n }\n catch (err) {\n this.started = false;\n this.phase = 'invalid';\n throw err;\n }\n\n this.phase = 'started';\n this.events.emit('start');\n\n try {\n if (this.controlled) {\n await Promise.all(this.controlled.map((control) => control.start()));\n }\n\n await this._invoke('onPostStart');\n }\n catch (err) {\n this.phase = 'invalid';\n throw err;\n }\n }\n\n _listen() {\n\n return new Promise((resolve, reject) => {\n\n if (!this.settings.autoListen) {\n resolve();\n return;\n }\n\n const onError = (err) => {\n\n reject(err);\n return;\n };\n\n this.listener.once('error', onError);\n\n const finalize = () => {\n\n this.listener.removeListener('error', onError);\n resolve();\n return;\n };\n\n if (this.type !== 'tcp') {\n this.listener.listen(this.settings.port, finalize);\n }\n else {\n // Default is the unspecified address, :: if IPv6 is available or otherwise the IPv4 address 0.0.0.0\n const address = this.settings.address || this.settings.host || null;\n this.listener.listen(this.settings.port, address, finalize);\n }\n });\n }\n\n async _initialize() {\n\n if (this.registring) {\n throw new Error('Cannot start server before plugins finished registration');\n }\n\n if (this.phase === 'initialized') {\n return;\n }\n\n if (this.phase !== 'stopped') {\n throw new Error('Cannot initialize server while it is in ' + this.phase + ' phase');\n }\n\n this._validateDeps();\n this.phase = 'initializing';\n\n // Start cache\n\n try {\n const caches = [];\n this.caches.forEach((cache) => caches.push(cache.client.start()));\n await Promise.all(caches);\n await this._invoke('onPreStart');\n this.heavy.start();\n this.phase = 'initialized';\n\n if (this.controlled) {\n await Promise.all(this.controlled.map((control) => control.initialize()));\n }\n }\n catch (err) {\n this.phase = 'invalid';\n throw err;\n }\n }\n\n _validateDeps() {\n\n for (const { deps, plugin } of this.dependencies) {\n for (const dep in deps) {\n const version = deps[dep];\n Hoek.assert(this.registrations[dep], 'Plugin', plugin, 'missing dependency', dep);\n Hoek.assert(version === '*' || Config.versionMatch(this.registrations[dep].version, version), 'Plugin', plugin, 'requires', dep, 'version', version, 'but found', this.registrations[dep].version);\n }\n }\n }\n\n async _stop(options = {}) {\n\n options.timeout = options.timeout ?? 5000; // Default timeout to 5 seconds\n\n if (['stopped', 'initialized', 'started', 'invalid'].indexOf(this.phase) === -1) {\n throw new Error('Cannot stop server while in ' + this.phase + ' phase');\n }\n\n this.phase = 'stopping';\n\n try {\n await this._invoke('onPreStop');\n\n if (this.started) {\n this.started = false;\n this.info.started = 0;\n\n await this._unlisten(options.timeout);\n }\n\n const caches = [];\n this.caches.forEach((cache) => caches.push(cache.client.stop()));\n await Promise.all(caches);\n\n this.events.emit('stop');\n this.heavy.stop();\n\n if (this.controlled) {\n await Promise.all(this.controlled.map((control) => control.stop(options)));\n }\n\n await this._invoke('onPostStop');\n this.phase = 'stopped';\n }\n catch (err) {\n this.phase = 'invalid';\n throw err;\n }\n }\n\n _unlisten(timeout) {\n\n let timeoutId = null;\n if (this.settings.operations.cleanStop) {\n\n // Set connections timeout\n\n const destroy = () => {\n\n for (const connection of this.sockets) {\n connection.destroy();\n }\n\n this.sockets.clear();\n };\n\n timeoutId = setTimeout(destroy, timeout);\n\n // Tell idle keep-alive connections to close\n\n for (const connection of this.sockets) {\n if (!this.actives.has(connection)) {\n connection.end();\n }\n }\n }\n\n // Close connection\n\n return new Promise((resolve) => {\n\n this.listener.close(() => {\n\n if (this.settings.operations.cleanStop) {\n this.listener.removeListener(this.settings.tls ? 'secureConnection' : 'connection', this.onConnection);\n clearTimeout(timeoutId);\n }\n\n this._initializeListener();\n resolve();\n });\n\n this.events.emit('closing');\n });\n }\n\n async _invoke(type) {\n\n const exts = this.extensions.server[type];\n if (!exts.nodes) {\n return;\n }\n\n // Execute extensions\n\n for (const ext of exts.nodes) {\n const bind = ext.bind ?? ext.realm.settings.bind;\n const operation = ext.func.call(bind, ext.server, bind);\n await Toolkit.timed(operation, { timeout: ext.timeout, name: type });\n }\n }\n\n _defaultRoutes() {\n\n this.router.special('notFound', new Route({ method: '_special', path: '/{p*}', handler: internals.notFound }, this.root, { special: true }));\n this.router.special('badRequest', new Route({ method: '_special', path: '/{p*}', handler: internals.badRequest }, this.root, { special: true }));\n\n if (this.settings.routes.cors) {\n Cors.handler(this.root);\n }\n }\n\n _dispatch(options = {}) {\n\n return (req, res) => {\n\n // Create request\n\n const request = Request.generate(this.root, req, res, options);\n\n // Track socket request processing state\n\n if (this.settings.operations.cleanStop &&\n req.socket) {\n\n this.actives.set(req.socket, request);\n const env = { core: this, req };\n res.on('finish', internals.onFinish.bind(res, env));\n }\n\n // Check load\n\n if (this.settings.load.sampleInterval) {\n try {\n this.heavy.check();\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n this._log(['load'], this.heavy.load);\n request._reply(err);\n return;\n }\n }\n\n request._execute();\n };\n }\n\n _createListener() {\n\n const listener = this.settings.listener ?? (this.settings.tls ? Https.createServer(this.settings.tls) : Http.createServer());\n listener.on('request', this._dispatch());\n listener.on('checkContinue', this._dispatch({ expectContinue: true }));\n\n listener.on('clientError', (err, socket) => {\n\n this._log(['connection', 'client', 'error'], err);\n\n if (socket.readable) {\n const request = this.settings.operations.cleanStop && this.actives.get(socket);\n if (request) {\n\n // If a request is available, it means that the connection and parsing has progressed far enough to have created the request.\n\n if (err.code === 'HPE_INVALID_METHOD') {\n\n // This parser error is for a pipelined request. Schedule destroy once current request is done.\n\n request.raw.res.once('close', () => {\n\n if (socket.readable) {\n socket.end(internals.badRequestResponse);\n }\n else {\n socket.destroy(err);\n }\n });\n return;\n }\n\n const error = Boom.badRequest();\n error.output.headers = { connection: 'close' };\n request._reply(error);\n }\n else {\n socket.end(internals.badRequestResponse);\n }\n }\n else {\n socket.destroy(err);\n }\n });\n\n return listener;\n }\n\n _initializeListener() {\n\n this.listener.once('listening', () => {\n\n // Update the address, port, and uri with active values\n\n if (this.type === 'tcp') {\n const address = this.listener.address();\n this.info.address = address.address;\n this.info.port = address.port;\n this.info.uri = this.settings.uri ?? this.info.protocol + '://' + this.info.host + ':' + this.info.port;\n }\n\n if (this.settings.operations.cleanStop) {\n this.sockets = new Set();\n\n const self = this;\n const onClose = function () { // 'this' is bound to the emitter\n\n self.sockets.delete(this);\n };\n\n this.onConnection = (connection) => {\n\n this.sockets.add(connection);\n connection.on('close', onClose);\n };\n\n this.listener.on(this.settings.tls ? 'secureConnection' : 'connection', this.onConnection);\n }\n });\n }\n\n _cachePolicy(options, _segment, realm) {\n\n options = Config.apply('cachePolicy', options);\n\n const plugin = realm?.plugin;\n const segment = options.segment ?? _segment ?? (plugin ? `!${plugin}` : '');\n Hoek.assert(segment, 'Missing cache segment name');\n\n const cacheName = options.cache ?? '_default';\n const cache = this.caches.get(cacheName);\n Hoek.assert(cache, 'Unknown cache', cacheName);\n Hoek.assert(!cache.segments[segment] || cache.shared || options.shared, 'Cannot provision the same cache segment more than once');\n cache.segments[segment] = true;\n\n const policy = new Catbox.Policy(options, cache.client, segment);\n this.events.emit('cachePolicy', [policy, options.cache, segment]);\n\n return policy;\n }\n\n log(tags, data) {\n\n return this._log(tags, data, 'app');\n }\n\n _log(tags, data, channel = 'internal') {\n\n if (!this.events.hasListeners('log')) {\n return;\n }\n\n if (!Array.isArray(tags)) {\n tags = [tags];\n }\n\n const timestamp = Date.now();\n const field = data instanceof Error ? 'error' : 'data';\n\n let event = { timestamp, tags, [field]: data, channel };\n\n if (typeof data === 'function') {\n event = () => ({ timestamp, tags, data: data(), channel });\n }\n\n this.events.emit({ name: 'log', tags, channel }, event);\n }\n};\n\n\ninternals.setup = function (options = {}) {\n\n let settings = Hoek.clone(options, { shallow: ['cache', 'listener', 'routes.bind'] });\n settings.app = settings.app ?? {};\n settings.routes = Config.enable(settings.routes);\n settings = Config.apply('server', settings);\n\n if (settings.port === undefined) {\n settings.port = 0;\n }\n\n const type = (typeof settings.port === 'string' ? 'socket' : 'tcp');\n if (type === 'socket') {\n settings.port = (settings.port.indexOf('/') !== -1 ? Path.resolve(settings.port) : settings.port.toLowerCase());\n }\n\n if (settings.autoListen === undefined) {\n settings.autoListen = true;\n }\n\n Hoek.assert(settings.autoListen || !settings.port, 'Cannot specify port when autoListen is false');\n Hoek.assert(settings.autoListen || !settings.address, 'Cannot specify address when autoListen is false');\n\n return { settings, type };\n};\n\n\ninternals.notFound = function () {\n\n throw Boom.notFound();\n};\n\n\ninternals.badRequest = function () {\n\n throw Boom.badRequest();\n};\n\n\ninternals.onFinish = function (env) {\n\n const { core, req } = env;\n\n core.actives.delete(req.socket);\n if (!core.started) {\n req.socket.end();\n }\n};\n" }, { "path": "lib/cors.js", "content": "'use strict';\n\nconst Boom = require('@hapi/boom');\nconst Hoek = require('@hapi/hoek');\n\nlet Route = null; // Delayed load due to circular dependency\n\n\nconst internals = {};\n\n\nexports.route = function (options) {\n\n if (!options) {\n return false;\n }\n\n const settings = Hoek.clone(options);\n settings._headers = settings.headers.concat(settings.additionalHeaders);\n settings._headersString = settings._headers.join(',');\n for (let i = 0; i < settings._headers.length; ++i) {\n settings._headers[i] = settings._headers[i].toLowerCase();\n }\n\n if (settings._headers.indexOf('origin') === -1) {\n settings._headers.push('origin');\n }\n\n settings._exposedHeaders = settings.exposedHeaders.concat(settings.additionalExposedHeaders).join(',');\n\n if (settings.origin === 'ignore') {\n settings._origin = false;\n }\n else if (settings.origin.indexOf('*') !== -1) {\n Hoek.assert(settings.origin.length === 1, 'Cannot specify cors.origin * together with other values');\n settings._origin = true;\n }\n else {\n settings._origin = {\n qualified: [],\n wildcards: []\n };\n\n for (const origin of settings.origin) {\n if (origin.indexOf('*') !== -1) {\n settings._origin.wildcards.push(new RegExp('^' + Hoek.escapeRegex(origin).replace(/\\\\\\*/g, '.*').replace(/\\\\\\?/g, '.') + '$'));\n }\n else {\n settings._origin.qualified.push(origin);\n }\n }\n }\n\n return settings;\n};\n\n\nexports.options = function (route, server) {\n\n if (route.method === 'options' ||\n !route.settings.cors) {\n\n return;\n }\n\n exports.handler(server);\n};\n\n\nexports.handler = function (server) {\n\n Route = Route || require('./route');\n\n if (server._core.router.specials.options) {\n return;\n }\n\n const definition = {\n method: '_special',\n path: '/{p*}',\n handler: internals.handler,\n options: {\n cors: false\n }\n };\n\n const route = new Route(definition, server, { special: true });\n server._core.router.special('options', route);\n};\n\n\ninternals.handler = function (request, h) {\n\n // Validate CORS preflight request\n\n const method = request.headers['access-control-request-method'];\n if (!method) {\n throw Boom.notFound('CORS error: Missing Access-Control-Request-Method header');\n }\n\n // Lookup route\n\n const route = request.server.match(method, request.path, request.info.hostname);\n if (!route) {\n throw Boom.notFound();\n }\n\n const settings = route.settings.cors;\n if (!settings) {\n return { message: 'CORS is disabled for this route' };\n }\n\n // Validate Origin header\n\n const origin = request.headers.origin;\n\n if (!origin &&\n settings._origin !== false) {\n\n throw Boom.notFound('CORS error: Missing Origin header');\n }\n\n if (!exports.matchOrigin(origin, settings)) {\n return { message: 'CORS error: Origin not allowed' };\n }\n\n // Validate allowed headers\n\n let headers = request.headers['access-control-request-headers'];\n if (headers) {\n headers = headers.toLowerCase().split(/\\s*,\\s*/);\n if (Hoek.intersect(headers, settings._headers).length !== headers.length) {\n return { message: 'CORS error: Some headers are not allowed' };\n }\n }\n\n // Reply with the route CORS headers\n\n const response = h.response();\n response.code(settings.preflightStatusCode);\n response._header('access-control-allow-origin', settings._origin ? origin : '*');\n response._header('access-control-allow-methods', method);\n response._header('access-control-allow-headers', settings._headersString);\n response._header('access-control-max-age', settings.maxAge);\n\n if (settings.credentials) {\n response._header('access-control-allow-credentials', 'true');\n }\n\n if (settings._exposedHeaders) {\n response._header('access-control-expose-headers', settings._exposedHeaders);\n }\n\n return response;\n};\n\n\nexports.headers = function (response) {\n\n const request = response.request;\n const settings = request.route.settings.cors;\n\n if (settings._origin !== false) {\n response.vary('origin');\n }\n\n if ((request.info.cors && !request.info.cors.isOriginMatch) || // After route lookup\n !exports.matchOrigin(request.headers.origin, request.route.settings.cors)) { // Response from onRequest\n\n return;\n }\n\n response._header('access-control-allow-origin', settings._origin ? request.headers.origin : '*');\n\n if (settings.credentials) {\n response._header('access-control-allow-credentials', 'true');\n }\n\n if (settings._exposedHeaders) {\n response._header('access-control-expose-headers', settings._exposedHeaders, { append: true });\n }\n};\n\n\nexports.matchOrigin = function (origin, settings) {\n\n if (settings._origin === true ||\n settings._origin === false) {\n\n return true;\n }\n\n if (!origin) {\n return false;\n }\n\n if (settings._origin.qualified.indexOf(origin) !== -1) {\n return true;\n }\n\n for (const wildcard of settings._origin.wildcards) {\n if (origin.match(wildcard)) {\n return true;\n }\n }\n\n return false;\n};\n" }, { "path": "lib/ext.js", "content": "'use strict';\n\nconst Hoek = require('@hapi/hoek');\nconst Topo = require('@hapi/topo');\n\n\nconst internals = {};\n\n\nexports = module.exports = internals.Ext = class {\n\n type = null;\n nodes = null;\n\n #core = null;\n #routes = [];\n #topo = new Topo.Sorter();\n\n constructor(type, core) {\n\n this.#core = core;\n this.type = type;\n }\n\n add(event) {\n\n const methods = [].concat(event.method);\n for (const method of methods) {\n const settings = {\n before: event.options.before,\n after: event.options.after,\n group: event.realm.plugin,\n sort: this.#core.extensionsSeq++\n };\n\n const node = {\n func: method, // Request: function (request, h), Server: function (server)\n bind: event.options.bind,\n server: event.server, // Server event\n realm: event.realm,\n timeout: event.options.timeout\n };\n\n this.#topo.add(node, settings);\n }\n\n this.nodes = this.#topo.nodes;\n\n // Notify routes\n\n for (const route of this.#routes) {\n route.rebuild(event);\n }\n }\n\n merge(others) {\n\n const merge = [];\n for (const other of others) {\n merge.push(other.#topo);\n }\n\n this.#topo.merge(merge);\n this.nodes = this.#topo.nodes.length ? this.#topo.nodes : null;\n }\n\n subscribe(route) {\n\n this.#routes.push(route);\n }\n\n static combine(route, type) {\n\n const ext = new internals.Ext(type, route._core);\n\n const events = route.settings.ext[type];\n if (events) {\n for (let event of events) {\n event = Object.assign({}, event); // Shallow cloned\n Hoek.assert(!event.options.sandbox, 'Cannot specify sandbox option for route extension');\n event.realm = route.realm;\n ext.add(event);\n }\n }\n\n const server = route._core.extensions.route[type];\n const realm = route.realm._extensions[type];\n\n ext.merge([server, realm]);\n\n server.subscribe(route);\n realm.subscribe(route);\n\n return ext;\n }\n};\n" }, { "path": "lib/handler.js", "content": "'use strict';\n\nconst Hoek = require('@hapi/hoek');\n\n\nconst internals = {};\n\n\nexports.execute = async function (request) {\n\n // Prerequisites\n\n if (request._route._prerequisites) {\n for (const set of request._route._prerequisites) { // Serial execution of each set\n const pres = [];\n for (const item of set) {\n pres.push(internals.handler(request, item.method, item));\n }\n\n const responses = await Promise.all(pres); // Parallel execution within sets\n for (const response of responses) {\n if (response !== undefined) {\n return response;\n }\n }\n }\n }\n\n // Handler\n\n const result = await internals.handler(request, request.route.settings.handler);\n if (result._takeover ||\n typeof result === 'symbol') {\n\n return result;\n }\n\n request._setResponse(result);\n};\n\n\ninternals.handler = async function (request, method, pre) {\n\n const bind = request.route.settings.bind;\n const realm = request.route.realm;\n let response = await request._core.toolkit.execute(method, request, { bind, realm, continue: 'null' });\n\n // Handler\n\n if (!pre) {\n if (response.isBoom) {\n request._log(['handler', 'error'], response);\n throw response;\n }\n\n return response;\n }\n\n // Pre\n\n if (response.isBoom) {\n response.assign = pre.assign;\n response = await request._core.toolkit.failAction(request, pre.failAction, response, { tags: ['pre', 'error'], retain: true });\n }\n\n if (typeof response === 'symbol') {\n return response;\n }\n\n if (pre.assign) {\n request.pre[pre.assign] = (response.isBoom ? response : response.source);\n request.preResponses[pre.assign] = response;\n }\n\n if (response._takeover) {\n return response;\n }\n};\n\n\nexports.defaults = function (method, handler, core) {\n\n let defaults = null;\n\n if (typeof handler === 'object') {\n const type = Object.keys(handler)[0];\n const serverHandler = core.decorations.handler.get(type);\n\n Hoek.assert(serverHandler, 'Unknown handler:', type);\n\n if (serverHandler.defaults) {\n defaults = (typeof serverHandler.defaults === 'function' ? serverHandler.defaults(method) : serverHandler.defaults);\n }\n }\n\n return defaults ?? {};\n};\n\n\nexports.configure = function (handler, route) {\n\n if (typeof handler === 'object') {\n const type = Object.keys(handler)[0];\n const serverHandler = route._core.decorations.handler.get(type);\n\n Hoek.assert(serverHandler, 'Unknown handler:', type);\n\n return serverHandler(route.public, handler[type]);\n }\n\n return handler;\n};\n\n\nexports.prerequisitesConfig = function (config) {\n\n if (!config) {\n return null;\n }\n\n /*\n [\n [\n function (request, h) { },\n {\n method: function (request, h) { }\n assign: key1\n },\n {\n method: function (request, h) { },\n assign: key2\n }\n ],\n {\n method: function (request, h) { },\n assign: key3\n }\n ]\n */\n\n const prerequisites = [];\n\n for (let pres of config) {\n pres = [].concat(pres);\n\n const set = [];\n for (let pre of pres) {\n if (typeof pre !== 'object') {\n pre = { method: pre };\n }\n\n const item = {\n method: pre.method,\n assign: pre.assign,\n failAction: pre.failAction ?? 'error'\n };\n\n set.push(item);\n }\n\n prerequisites.push(set);\n }\n\n return prerequisites.length ? prerequisites : null;\n};\n" }, { "path": "lib/headers.js", "content": "'use strict';\n\n\nconst Stream = require('stream');\n\nconst Boom = require('@hapi/boom');\n\n\nconst internals = {};\n\n\nexports.cache = function (response) {\n\n const request = response.request;\n if (response.headers['cache-control']) {\n return;\n }\n\n const settings = request.route.settings.cache;\n const policy = settings && request._route._cache && (settings._statuses.has(response.statusCode) || (response.statusCode === 304 && settings._statuses.has(200)));\n\n if (policy ||\n response.settings.ttl) {\n\n const ttl = response.settings.ttl !== null ? response.settings.ttl : request._route._cache.ttl();\n const privacy = request.auth.isAuthenticated || response.headers['set-cookie'] ? 'private' : settings.privacy ?? 'default';\n response._header('cache-control', 'max-age=' + Math.floor(ttl / 1000) + ', must-revalidate' + (privacy !== 'default' ? ', ' + privacy : ''));\n }\n else if (settings) {\n response._header('cache-control', settings.otherwise);\n }\n};\n\n\nexports.content = async function (response) {\n\n const request = response.request;\n if (response._isPayloadSupported() ||\n request.method === 'head') {\n\n await response._marshal();\n\n if (typeof response._payload.size === 'function') {\n response._header('content-length', response._payload.size(), { override: false });\n }\n\n if (!response._isPayloadSupported()) {\n response._close(); // Close unused file streams\n response._payload = new internals.Empty(); // Set empty stream\n }\n\n exports.type(response);\n }\n else {\n\n // Set empty stream\n\n response._close(); // Close unused file streams\n response._payload = new internals.Empty();\n delete response.headers['content-length'];\n }\n};\n\n\nexports.state = async function (response) {\n\n const request = response.request;\n const states = [];\n\n for (const stateName in request._states) {\n states.push(request._states[stateName]);\n }\n\n try {\n for (const name in request._core.states.cookies) {\n const autoValue = request._core.states.cookies[name].autoValue;\n if (!autoValue || name in request._states || name in request.state) {\n continue;\n }\n\n if (typeof autoValue !== 'function') {\n states.push({ name, value: autoValue });\n continue;\n }\n\n const value = await autoValue(request);\n states.push({ name, value });\n }\n\n if (!states.length) {\n return;\n }\n\n let header = await request._core.states.format(states, request);\n const existing = response.headers['set-cookie'];\n if (existing) {\n header = (Array.isArray(existing) ? existing : [existing]).concat(header);\n }\n\n response._header('set-cookie', header);\n }\n catch (err) {\n const error = Boom.boomify(err);\n request._log(['state', 'response', 'error'], error);\n request._states = {}; // Clear broken state\n throw error;\n }\n};\n\n\nexports.type = function (response) {\n\n const type = response.contentType;\n if (type !== null && type !== response.headers['content-type']) {\n response.type(type);\n }\n};\n\n\nexports.entity = function (response) {\n\n const request = response.request;\n\n if (!request._entity) {\n return;\n }\n\n if (request._entity.etag &&\n !response.headers.etag) {\n\n response.etag(request._entity.etag, { vary: request._entity.vary });\n }\n\n if (request._entity.modified &&\n !response.headers['last-modified']) {\n\n response.header('last-modified', request._entity.modified);\n }\n};\n\n\nexports.unmodified = function (response) {\n\n const request = response.request;\n if (response.statusCode === 304) {\n return;\n }\n\n const entity = {\n etag: response.headers.etag,\n vary: response.settings.varyEtag,\n modified: response.headers['last-modified']\n };\n\n const etag = request._core.Response.unmodified(request, entity);\n if (etag) {\n response.code(304);\n\n if (etag !== true) { // Override etag with incoming weak match\n response.headers.etag = etag;\n }\n }\n};\n\n\ninternals.Empty = class extends Stream.Readable {\n\n _read(/* size */) {\n\n this.push(null);\n }\n\n writeToStream(stream) {\n\n stream.end();\n }\n};\n" }, { "path": "lib/index.d.ts", "content": "export * from './types';\n" }, { "path": "lib/index.js", "content": "'use strict';\n\nconst Server = require('./server');\n\n\nconst internals = {};\n\n\nexports.Server = Server;\n\nexports.server = Server;\n" }, { "path": "lib/methods.js", "content": "'use strict';\n\nconst Boom = require('@hapi/boom');\nconst Hoek = require('@hapi/hoek');\n\nconst Config = require('./config');\n\n\nconst internals = {\n methodNameRx: /^[_$a-zA-Z][$\\w]*(?:\\.[_$a-zA-Z][$\\w]*)*$/\n};\n\n\nexports = module.exports = internals.Methods = class {\n\n methods = {};\n\n #core = null;\n\n constructor(core) {\n\n this.#core = core;\n }\n\n add(name, method, options, realm) {\n\n if (typeof name !== 'object') {\n return this._add(name, method, options, realm);\n }\n\n // {} or [{}, {}]\n\n const items = [].concat(name);\n for (let item of items) {\n item = Config.apply('methodObject', item);\n this._add(item.name, item.method, item.options ?? {}, realm);\n }\n }\n\n _add(name, method, options, realm) {\n\n Hoek.assert(typeof method === 'function', 'method must be a function');\n Hoek.assert(typeof name === 'string', 'name must be a string');\n Hoek.assert(name.match(internals.methodNameRx), 'Invalid name:', name);\n Hoek.assert(!Hoek.reach(this.methods, name, { functions: false }), 'Server method function name already exists:', name);\n\n options = Config.apply('method', options, name);\n\n const settings = Hoek.clone(options, { shallow: ['bind'] });\n settings.generateKey = settings.generateKey ?? internals.generateKey;\n\n const bind = settings.bind ?? realm.settings.bind ?? null;\n const bound = !bind ? method : (...args) => method.apply(bind, args);\n\n // Not cached\n\n if (!settings.cache) {\n return this._assign(name, bound);\n }\n\n // Cached\n\n Hoek.assert(!settings.cache.generateFunc, 'Cannot set generateFunc with method caching:', name);\n Hoek.assert(settings.cache.generateTimeout !== undefined, 'Method caching requires a timeout value in generateTimeout:', name);\n\n settings.cache.generateFunc = (id, flags) => bound(...id.args, flags);\n const cache = this.#core._cachePolicy(settings.cache, '#' + name);\n\n const func = function (...args) {\n\n const key = settings.generateKey.apply(bind, args);\n if (typeof key !== 'string') {\n return Promise.reject(Boom.badImplementation('Invalid method key when invoking: ' + name, { name, args }));\n }\n\n return cache.get({ id: key, args });\n };\n\n func.cache = {\n drop: function (...args) {\n\n const key = settings.generateKey.apply(bind, args);\n if (typeof key !== 'string') {\n return Promise.reject(Boom.badImplementation('Invalid method key when invoking: ' + name, { name, args }));\n }\n\n return cache.drop(key);\n },\n stats: cache.stats\n };\n\n this._assign(name, func, func);\n }\n\n _assign(name, method) {\n\n const path = name.split('.');\n let ref = this.methods;\n for (let i = 0; i < path.length; ++i) {\n if (!ref[path[i]]) {\n ref[path[i]] = (i + 1 === path.length ? method : {});\n }\n\n ref = ref[path[i]];\n }\n }\n};\n\n\ninternals.supportedArgs = ['string', 'number', 'boolean'];\n\n\ninternals.generateKey = function (...args) {\n\n let key = '';\n for (let i = 0; i < args.length; ++i) {\n const arg = args[i];\n if (!internals.supportedArgs.includes(typeof arg)) {\n return null;\n }\n\n key = key + (i ? ':' : '') + encodeURIComponent(arg.toString());\n }\n\n return key;\n};\n" }, { "path": "lib/request.js", "content": "'use strict';\n\nconst Querystring = require('querystring');\nconst Url = require('url');\n\nconst Boom = require('@hapi/boom');\nconst Bounce = require('@hapi/bounce');\nconst Hoek = require('@hapi/hoek');\nconst Podium = require('@hapi/podium');\n\nconst Cors = require('./cors');\nconst Toolkit = require('./toolkit');\nconst Transmit = require('./transmit');\n\n\nconst internals = {\n events: Podium.validate(['finish', { name: 'peek', spread: true }, 'disconnect']),\n reserved: ['server', 'url', 'query', 'path', 'method', 'mime', 'setUrl', 'setMethod', 'headers', 'id', 'app', 'plugins', 'route', 'auth', 'pre', 'preResponses', 'info', 'isInjected', 'orig', 'params', 'paramsArray', 'payload', 'state', 'response', 'raw', 'domain', 'log', 'logs', 'generateResponse']\n};\n\n\nexports = module.exports = internals.Request = class {\n\n constructor(server, req, res, options) {\n\n this._allowInternals = !!options.allowInternals;\n this._closed = false; // true once the response has closed (esp. early) and will not emit any more events\n this._core = server._core;\n this._entity = null; // Entity information set via h.entity()\n this._eventContext = { request: this };\n this._events = null; // Assigned an emitter when request.events is accessed\n this._expectContinue = !!options.expectContinue;\n this._isInjected = !!options.isInjected;\n this._isPayloadPending = !!(req.headers['content-length'] || req.headers['transfer-encoding']); // Changes to false when incoming payload fully processed\n this._isReplied = false; // true when response processing started\n this._route = this._core.router.specials.notFound.route; // Used prior to routing (only settings are used, not the handler)\n this._serverTimeoutId = null;\n this._states = {};\n this._url = null;\n this._urlError = null;\n\n this.app = options.app ? Object.assign({}, options.app) : {}; // Place for application-specific state without conflicts with hapi, should not be used by plugins (shallow cloned)\n this.headers = req.headers;\n this.logs = [];\n this.method = req.method.toLowerCase();\n this.mime = null;\n this.orig = {};\n this.params = null;\n this.paramsArray = null; // Array of path parameters in path order\n this.path = null;\n this.payload = undefined;\n this.plugins = options.plugins ? Object.assign({}, options.plugins) : {}; // Place for plugins to store state without conflicts with hapi, should be namespaced using plugin name (shallow cloned)\n this.pre = {}; // Pre raw values\n this.preResponses = {}; // Pre response values\n this.raw = { req, res };\n this.response = null;\n this.route = this._route.public;\n this.query = null;\n this.server = server;\n this.state = null;\n\n this.info = new internals.Info(this);\n\n this.auth = {\n isAuthenticated: false,\n isAuthorized: false,\n isInjected: options.auth ? true : false,\n [internals.Request.symbols.authPayload]: options.auth?.payload ?? true,\n credentials: options.auth?.credentials ?? null, // Special keys: 'app', 'user', 'scope'\n artifacts: options.auth?.artifacts ?? null, // Scheme-specific artifacts\n strategy: options.auth?.strategy ?? null,\n mode: null,\n error: null\n };\n\n // Parse request url\n\n this._initializeUrl();\n }\n\n static generate(server, req, res, options) {\n\n const request = new server._core.Request(server, req, res, options);\n\n // Decorate\n\n if (server._core.decorations.requestApply) {\n for (const [property, assignment] of server._core.decorations.requestApply.entries()) {\n request[property] = assignment(request);\n }\n }\n\n request._listen();\n return request;\n }\n\n get events() {\n\n if (!this._events) {\n this._events = new Podium.Podium(internals.events);\n }\n\n return this._events;\n }\n\n get isInjected() {\n\n return this._isInjected;\n }\n\n get url() {\n\n if (this._urlError) {\n return null;\n }\n\n if (this._url) {\n return this._url;\n }\n\n return this._parseUrl(this.raw.req.url, this._core.settings.router);\n }\n\n _initializeUrl() {\n\n try {\n this._setUrl(this.raw.req.url, this._core.settings.router.stripTrailingSlash, { fast: true });\n }\n catch (err) {\n this.path = this.raw.req.url;\n this.query = {};\n\n this._urlError = Boom.boomify(err, { statusCode: 400, override: false });\n }\n }\n\n setUrl(url, stripTrailingSlash) {\n\n Hoek.assert(this.params === null, 'Cannot change request URL after routing');\n\n if (url instanceof Url.URL) {\n url = url.href;\n }\n\n Hoek.assert(typeof url === 'string', 'Url must be a string or URL object');\n\n this._setUrl(url, stripTrailingSlash, { fast: false });\n }\n\n _setUrl(source, stripTrailingSlash, { fast }) {\n\n const url = this._parseUrl(source, { stripTrailingSlash, _fast: fast });\n this.query = this._parseQuery(url.searchParams);\n this.path = url.pathname;\n }\n\n _parseUrl(source, options) {\n\n if (source[0] === '/') {\n\n // Relative URL\n\n if (options._fast) {\n const url = {\n pathname: source,\n searchParams: ''\n };\n\n const q = source.indexOf('?');\n const h = source.indexOf('#');\n\n if (q !== -1 &&\n (h === -1 || q < h)) {\n\n url.pathname = source.slice(0, q);\n const query = h === -1 ? source.slice(q + 1) : source.slice(q + 1, h);\n url.searchParams = Querystring.parse(query);\n }\n else {\n url.pathname = h === -1 ? source : source.slice(0, h);\n }\n\n this._normalizePath(url, options);\n return url;\n }\n\n const host = this.info.host || this._formatIpv6Host(this._core.info.host, this._core.info.port);\n\n this._url = new Url.URL(`${this._core.info.protocol}://${host}${source}`);\n }\n else {\n\n // Absolute URI (proxied)\n\n this._url = new Url.URL(source);\n this.info.hostname = this._url.hostname;\n this.info.host = this._url.host;\n }\n\n this._normalizePath(this._url, options);\n this._urlError = null;\n\n return this._url;\n }\n\n _isBareIpv6(host) {\n\n // An IPv6 address contains at least two colons.\n\n return /:[^:]*:/.test(host);\n }\n\n _formatIpv6Host(host, port) {\n\n return this._isBareIpv6(host) ? `[${host}]:${port}` : `${host}:${port}`;\n }\n\n _normalizePath(url, options) {\n\n let path = this._core.router.normalize(url.pathname);\n\n if (options.stripTrailingSlash &&\n path.length > 1 &&\n path[path.length - 1] === '/') {\n\n path = path.slice(0, -1);\n }\n\n url.pathname = path;\n }\n\n _parseQuery(searchParams) {\n\n let query = Object.create(null);\n\n // Flatten map\n\n if (searchParams instanceof Url.URLSearchParams) {\n for (let [key, value] of searchParams) {\n const entry = query[key];\n if (entry !== undefined) {\n value = [].concat(entry, value);\n }\n\n query[key] = value;\n }\n }\n else {\n query = Object.assign(query, searchParams);\n }\n\n // Custom parser\n\n const parser = this._core.settings.query.parser;\n if (parser) {\n query = parser(query);\n if (!query ||\n typeof query !== 'object') {\n\n throw Boom.badImplementation('Parsed query must be an object');\n }\n }\n\n return query;\n }\n\n setMethod(method) {\n\n Hoek.assert(this.params === null, 'Cannot change request method after routing');\n Hoek.assert(method && typeof method === 'string', 'Missing method');\n\n this.method = method.toLowerCase();\n }\n\n active() {\n\n return !!this._eventContext.request;\n }\n\n async _execute() {\n\n this.info.acceptEncoding = this._core.compression.accept(this);\n\n try {\n await this._onRequest();\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n return this._reply(err);\n }\n\n this._lookup();\n this._setTimeouts();\n await this._lifecycle();\n this._reply();\n }\n\n async _onRequest() {\n\n // onRequest (can change request method and url)\n\n if (this._core.extensions.route.onRequest.nodes) {\n const response = await this._invoke(this._core.extensions.route.onRequest);\n if (response) {\n if (!internals.skip(response)) {\n throw Boom.badImplementation('onRequest extension methods must return an error, a takeover response, or a continue signal');\n }\n\n throw response;\n }\n }\n\n // Validate path\n\n if (this._urlError) {\n throw this._urlError;\n }\n }\n\n _listen() {\n\n if (this._isPayloadPending) {\n this.raw.req.on('end', internals.event.bind(this.raw.req, this._eventContext, 'end'));\n }\n\n this.raw.res.on('close', internals.event.bind(this.raw.res, this._eventContext, 'close'));\n this.raw.req.on('error', internals.event.bind(this.raw.req, this._eventContext, 'error'));\n this.raw.req.on('aborted', internals.event.bind(this.raw.req, this._eventContext, 'abort'));\n this.raw.res.once('close', internals.closed.bind(this.raw.res, this));\n }\n\n _lookup() {\n\n const match = this._core.router.route(this.method, this.path, this.info.hostname);\n if (!match.route.settings.isInternal ||\n this._allowInternals) {\n\n this._route = match.route;\n this.route = this._route.public;\n }\n\n this.params = match.params ?? {};\n this.paramsArray = match.paramsArray ?? [];\n\n if (this.route.settings.cors) {\n this.info.cors = {\n isOriginMatch: Cors.matchOrigin(this.headers.origin, this.route.settings.cors)\n };\n }\n }\n\n _setTimeouts() {\n\n if (this.raw.req.socket &&\n this.route.settings.timeout.socket !== undefined) {\n\n this.raw.req.socket.setTimeout(this.route.settings.timeout.socket || 0); // Value can be false or positive\n }\n\n let serverTimeout = this.route.settings.timeout.server;\n if (!serverTimeout) {\n return;\n }\n\n const elapsed = Date.now() - this.info.received;\n serverTimeout = Math.floor(serverTimeout - elapsed); // Calculate the timeout from when the request was constructed\n\n if (serverTimeout <= 0) {\n internals.timeoutReply(this, serverTimeout);\n return;\n }\n\n this._serverTimeoutId = setTimeout(internals.timeoutReply, serverTimeout, this, serverTimeout);\n }\n\n async _lifecycle() {\n\n for (const func of this._route._cycle) {\n if (this._isReplied) {\n return;\n }\n\n try {\n var response = await (typeof func === 'function' ? func(this) : this._invoke(func));\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n response = this._core.Response.wrap(err, this);\n }\n\n if (!response ||\n response === Toolkit.symbols.continue) { // Continue\n\n continue;\n }\n\n if (!internals.skip(response)) {\n response = Boom.badImplementation('Lifecycle methods called before the handler can only return an error, a takeover response, or a continue signal');\n }\n\n this._setResponse(response);\n return;\n }\n }\n\n async _invoke(event, options = {}) {\n\n for (const ext of event.nodes) {\n const realm = ext.realm;\n const bind = ext.bind ?? realm.settings.bind;\n const response = await this._core.toolkit.execute(ext.func, this, { bind, realm, timeout: ext.timeout, name: event.type, ignoreResponse: options.ignoreResponse });\n\n if (options.ignoreResponse) {\n if (Boom.isBoom(response)) {\n this._log(['ext', 'error'], response);\n }\n\n continue;\n }\n\n if (response === Toolkit.symbols.continue) {\n continue;\n }\n\n if (internals.skip(response) ||\n this.response === null) {\n\n return response;\n }\n\n this._setResponse(response);\n }\n }\n\n async _reply(exit) {\n\n if (this._isReplied) { // Prevent any future responses to this request\n return;\n }\n\n this._isReplied = true;\n\n if (this._serverTimeoutId) {\n clearTimeout(this._serverTimeoutId);\n }\n\n if (exit) { // Can be a valid response or error (if returned from an ext, already handled because this.response is also set)\n this._setResponse(this._core.Response.wrap(exit, this)); // Wrap to ensure any object thrown is always a valid Boom or Response object\n }\n\n if (!this._eventContext.request) {\n this._finalize();\n return;\n }\n\n if (typeof this.response === 'symbol') { // close or abandon\n this._abort();\n return;\n }\n\n await this._postCycle();\n\n if (!this._eventContext.request ||\n typeof this.response === 'symbol') { // close or abandon\n\n this._abort();\n return;\n }\n\n await Transmit.send(this);\n this._finalize();\n }\n\n async _postCycle() {\n\n for (const func of this._route._postCycle) {\n if (!this._eventContext.request) {\n return;\n }\n\n try {\n var response = await (typeof func === 'function' ? func(this) : this._invoke(func));\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n response = this._core.Response.wrap(err, this);\n }\n\n if (response &&\n response !== Toolkit.symbols.continue) { // Continue\n\n this._setResponse(response);\n }\n }\n }\n\n _abort() {\n\n if (this.response === Toolkit.symbols.close) {\n this.raw.res.end(); // End the response in case it wasn't already closed\n }\n\n this._finalize();\n }\n\n _finalize() {\n\n this._eventContext.request = null; // Disable req events\n\n if (this.response._close) {\n if (this.response.statusCode === 500 &&\n this.response._error) {\n\n const tags = this.response._error.isDeveloperError ? ['internal', 'implementation', 'error'] : ['internal', 'error'];\n this._log(tags, this.response._error, 'error');\n }\n\n this.response._close();\n }\n\n this.info.completed = Date.now();\n\n this._core.events.emit('response', this);\n\n if (this._route._extensions.onPostResponse.nodes) {\n this._invoke(this._route._extensions.onPostResponse, { ignoreResponse: true });\n }\n }\n\n _setResponse(response) {\n\n if (this.response &&\n !this.response.isBoom &&\n this.response !== response &&\n this.response.source !== response.source) {\n\n this.response._close?.();\n }\n\n if (this.info.completed) {\n response._close?.();\n\n return;\n }\n\n this.response = response;\n }\n\n _setState(name, value, options) {\n\n const state = { name, value };\n if (options) {\n Hoek.assert(!options.autoValue, 'Cannot set autoValue directly in a response');\n state.options = Hoek.clone(options);\n }\n\n this._states[name] = state;\n }\n\n _clearState(name, options = {}) {\n\n const state = { name };\n\n state.options = Hoek.clone(options);\n state.options.ttl = 0;\n\n this._states[name] = state;\n }\n\n _tap() {\n\n if (!this._events) {\n return null;\n }\n\n if (this._events.hasListeners('peek') ||\n this._events.hasListeners('finish')) {\n\n return new this._core.Response.Peek(this._events);\n }\n\n return null;\n }\n\n log(tags, data) {\n\n return this._log(tags, data, 'app');\n }\n\n _log(tags, data, channel = 'internal') {\n\n if (!this._core.events.hasListeners('request') &&\n !this.route.settings.log.collect) {\n\n return;\n }\n\n if (!Array.isArray(tags)) {\n tags = [tags];\n }\n\n const timestamp = Date.now();\n const field = data instanceof Error ? 'error' : 'data';\n\n let event = [this, { request: this.info.id, timestamp, tags, [field]: data, channel }];\n if (typeof data === 'function') {\n event = () => [this, { request: this.info.id, timestamp, tags, data: data(), channel }];\n }\n\n if (this.route.settings.log.collect) {\n if (typeof data === 'function') {\n event = event();\n }\n\n this.logs.push(event[1]);\n }\n\n this._core.events.emit({ name: 'request', channel, tags }, event);\n }\n\n generateResponse(source, options) {\n\n return new this._core.Response(source, this, options);\n }\n};\n\n\ninternals.Request.reserved = internals.reserved;\n\ninternals.Request.symbols = {\n authPayload: Symbol('auth.payload')\n};\n\ninternals.Info = class {\n\n constructor(request) {\n\n this._request = request;\n\n const req = request.raw.req;\n const host = (req.headers.host || req.headers[':authority'] || '').trim();\n const received = Date.now();\n\n this.received = received;\n this.referrer = req.headers.referrer || req.headers.referer || '';\n this.host = host;\n this.hostname = /^(.*?)(?::\\d+)?$/.exec(host)[1];\n this.id = `${received}:${request._core.info.id}:${request._core._counter()}`;\n\n this._remoteAddress = null;\n this._remotePort = null;\n\n // Assigned later\n\n this.acceptEncoding = null;\n this.cors = null;\n this.responded = 0;\n this.completed = 0;\n\n if (request._core.settings.info.remote) {\n this.remoteAddress;\n this.remotePort;\n }\n }\n\n get remoteAddress() {\n\n if (!this._remoteAddress) {\n const ipv6Prefix = '::ffff:';\n const socketAddress = this._request.raw.req.socket.remoteAddress;\n if (socketAddress && socketAddress.startsWith(ipv6Prefix) && socketAddress.includes('.', ipv6Prefix.length)) {\n // Normalize IPv4-mapped IPv6 address, e.g. ::ffff:127.0.0.1 -> 127.0.0.1\n this._remoteAddress = socketAddress.slice(ipv6Prefix.length);\n }\n else {\n this._remoteAddress = socketAddress;\n }\n }\n\n return this._remoteAddress;\n }\n\n get remotePort() {\n\n if (this._remotePort === null) {\n this._remotePort = this._request.raw.req.socket.remotePort || '';\n }\n\n return this._remotePort;\n }\n\n toJSON() {\n\n return {\n acceptEncoding: this.acceptEncoding,\n completed: this.completed,\n cors: this.cors,\n host: this.host,\n hostname: this.hostname,\n id: this.id,\n received: this.received,\n referrer: this.referrer,\n remoteAddress: this.remoteAddress,\n remotePort: this.remotePort,\n responded: this.responded\n };\n }\n};\n\n\ninternals.closed = function (request) {\n\n request._closed = true;\n};\n\ninternals.event = function ({ request }, event, err) {\n\n if (!request) {\n return;\n }\n\n request._isPayloadPending = false;\n\n if (event === 'close' &&\n request.raw.res.writableEnded) {\n\n return;\n }\n\n if (event === 'end') {\n return;\n }\n\n request._log(err ? ['request', 'error'] : ['request', 'error', event], err);\n\n if (event === 'error') {\n return;\n }\n\n request._eventContext.request = null;\n\n if (event === 'abort') {\n\n // Calling _reply() means that the abort is applied immediately, unless the response has already\n // called _reply(), in which case this call is ignored and the transmit logic is responsible for\n // handling the abort.\n\n request._reply(new Boom.Boom('Request aborted', { statusCode: request.route.settings.response.disconnectStatusCode, data: request.response }));\n\n if (request._events) {\n request._events.emit('disconnect');\n }\n }\n};\n\n\ninternals.timeoutReply = function (request, timeout) {\n\n const elapsed = Date.now() - request.info.received;\n request._log(['request', 'server', 'timeout', 'error'], { timeout, elapsed });\n request._reply(Boom.serverUnavailable());\n};\n\n\ninternals.skip = function (response) {\n\n return response.isBoom || response._takeover || typeof response === 'symbol';\n};\n" }, { "path": "lib/response.js", "content": "'use strict';\n\nconst Stream = require('stream');\n\nconst Boom = require('@hapi/boom');\nconst Bounce = require('@hapi/bounce');\nconst Hoek = require('@hapi/hoek');\nconst Podium = require('@hapi/podium');\n\nconst Streams = require('./streams');\n\n\nconst internals = {\n events: Podium.validate(['finish', { name: 'peek', spread: true }]),\n hopByHop: {\n connection: true,\n 'keep-alive': true,\n 'proxy-authenticate': true,\n 'proxy-authorization': true,\n 'te': true,\n 'trailer': true,\n 'transfer-encoding': true,\n 'upgrade': true\n },\n reserved: ['app', 'headers', 'plugins', 'request', 'source', 'statusCode', 'variety',\n 'settings', 'events', 'code', 'message', 'header', 'vary', 'etag', 'type', 'contentType',\n 'bytes', 'location', 'created', 'compressed', 'replacer', 'space', 'suffix', 'escape',\n 'passThrough', 'redirect', 'temporary', 'permanent', 'rewritable', 'encoding', 'charset',\n 'ttl', 'state', 'unstate', 'takeover']\n};\n\n\nexports = module.exports = internals.Response = class {\n\n constructor(source, request, options = {}) {\n\n this.app = {};\n this.headers = {}; // Incomplete as some headers are stored in flags\n this.plugins = {};\n this.request = request;\n this.source = null;\n this.statusCode = null;\n this.variety = null;\n\n this.settings = {\n charset: 'utf-8', // '-' required by IANA\n compressed: null,\n encoding: 'utf8',\n message: null,\n passThrough: true,\n stringify: null, // JSON.stringify options\n ttl: null,\n varyEtag: false\n };\n\n this._events = null;\n this._payload = null; // Readable stream\n this._error = options.error ?? null; // The boom object when created from an error (used for logging)\n this._contentType = null; // Used if no explicit content-type is set and type is known\n this._takeover = false;\n this._statusCode = false; // true when code() called\n this._state = this._error ? 'prepare' : 'init'; // One of 'init', 'prepare', 'marshall', 'close'\n\n this._processors = {\n marshal: options.marshal,\n prepare: options.prepare,\n close: options.close\n };\n\n this._setSource(source, options.variety);\n }\n\n static wrap(result, request) {\n\n if (result instanceof request._core.Response ||\n typeof result === 'symbol') {\n\n return result;\n }\n\n if (result instanceof Error) {\n return Boom.boomify(result);\n }\n\n return new request._core.Response(result, request);\n }\n\n _setSource(source, variety) {\n\n // Method must not set any headers or other properties as source can change later\n\n this.variety = variety ?? 'plain';\n\n if (source === null ||\n source === undefined) {\n\n source = null;\n }\n else if (Buffer.isBuffer(source)) {\n this.variety = 'buffer';\n this._contentType = 'application/octet-stream';\n }\n else if (Streams.isStream(source)) {\n this.variety = 'stream';\n this._contentType = 'application/octet-stream';\n }\n\n this.source = source;\n\n if (this.variety === 'plain' &&\n this.source !== null) {\n\n this._contentType = typeof this.source === 'string' ? 'text/html' : 'application/json';\n }\n }\n\n get events() {\n\n if (!this._events) {\n this._events = new Podium.Podium(internals.events);\n }\n\n return this._events;\n }\n\n code(statusCode) {\n\n Hoek.assert(Number.isSafeInteger(statusCode), 'Status code must be an integer');\n\n this.statusCode = statusCode;\n this._statusCode = true;\n\n return this;\n }\n\n message(httpMessage) {\n\n this.settings.message = httpMessage;\n return this;\n }\n\n header(key, value, options) {\n\n key = key.toLowerCase();\n if (key === 'vary') {\n return this.vary(value);\n }\n\n return this._header(key, value, options);\n }\n\n _header(key, value, options = {}) {\n\n const append = options.append ?? false;\n const separator = options.separator || ',';\n const override = options.override !== false;\n const duplicate = options.duplicate !== false;\n\n if (!append && override ||\n !this.headers[key]) {\n\n this.headers[key] = value;\n }\n else if (override) {\n if (key === 'set-cookie') {\n this.headers[key] = [].concat(this.headers[key], value);\n }\n else {\n const existing = this.headers[key];\n if (!duplicate) {\n const values = existing.split(separator);\n for (const v of values) {\n if (v === value) {\n return this;\n }\n }\n }\n\n this.headers[key] = existing + separator + value;\n }\n }\n\n return this;\n }\n\n vary(value) {\n\n if (value === '*') {\n this.headers.vary = '*';\n }\n else if (!this.headers.vary) {\n this.headers.vary = value;\n }\n else if (this.headers.vary !== '*') {\n this._header('vary', value, { append: true, duplicate: false });\n }\n\n return this;\n }\n\n etag(tag, options) {\n\n const entity = this.request._core.Response.entity(tag, options);\n this._header('etag', entity.etag);\n this.settings.varyEtag = entity.vary;\n return this;\n }\n\n static entity(tag, options = {}) {\n\n Hoek.assert(tag !== '*', 'ETag cannot be *');\n\n return {\n etag: (options.weak ? 'W/' : '') + '\"' + tag + '\"',\n vary: options.vary !== false && !options.weak, // vary defaults to true\n modified: options.modified\n };\n }\n\n static unmodified(request, entity) {\n\n if (request.method !== 'get' &&\n request.method !== 'head') {\n\n return false;\n }\n\n // Strong verifier\n\n if (entity.etag &&\n request.headers['if-none-match']) {\n\n const ifNoneMatch = request.headers['if-none-match'].split(/\\s*,\\s*/);\n for (const etag of ifNoneMatch) {\n\n // Compare tags (https://tools.ietf.org/html/rfc7232#section-2.3.2)\n\n if (etag === entity.etag) { // Strong comparison\n return true;\n }\n\n if (!entity.vary) {\n continue;\n }\n\n if (etag === `W/${entity.etag}`) { // Weak comparison\n return etag;\n }\n\n const etagBase = entity.etag.slice(0, -1);\n const encoders = request._core.compression.encodings;\n for (const encoder of encoders) {\n if (etag === etagBase + `-${encoder}\"`) {\n return true;\n }\n }\n }\n\n return false;\n }\n\n // Weak verifier\n\n if (!entity.modified) {\n return false;\n }\n\n const ifModifiedSinceHeader = request.headers['if-modified-since'];\n if (!ifModifiedSinceHeader) {\n return false;\n }\n\n const ifModifiedSince = internals.parseDate(ifModifiedSinceHeader);\n if (!ifModifiedSince) {\n return false;\n }\n\n const lastModified = internals.parseDate(entity.modified);\n if (!lastModified) {\n return false;\n }\n\n return ifModifiedSince >= lastModified;\n }\n\n type(type) {\n\n this._header('content-type', type);\n return this;\n }\n\n get contentType() {\n\n let type = this.headers['content-type'];\n if (type) {\n type = type.trim();\n if (this.settings.charset &&\n type.match(/^(?:text\\/)|(?:application\\/(?:json)|(?:javascript))/) &&\n !type.match(/; *charset=/)) {\n\n const semi = type[type.length - 1] === ';';\n return type + (semi ? ' ' : '; ') + 'charset=' + this.settings.charset;\n }\n\n return type;\n }\n\n if (this._contentType) {\n const charset = this.settings.charset && this._contentType !== 'application/octet-stream' ? '; charset=' + this.settings.charset : '';\n return this._contentType + charset;\n }\n\n return null;\n }\n\n bytes(bytes) {\n\n this._header('content-length', bytes);\n return this;\n }\n\n location(uri) {\n\n this._header('location', uri);\n return this;\n }\n\n created(location) {\n\n Hoek.assert(this.request.method === 'post' ||\n this.request.method === 'put' ||\n this.request.method === 'patch', 'Cannot return 201 status codes for ' + this.request.method.toUpperCase());\n\n this.statusCode = 201;\n this.location(location);\n return this;\n }\n\n compressed(encoding) {\n\n Hoek.assert(encoding && typeof encoding === 'string', 'Invalid content-encoding');\n this.settings.compressed = encoding;\n return this;\n }\n\n replacer(method) {\n\n this.settings.stringify = this.settings.stringify ?? {};\n this.settings.stringify.replacer = method;\n return this;\n }\n\n spaces(count) {\n\n this.settings.stringify = this.settings.stringify ?? {};\n this.settings.stringify.space = count;\n return this;\n }\n\n suffix(suffix) {\n\n this.settings.stringify = this.settings.stringify ?? {};\n this.settings.stringify.suffix = suffix;\n return this;\n }\n\n escape(escape) {\n\n this.settings.stringify = this.settings.stringify ?? {};\n this.settings.stringify.escape = escape;\n return this;\n }\n\n passThrough(enabled) {\n\n this.settings.passThrough = enabled !== false; // Defaults to true\n return this;\n }\n\n redirect(location) {\n\n this.statusCode = 302;\n this.location(location);\n return this;\n }\n\n temporary(isTemporary) {\n\n Hoek.assert(this.headers.location, 'Cannot set redirection mode without first setting a location');\n\n this._setTemporary(isTemporary !== false); // Defaults to true\n return this;\n }\n\n permanent(isPermanent) {\n\n Hoek.assert(this.headers.location, 'Cannot set redirection mode without first setting a location');\n\n this._setTemporary(isPermanent === false); // Defaults to true\n return this;\n }\n\n rewritable(isRewritable) {\n\n Hoek.assert(this.headers.location, 'Cannot set redirection mode without first setting a location');\n\n this._setRewritable(isRewritable !== false); // Defaults to true\n return this;\n }\n\n _isTemporary() {\n\n return this.statusCode === 302 || this.statusCode === 307;\n }\n\n _isRewritable() {\n\n return this.statusCode === 301 || this.statusCode === 302;\n }\n\n _setTemporary(isTemporary) {\n\n if (isTemporary) {\n if (this._isRewritable()) {\n this.statusCode = 302;\n }\n else {\n this.statusCode = 307;\n }\n }\n else {\n if (this._isRewritable()) {\n this.statusCode = 301;\n }\n else {\n this.statusCode = 308;\n }\n }\n }\n\n _setRewritable(isRewritable) {\n\n if (isRewritable) {\n if (this._isTemporary()) {\n this.statusCode = 302;\n }\n else {\n this.statusCode = 301;\n }\n }\n else {\n if (this._isTemporary()) {\n this.statusCode = 307;\n }\n else {\n this.statusCode = 308;\n }\n }\n }\n\n encoding(encoding) {\n\n this.settings.encoding = encoding;\n return this;\n }\n\n charset(charset) {\n\n this.settings.charset = charset ?? null;\n return this;\n }\n\n ttl(ttl) {\n\n this.settings.ttl = ttl;\n return this;\n }\n\n state(name, value, options) {\n\n this.request._setState(name, value, options);\n return this;\n }\n\n unstate(name, options) {\n\n this.request._clearState(name, options);\n return this;\n }\n\n takeover() {\n\n this._takeover = true;\n return this;\n }\n\n _prepare() {\n\n Hoek.assert(this._state === 'init');\n\n this._state = 'prepare';\n\n this._passThrough();\n\n if (!this._processors.prepare) {\n return this;\n }\n\n try {\n return this._processors.prepare(this);\n }\n catch (err) {\n throw Boom.boomify(err);\n }\n }\n\n _passThrough() {\n\n if (this.variety === 'stream' &&\n this.settings.passThrough) {\n\n if (this.source.statusCode &&\n !this.statusCode) {\n\n this.statusCode = this.source.statusCode; // Stream is an HTTP response\n }\n\n if (this.source.headers) {\n let headerKeys = Object.keys(this.source.headers);\n\n if (headerKeys.length) {\n const localHeaders = this.headers;\n this.headers = {};\n\n const connection = this.source.headers.connection;\n const byHop = {};\n if (connection) {\n connection.split(/\\s*,\\s*/).forEach((header) => {\n\n byHop[header] = true;\n });\n }\n\n for (const key of headerKeys) {\n const lower = key.toLowerCase();\n if (!internals.hopByHop[lower] &&\n !byHop[lower]) {\n\n this.header(lower, Hoek.clone(this.source.headers[key])); // Clone arrays\n }\n }\n\n headerKeys = Object.keys(localHeaders);\n for (const key of headerKeys) {\n this.header(key, localHeaders[key], { append: key === 'set-cookie' });\n }\n }\n }\n }\n\n this.statusCode = this.statusCode ?? 200;\n }\n\n async _marshal() {\n\n Hoek.assert(this._state === 'prepare');\n\n this._state = 'marshall';\n\n // Processor marshal\n\n let source = this.source;\n\n if (this._processors.marshal) {\n try {\n source = await this._processors.marshal(this);\n }\n catch (err) {\n throw Boom.boomify(err);\n }\n }\n\n // Stream source\n\n if (Streams.isStream(source)) {\n this._payload = source;\n return;\n }\n\n // Plain source (non string or null)\n\n const jsonify = this.variety === 'plain' && source !== null && typeof source !== 'string';\n\n if (!jsonify &&\n this.settings.stringify) {\n\n throw Boom.badImplementation('Cannot set formatting options on non object response');\n }\n\n let payload = source;\n\n if (jsonify) {\n const options = this.settings.stringify ?? {};\n const space = options.space ?? this.request.route.settings.json.space;\n const replacer = options.replacer ?? this.request.route.settings.json.replacer;\n const suffix = options.suffix ?? this.request.route.settings.json.suffix ?? '';\n const escape = this.request.route.settings.json.escape;\n\n try {\n if (replacer || space) {\n payload = JSON.stringify(payload, replacer, space);\n }\n else {\n payload = JSON.stringify(payload);\n }\n }\n catch (err) {\n throw Boom.boomify(err);\n }\n\n if (suffix) {\n payload = payload + suffix;\n }\n\n if (escape) {\n payload = Hoek.escapeJson(payload);\n }\n }\n\n this._payload = new internals.Response.Payload(payload, this.settings);\n }\n\n _tap() {\n\n if (!this._events) {\n return null;\n }\n\n if (this._events.hasListeners('peek') ||\n this._events.hasListeners('finish')) {\n\n return new internals.Response.Peek(this._events);\n }\n\n return null;\n }\n\n _close() {\n\n if (this._state === 'close') {\n return;\n }\n\n this._state = 'close';\n\n if (this._processors.close) {\n try {\n this._processors.close(this);\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n this.request._log(['response', 'cleanup', 'error'], err);\n }\n }\n\n const stream = this._payload || this.source;\n if (Streams.isStream(stream)) {\n internals.Response.drain(stream);\n }\n }\n\n _isPayloadSupported() {\n\n return this.request.method !== 'head' && this.statusCode !== 304 && this.statusCode !== 204;\n }\n\n static drain(stream) {\n\n stream.destroy();\n }\n};\n\n\ninternals.Response.reserved = internals.reserved;\n\n\ninternals.parseDate = function (string) {\n\n try {\n return Date.parse(string);\n }\n catch (errIgnore) { }\n};\n\n\ninternals.Response.Payload = class extends Stream.Readable {\n\n constructor(payload, options) {\n\n super();\n\n this._data = payload;\n this._encoding = options.encoding;\n }\n\n _read(size) {\n\n if (this._data) {\n this.push(this._data, this._encoding);\n }\n\n this.push(null);\n }\n\n size() {\n\n if (!this._data) {\n return 0;\n }\n\n return Buffer.isBuffer(this._data) ? this._data.length : Buffer.byteLength(this._data, this._encoding);\n }\n\n writeToStream(stream) {\n\n if (this._data) {\n stream.write(this._data, this._encoding);\n }\n\n stream.end();\n }\n};\n\n\ninternals.Response.Peek = class extends Stream.Transform {\n\n constructor(podium) {\n\n super();\n\n this._podium = podium;\n this.on('finish', () => podium.emit('finish'));\n }\n\n _transform(chunk, encoding, callback) {\n\n this._podium.emit('peek', [chunk, encoding]);\n this.push(chunk, encoding);\n callback();\n }\n};\n" }, { "path": "lib/route.js", "content": "'use strict';\n\nconst Assert = require('assert');\n\nconst Bounce = require('@hapi/bounce');\nconst Catbox = require('@hapi/catbox');\nconst Hoek = require('@hapi/hoek');\nconst Subtext = require('@hapi/subtext');\nconst Validate = require('@hapi/validate');\n\nconst Auth = require('./auth');\nconst Config = require('./config');\nconst Cors = require('./cors');\nconst Ext = require('./ext');\nconst Handler = require('./handler');\nconst Headers = require('./headers');\nconst Security = require('./security');\nconst Streams = require('./streams');\nconst Validation = require('./validation');\n\n\nconst internals = {};\n\n\nexports = module.exports = internals.Route = class {\n\n constructor(route, server, options = {}) {\n\n const core = server._core;\n const realm = server.realm;\n\n // Routing information\n\n Config.apply('route', route, route.method, route.path);\n\n const method = route.method.toLowerCase();\n Hoek.assert(method !== 'head', 'Cannot set HEAD route:', route.path);\n\n const path = realm.modifiers.route.prefix ? realm.modifiers.route.prefix + (route.path !== '/' ? route.path : '') : route.path;\n Hoek.assert(path === '/' || path[path.length - 1] !== '/' || !core.settings.router.stripTrailingSlash, 'Path cannot end with a trailing slash when configured to strip:', route.method, route.path);\n\n const vhost = realm.modifiers.route.vhost ?? route.vhost;\n\n // Set identifying members (assert)\n\n this.method = method;\n this.path = path;\n\n // Prepare configuration\n\n let config = route.options ?? route.config ?? {};\n if (typeof config === 'function') {\n config = config.call(realm.settings.bind, server);\n }\n\n config = Config.enable(config); // Shallow clone\n\n // Verify route level config (as opposed to the merged settings)\n\n this._assert(method !== 'get' || !config.payload, 'Cannot set payload settings on HEAD or GET request');\n this._assert(method !== 'get' || !config.validate?.payload, 'Cannot validate HEAD or GET request payload');\n\n // Rules\n\n this._assert(!route.rules || !config.rules, 'Route rules can only appear once'); // XOR\n const rules = route.rules ?? config.rules;\n const rulesConfig = internals.rules(rules, { method, path, vhost }, server);\n delete config.rules;\n\n // Handler\n\n this._assert(route.handler || config.handler, 'Missing or undefined handler');\n this._assert(!!route.handler ^ !!config.handler, 'Handler must only appear once'); // XOR\n\n const handler = Config.apply('handler', route.handler ?? config.handler);\n delete config.handler;\n\n const handlerDefaults = Handler.defaults(method, handler, core);\n\n // Apply settings in order: server <- handler <- realm <- route\n\n const settings = internals.config([core.settings.routes, handlerDefaults, realm.settings, rulesConfig, config]);\n this.settings = Config.apply('routeConfig', settings, method, path);\n\n\n // Route members\n\n this._core = core;\n this.realm = realm;\n\n this.settings.vhost = vhost;\n this.settings.plugins = this.settings.plugins ?? {}; // Route-specific plugins settings, namespaced using plugin name\n this.settings.app = this.settings.app ?? {}; // Route-specific application settings\n\n // Path parsing\n\n this._special = !!options.special;\n this._analysis = this._core.router.analyze(this.path);\n this.params = this._analysis.params;\n this.fingerprint = this._analysis.fingerprint;\n\n this.public = {\n method: this.method,\n path: this.path,\n vhost,\n realm,\n settings: this.settings,\n fingerprint: this.fingerprint,\n auth: {\n access: (request) => Auth.testAccess(request, this.public)\n }\n };\n\n // Validation\n\n this._setupValidation();\n\n // Payload parsing\n\n if (this.method === 'get') {\n this.settings.payload = null;\n }\n else {\n this.settings.payload.decoders = this._core.compression.decoders; // Reference the shared object to keep up to date\n }\n\n this._assert(!this.settings.validate.payload || this.settings.payload.parse, 'Route payload must be set to \\'parse\\' when payload validation enabled');\n this._assert(!this.settings.validate.state || this.settings.state.parse, 'Route state must be set to \\'parse\\' when state validation enabled');\n\n // Authentication configuration\n\n this.settings.auth = this._special ? false : this._core.auth._setupRoute(this.settings.auth, path);\n\n // Cache\n\n if (this.method === 'get' &&\n typeof this.settings.cache === 'object' &&\n (this.settings.cache.expiresIn || this.settings.cache.expiresAt)) {\n\n this.settings.cache._statuses = new Set(this.settings.cache.statuses);\n this._cache = new Catbox.Policy({ expiresIn: this.settings.cache.expiresIn, expiresAt: this.settings.cache.expiresAt });\n }\n\n // CORS\n\n this.settings.cors = Cors.route(this.settings.cors);\n\n // Security\n\n this.settings.security = Security.route(this.settings.security);\n\n // Handler\n\n this.settings.handler = Handler.configure(handler, this);\n this._prerequisites = Handler.prerequisitesConfig(this.settings.pre);\n\n // Route lifecycle\n\n this._extensions = {\n onPreResponse: Ext.combine(this, 'onPreResponse'),\n onPostResponse: Ext.combine(this, 'onPostResponse')\n };\n\n if (this._special) {\n this._cycle = [internals.drain, Handler.execute];\n this.rebuild();\n return;\n }\n\n this._extensions.onPreAuth = Ext.combine(this, 'onPreAuth');\n this._extensions.onCredentials = Ext.combine(this, 'onCredentials');\n this._extensions.onPostAuth = Ext.combine(this, 'onPostAuth');\n this._extensions.onPreHandler = Ext.combine(this, 'onPreHandler');\n this._extensions.onPostHandler = Ext.combine(this, 'onPostHandler');\n\n this.rebuild();\n }\n\n _setupValidation() {\n\n const validation = this.settings.validate;\n if (this.method === 'get') {\n validation.payload = null;\n }\n\n this._assert(!validation.params || this.params.length, 'Cannot set path parameters validations without path parameters');\n\n for (const type of ['headers', 'params', 'query', 'payload', 'state']) {\n validation[type] = Validation.compile(validation[type], this.settings.validate.validator, this.realm, this._core);\n }\n\n if (this.settings.response.schema !== undefined ||\n this.settings.response.status) {\n\n this.settings.response._validate = true;\n\n const rule = this.settings.response.schema;\n this.settings.response.status = this.settings.response.status ?? {};\n const statuses = Object.keys(this.settings.response.status);\n\n if (rule === true &&\n !statuses.length) {\n\n this.settings.response._validate = false;\n }\n else {\n this.settings.response.schema = Validation.compile(rule, this.settings.validate.validator, this.realm, this._core);\n for (const code of statuses) {\n this.settings.response.status[code] = Validation.compile(this.settings.response.status[code], this.settings.validate.validator, this.realm, this._core);\n }\n }\n }\n }\n\n rebuild(event) {\n\n if (event) {\n this._extensions[event.type].add(event);\n }\n\n if (this._special) {\n this._postCycle = this._extensions.onPreResponse.nodes ? [this._extensions.onPreResponse] : [];\n this._buildMarshalCycle();\n return;\n }\n\n // Build lifecycle array\n\n this._cycle = [];\n\n // 'onRequest'\n\n if (this.settings.state.parse) {\n this._cycle.push(internals.state);\n }\n\n if (this._extensions.onPreAuth.nodes) {\n this._cycle.push(this._extensions.onPreAuth);\n }\n\n if (this._core.auth._enabled(this, 'authenticate')) {\n this._cycle.push(Auth.authenticate);\n }\n\n if (this.method !== 'get') {\n this._cycle.push(internals.payload);\n\n if (this._core.auth._enabled(this, 'payload')) {\n this._cycle.push(Auth.payload);\n }\n }\n\n if (this._core.auth._enabled(this, 'authenticate') &&\n this._extensions.onCredentials.nodes) {\n\n this._cycle.push(this._extensions.onCredentials);\n }\n\n if (this._core.auth._enabled(this, 'access')) {\n this._cycle.push(Auth.access);\n }\n\n if (this._extensions.onPostAuth.nodes) {\n this._cycle.push(this._extensions.onPostAuth);\n }\n\n if (this.settings.validate.headers) {\n this._cycle.push(Validation.headers);\n }\n\n if (this.settings.validate.params) {\n this._cycle.push(Validation.params);\n }\n\n if (this.settings.validate.query) {\n this._cycle.push(Validation.query);\n }\n\n if (this.settings.validate.payload) {\n this._cycle.push(Validation.payload);\n }\n\n if (this.settings.validate.state) {\n this._cycle.push(Validation.state);\n }\n\n if (this._extensions.onPreHandler.nodes) {\n this._cycle.push(this._extensions.onPreHandler);\n }\n\n this._cycle.push(Handler.execute);\n\n if (this._extensions.onPostHandler.nodes) {\n this._cycle.push(this._extensions.onPostHandler);\n }\n\n this._postCycle = [];\n\n if (this.settings.response._validate &&\n this.settings.response.sample !== 0) {\n\n this._postCycle.push(Validation.response);\n }\n\n if (this._extensions.onPreResponse.nodes) {\n this._postCycle.push(this._extensions.onPreResponse);\n }\n\n this._buildMarshalCycle();\n\n // onPostResponse\n }\n\n _buildMarshalCycle() {\n\n this._marshalCycle = [Headers.type];\n\n if (this.settings.cors) {\n this._marshalCycle.push(Cors.headers);\n }\n\n if (this.settings.security) {\n this._marshalCycle.push(Security.headers);\n }\n\n this._marshalCycle.push(Headers.entity);\n\n if (this.method === 'get' ||\n this.method === '*') {\n\n this._marshalCycle.push(Headers.unmodified);\n }\n\n this._marshalCycle.push(Headers.cache);\n this._marshalCycle.push(Headers.state);\n this._marshalCycle.push(Headers.content);\n\n if (this._core.auth._enabled(this, 'response')) {\n this._marshalCycle.push(Auth.response); // Must be last in case requires access to headers\n }\n }\n\n _assert(condition, message) {\n\n if (condition) {\n return;\n }\n\n if (this.method[0] !== '_') {\n message = `${message}: ${this.method.toUpperCase()} ${this.path}`;\n }\n\n throw new Assert.AssertionError({\n message,\n actual: false,\n expected: true,\n operator: '==',\n stackStartFunction: this._assert\n });\n }\n};\n\n\ninternals.state = async function (request) {\n\n request.state = {};\n\n const req = request.raw.req;\n const cookies = req.headers.cookie;\n if (!cookies) {\n return;\n }\n\n try {\n var result = await request._core.states.parse(cookies);\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n var parseError = err;\n }\n\n const { states, failed = [] } = result ?? parseError;\n request.state = states ?? {};\n\n // Clear cookies\n\n for (const item of failed) {\n if (item.settings.clearInvalid) {\n request._clearState(item.name);\n }\n }\n\n if (!parseError) {\n return;\n }\n\n parseError.header = cookies;\n\n return request._core.toolkit.failAction(request, request.route.settings.state.failAction, parseError, { tags: ['state', 'error'] });\n};\n\n\ninternals.payload = async function (request) {\n\n if (request.method === 'get' ||\n request.method === 'head') { // When route.method is '*'\n\n return;\n }\n\n if (request.payload !== undefined) {\n return internals.drain(request);\n }\n\n if (request._expectContinue) {\n request._expectContinue = false;\n request.raw.res.writeContinue();\n }\n\n try {\n const { payload, mime } = await Subtext.parse(request.raw.req, request._tap(), request.route.settings.payload);\n\n request._isPayloadPending = !!payload?._readableState;\n request.mime = mime;\n request.payload = payload;\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n\n await internals.drain(request);\n\n request.mime = err.mime;\n request.payload = null;\n\n return request._core.toolkit.failAction(request, request.route.settings.payload.failAction, err, { tags: ['payload', 'error'] });\n }\n};\n\n\ninternals.drain = async function (request) {\n\n // Flush out any pending request payload not consumed due to errors\n\n if (request._expectContinue) {\n request._isPayloadPending = false; // If we don't continue, client should not send a payload\n request._expectContinue = false;\n }\n\n if (request._isPayloadPending) {\n await Streams.drain(request.raw.req);\n request._isPayloadPending = false;\n }\n};\n\n\ninternals.config = function (chain) {\n\n if (!chain.length) {\n return {};\n }\n\n let config = chain[0];\n for (const item of chain) {\n config = Hoek.applyToDefaults(config, item, { shallow: ['bind', 'validate.headers', 'validate.payload', 'validate.params', 'validate.query', 'validate.state'] });\n }\n\n return config;\n};\n\n\ninternals.rules = function (rules, info, server) {\n\n const configs = [];\n\n let realm = server.realm;\n while (realm) {\n if (realm._rules) {\n const source = !realm._rules.settings.validate ? rules : Validate.attempt(rules, realm._rules.settings.validate.schema, realm._rules.settings.validate.options);\n const config = realm._rules.processor(source, info);\n if (config) {\n configs.unshift(config);\n }\n }\n\n realm = realm.parent;\n }\n\n return internals.config(configs);\n};\n" }, { "path": "lib/security.js", "content": "'use strict';\n\nconst internals = {};\n\n\nexports.route = function (settings) {\n\n if (!settings) {\n return null;\n }\n\n const security = settings;\n if (security.hsts) {\n if (security.hsts === true) {\n security._hsts = 'max-age=15768000';\n }\n else if (typeof security.hsts === 'number') {\n security._hsts = 'max-age=' + security.hsts;\n }\n else {\n security._hsts = 'max-age=' + (security.hsts.maxAge ?? 15768000);\n if (security.hsts.includeSubdomains || security.hsts.includeSubDomains) {\n security._hsts = security._hsts + '; includeSubDomains';\n }\n\n if (security.hsts.preload) {\n security._hsts = security._hsts + '; preload';\n }\n }\n }\n\n if (security.xframe) {\n if (security.xframe === true) {\n security._xframe = 'DENY';\n }\n else if (typeof security.xframe === 'string') {\n security._xframe = security.xframe.toUpperCase();\n }\n else if (security.xframe.rule === 'allow-from') {\n if (!security.xframe.source) {\n security._xframe = 'SAMEORIGIN';\n }\n else {\n security._xframe = 'ALLOW-FROM ' + security.xframe.source;\n }\n }\n else {\n security._xframe = security.xframe.rule.toUpperCase();\n }\n }\n\n return security;\n};\n\n\nexports.headers = function (response) {\n\n const security = response.request.route.settings.security;\n\n if (security._hsts) {\n response._header('strict-transport-security', security._hsts, { override: false });\n }\n\n if (security._xframe) {\n response._header('x-frame-options', security._xframe, { override: false });\n }\n\n if (security.xss === 'enabled') {\n response._header('x-xss-protection', '1; mode=block', { override: false });\n }\n else if (security.xss === 'disabled') {\n response._header('x-xss-protection', '0', { override: false });\n }\n\n if (security.noOpen) {\n response._header('x-download-options', 'noopen', { override: false });\n }\n\n if (security.noSniff) {\n response._header('x-content-type-options', 'nosniff', { override: false });\n }\n\n if (security.referrer !== false) {\n response._header('referrer-policy', security.referrer, { override: false });\n }\n};\n" }, { "path": "lib/server.js", "content": "'use strict';\n\nconst Hoek = require('@hapi/hoek');\nconst Shot = require('@hapi/shot');\nconst Teamwork = require('@hapi/teamwork');\n\nconst Config = require('./config');\nconst Core = require('./core');\nconst Cors = require('./cors');\nconst Ext = require('./ext');\nconst Package = require('../package.json');\nconst Route = require('./route');\nconst Toolkit = require('./toolkit');\nconst Validation = require('./validation');\n\n\nconst internals = {};\n\n\nexports = module.exports = function (options) {\n\n const core = new Core(options);\n return new internals.Server(core);\n};\n\n\ninternals.Server = class {\n\n constructor(core, name, parent) {\n\n this._core = core;\n\n // Public interface\n\n this.app = core.app;\n this.auth = core.auth.public(this);\n this.decorations = core.decorations.public;\n this.cache = internals.cache(this);\n this.events = core.events;\n this.info = core.info;\n this.listener = core.listener;\n this.load = core.heavy.load;\n this.methods = core.methods.methods;\n this.mime = core.mime;\n this.plugins = core.plugins;\n this.registrations = core.registrations;\n this.settings = core.settings;\n this.states = core.states;\n this.type = core.type;\n this.version = Package.version;\n\n this.realm = {\n _extensions: {\n onPreAuth: new Ext('onPreAuth', core),\n onCredentials: new Ext('onCredentials', core),\n onPostAuth: new Ext('onPostAuth', core),\n onPreHandler: new Ext('onPreHandler', core),\n onPostHandler: new Ext('onPostHandler', core),\n onPreResponse: new Ext('onPreResponse', core),\n onPostResponse: new Ext('onPostResponse', core)\n },\n modifiers: {\n route: {}\n },\n parent: parent ? parent.realm : null,\n plugin: name,\n pluginOptions: {},\n plugins: {},\n _rules: null,\n settings: {\n bind: undefined,\n files: {\n relativeTo: undefined\n }\n },\n validator: null\n };\n\n // Decorations\n\n for (const [property, method] of core.decorations.server.entries()) {\n this[property] = method;\n }\n\n core.registerServer(this);\n }\n\n _clone(name) {\n\n return new internals.Server(this._core, name, this);\n }\n\n bind(context) {\n\n Hoek.assert(typeof context === 'object', 'bind must be an object');\n this.realm.settings.bind = context;\n }\n\n control(server) {\n\n Hoek.assert(server instanceof internals.Server, 'Can only control Server objects');\n\n this._core.controlled = this._core.controlled ?? [];\n this._core.controlled.push(server);\n }\n\n decoder(encoding, decoder) {\n\n return this._core.compression.addDecoder(encoding, decoder);\n }\n\n decorate(type, property, method, options = {}) {\n\n Hoek.assert(this._core.decorations.public[type], 'Unknown decoration type:', type);\n Hoek.assert(property, 'Missing decoration property name');\n Hoek.assert(typeof property === 'string' || typeof property === 'symbol', 'Decoration property must be a string or a symbol');\n\n const propertyName = property.toString();\n Hoek.assert(propertyName[0] !== '_', 'Property name cannot begin with an underscore:', propertyName);\n\n const existing = this._core.decorations[type].get(property);\n if (options.extend) {\n Hoek.assert(type !== 'handler', 'Cannot extend handler decoration:', propertyName);\n Hoek.assert(existing, `Cannot extend missing ${type} decoration: ${propertyName}`);\n Hoek.assert(typeof method === 'function', `Extended ${type} decoration method must be a function: ${propertyName}`);\n\n method = method(existing);\n }\n else {\n Hoek.assert(existing === undefined, `${type[0].toUpperCase() + type.slice(1)} decoration already defined: ${propertyName}`);\n }\n\n if (type === 'handler') {\n\n // Handler\n\n Hoek.assert(typeof method === 'function', 'Handler must be a function:', propertyName);\n Hoek.assert(!method.defaults || typeof method.defaults === 'object' || typeof method.defaults === 'function', 'Handler defaults property must be an object or function');\n Hoek.assert(!options.extend, 'Cannot extend handler decoration:', propertyName);\n }\n else if (type === 'request') {\n\n // Request\n\n Hoek.assert(!this._core.Request.reserved.includes(property), 'Cannot override the built-in request interface decoration:', propertyName);\n\n if (options.apply) {\n this._core.decorations.requestApply = this._core.decorations.requestApply ?? new Map();\n this._core.decorations.requestApply.set(property, method);\n }\n else {\n this._core.Request.prototype[property] = method;\n }\n }\n else if (type === 'response') {\n\n // Response\n\n Hoek.assert(!this._core.Response.reserved.includes(property), 'Cannot override the built-in response interface decoration:', propertyName);\n this._core.Response.prototype[property] = method;\n }\n else if (type === 'toolkit') {\n\n // Toolkit\n\n Hoek.assert(!Toolkit.reserved.includes(property), 'Cannot override the built-in toolkit decoration:', propertyName);\n this._core.toolkit.decorate(property, method);\n }\n else {\n\n // Server\n\n if (typeof property === 'string') {\n Hoek.assert(!Object.getOwnPropertyNames(internals.Server.prototype).includes(property), 'Cannot override the built-in server interface method:', propertyName);\n }\n else {\n Hoek.assert(!Object.getOwnPropertySymbols(internals.Server.prototype).includes(property), 'Cannot override the built-in server interface method:', propertyName);\n }\n\n this._core.instances.forEach((server) => {\n\n server[property] = method;\n });\n }\n\n this._core.decorations[type].set(property, method);\n this._core.decorations.public[type].push(property);\n }\n\n dependency(dependencies, after) {\n\n Hoek.assert(this.realm.plugin, 'Cannot call dependency() outside of a plugin');\n Hoek.assert(!after || typeof after === 'function', 'Invalid after method');\n\n // Normalize to { plugin: version }\n\n if (typeof dependencies === 'string') {\n dependencies = { [dependencies]: '*' };\n }\n else if (Array.isArray(dependencies)) {\n const map = {};\n for (const dependency of dependencies) {\n map[dependency] = '*';\n }\n\n dependencies = map;\n }\n\n this._core.dependencies.push({ plugin: this.realm.plugin, deps: dependencies });\n\n if (after) {\n this.ext('onPreStart', after, { after: Object.keys(dependencies) });\n }\n }\n\n encoder(encoding, encoder) {\n\n return this._core.compression.addEncoder(encoding, encoder);\n }\n\n event(event) {\n\n this._core.events.registerEvent(event);\n }\n\n expose(key, value, options = {}) {\n\n Hoek.assert(this.realm.plugin, 'Cannot call expose() outside of a plugin');\n\n let plugin = this.realm.plugin;\n if (plugin[0] === '@' &&\n options.scope !== true) {\n\n plugin = plugin.replace(/^@([^/]+)\\//, ($0, $1) => {\n\n return !options.scope ? '' : `${$1}__`;\n });\n }\n\n this._core.plugins[plugin] = this._core.plugins[plugin] ?? {};\n\n if (typeof key === 'string') {\n this._core.plugins[plugin][key] = value;\n }\n else {\n Hoek.merge(this._core.plugins[plugin], key);\n }\n }\n\n ext(events, method, options) { // (event, method, options) -OR- (events)\n\n let promise;\n if (typeof events === 'string') {\n if (!method) {\n const team = new Teamwork.Team();\n method = (request, h) => {\n\n team.attend(request);\n return h.continue;\n };\n\n promise = team.work;\n }\n\n events = { type: events, method, options };\n }\n\n events = Config.apply('exts', events);\n for (const event of events) {\n this._ext(event);\n }\n\n return promise;\n }\n\n _ext(event) {\n\n event = Object.assign({}, event); // Shallow cloned\n event.realm = this.realm;\n const type = event.type;\n\n if (!this._core.extensions.server[type]) {\n\n // Realm route extensions\n\n if (event.options.sandbox === 'plugin') {\n Hoek.assert(this.realm._extensions[type], 'Unknown event type', type);\n return this.realm._extensions[type].add(event);\n }\n\n // Connection route extensions\n\n Hoek.assert(this._core.extensions.route[type], 'Unknown event type', type);\n return this._core.extensions.route[type].add(event);\n }\n\n // Server extensions\n\n Hoek.assert(!event.options.sandbox, 'Cannot specify sandbox option for server extension');\n Hoek.assert(type !== 'onPreStart' || this._core.phase === 'stopped', 'Cannot add onPreStart (after) extension after the server was initialized');\n\n event.server = this;\n this._core.extensions.server[type].add(event);\n }\n\n async inject(options) {\n\n let settings = options;\n if (typeof settings === 'string') {\n settings = { url: settings };\n }\n\n if (!settings.authority ||\n settings.auth ||\n settings.app ||\n settings.plugins ||\n settings.allowInternals !== undefined) { // Can be false\n\n settings = Object.assign({}, settings); // options can be reused (shallow cloned)\n delete settings.auth;\n delete settings.app;\n delete settings.plugins;\n delete settings.allowInternals;\n\n settings.authority = settings.authority ?? this._core.info.host + ':' + this._core.info.port;\n }\n\n Hoek.assert(!options.credentials, 'options.credentials no longer supported (use options.auth)');\n\n if (options.auth) {\n Hoek.assert(typeof options.auth === 'object', 'options.auth must be an object');\n Hoek.assert(options.auth.credentials, 'options.auth.credentials is missing');\n Hoek.assert(options.auth.strategy, 'options.auth.strategy is missing');\n }\n\n const needle = this._core._dispatch({\n auth: options.auth,\n allowInternals: options.allowInternals,\n app: options.app,\n plugins: options.plugins,\n isInjected: true\n });\n\n const res = await Shot.inject(needle, settings);\n const custom = res.raw.res[Config.symbol];\n if (custom) {\n delete res.raw.res[Config.symbol];\n\n res.request = custom.request;\n\n if (custom.error) {\n throw custom.error;\n }\n\n if (custom.result !== undefined) {\n res.result = custom.result;\n }\n }\n\n if (res.result === undefined) {\n res.result = res.payload;\n }\n\n return res;\n }\n\n log(tags, data) {\n\n return this._core.log(tags, data);\n }\n\n lookup(id) {\n\n Hoek.assert(id && typeof id === 'string', 'Invalid route id:', id);\n\n const record = this._core.router.ids.get(id);\n if (!record) {\n return null;\n }\n\n return record.route.public;\n }\n\n match(method, path, host) {\n\n Hoek.assert(method && typeof method === 'string', 'Invalid method:', method);\n Hoek.assert(path && typeof path === 'string' && path[0] === '/', 'Invalid path:', path);\n Hoek.assert(!host || typeof host === 'string', 'Invalid host:', host);\n\n const match = this._core.router.route(method.toLowerCase(), path, host);\n Hoek.assert(match !== this._core.router.specials.badRequest, 'Invalid path:', path);\n if (match === this._core.router.specials.notFound) {\n return null;\n }\n\n return match.route.public;\n }\n\n method(name, method, options = {}) {\n\n return this._core.methods.add(name, method, options, this.realm);\n }\n\n path(relativeTo) {\n\n Hoek.assert(relativeTo && typeof relativeTo === 'string', 'relativeTo must be a non-empty string');\n this.realm.settings.files.relativeTo = relativeTo;\n }\n\n async register(plugins, options = {}) {\n\n if (this.realm.modifiers.route.prefix ||\n this.realm.modifiers.route.vhost) {\n\n options = Hoek.clone(options);\n options.routes = options.routes ?? {};\n\n options.routes.prefix = (this.realm.modifiers.route.prefix ?? '') + (options.routes.prefix ?? '') || undefined;\n options.routes.vhost = this.realm.modifiers.route.vhost ?? options.routes.vhost;\n }\n\n options = Config.apply('register', options);\n\n ++this._core.registring;\n\n try {\n const items = [].concat(plugins);\n for (let item of items) {\n\n /*\n { register, ...attributes }\n { plugin: { register, ...attributes }, options, once, routes }\n { plugin: { plugin: { register, ...attributes } }, options, once, routes } // Required module\n */\n\n if (!item.plugin) {\n item = {\n plugin: item\n };\n }\n else if (!item.plugin.register) {\n item = {\n options: item.options,\n once: item.once,\n routes: item.routes,\n plugin: item.plugin.plugin\n };\n }\n else if (typeof item === 'function') {\n item = Object.assign({}, item); // Shallow cloned\n }\n\n item = Config.apply('plugin', item);\n\n const name = item.plugin.name ?? item.plugin.pkg.name;\n const clone = this._clone(name);\n\n clone.realm.modifiers.route.prefix = item.routes.prefix ?? options.routes.prefix;\n clone.realm.modifiers.route.vhost = item.routes.vhost ?? options.routes.vhost;\n clone.realm.pluginOptions = item.options ?? {};\n\n // Validate requirements\n\n const requirements = item.plugin.requirements;\n Hoek.assert(!requirements.node || Config.versionMatch(process.version, requirements.node), 'Plugin', name, 'requires node version', requirements.node, 'but found', process.version);\n Hoek.assert(!requirements.hapi || Config.versionMatch(this.version, requirements.hapi), 'Plugin', name, 'requires hapi version', requirements.hapi, 'but found', this.version);\n\n // Protect against multiple registrations\n\n if (this._core.registrations[name]) {\n if (item.plugin.once ||\n item.once ||\n options.once) {\n\n continue;\n }\n\n Hoek.assert(item.plugin.multiple, 'Plugin', name, 'already registered');\n }\n else {\n this._core.registrations[name] = {\n version: item.plugin.version ?? item.plugin.pkg.version,\n name,\n options: item.options\n };\n }\n\n if (item.plugin.dependencies) {\n clone.dependency(item.plugin.dependencies);\n }\n\n // Register\n\n await item.plugin.register(clone, item.options ?? {});\n }\n }\n finally {\n --this._core.registring;\n }\n\n return this;\n }\n\n route(options) {\n\n Hoek.assert(typeof options === 'object', 'Invalid route options');\n\n options = [].concat(options);\n for (const config of options) {\n if (Array.isArray(config.method)) {\n for (const method of config.method) {\n const settings = Object.assign({}, config); // Shallow cloned\n settings.method = method;\n this._addRoute(settings, this);\n }\n }\n else {\n this._addRoute(config, this);\n }\n }\n }\n\n _addRoute(config, server) {\n\n const route = new Route(config, server); // Do no use config beyond this point, use route members\n const vhosts = [].concat(route.settings.vhost ?? '*');\n\n for (const vhost of vhosts) {\n const record = this._core.router.add({ method: route.method, path: route.path, vhost, analysis: route._analysis, id: route.settings.id }, route);\n route.fingerprint = record.fingerprint;\n route.params = record.params;\n }\n\n this.events.emit('route', route.public);\n Cors.options(route.public, server);\n }\n\n rules(processor, options = {}) {\n\n Hoek.assert(!this.realm._rules, 'Server realm rules already defined');\n\n const settings = Config.apply('rules', options);\n if (settings.validate) {\n const schema = settings.validate.schema;\n settings.validate.schema = Validation.compile(schema, null, this.realm, this._core);\n }\n\n this.realm._rules = { processor, settings };\n }\n\n state(name, options) {\n\n this.states.add(name, options);\n }\n\n table(host) {\n\n return this._core.router.table(host);\n }\n\n validator(validator) {\n\n Hoek.assert(!this.realm.validator, 'Validator already set');\n\n this.realm.validator = Validation.validator(validator);\n }\n\n start() {\n\n return this._core._start();\n }\n\n initialize() {\n\n return this._core._initialize();\n }\n\n stop(options) {\n\n return this._core._stop(options);\n }\n};\n\n\ninternals.cache = (plugin) => {\n\n const policy = function (options, _segment) {\n\n return this._core._cachePolicy(options, _segment, plugin.realm);\n };\n\n policy.provision = async (opts) => {\n\n const clients = plugin._core._createCache(opts);\n\n // Start cache\n\n if (['initialized', 'starting', 'started'].includes(plugin._core.phase)) {\n await Promise.all(clients.map((client) => client.start()));\n }\n };\n\n return policy;\n};\n" }, { "path": "lib/streams.js", "content": "'use strict';\n\nconst Stream = require('stream');\n\nconst Boom = require('@hapi/boom');\nconst Teamwork = require('@hapi/teamwork');\n\nconst internals = {\n team: Symbol('team')\n};\n\n\nexports.isStream = function (stream) {\n\n const isReadableStream = stream instanceof Stream.Readable;\n\n if (!isReadableStream &&\n typeof stream?.pipe === 'function') {\n throw Boom.badImplementation('Cannot reply with a stream-like object that is not an instance of Stream.Readable');\n }\n\n if (!isReadableStream) {\n return false;\n }\n\n if (stream.readableObjectMode) {\n throw Boom.badImplementation('Cannot reply with stream in object mode');\n }\n\n return true;\n};\n\n\nexports.drain = function (stream) {\n\n const team = new Teamwork.Team();\n stream[internals.team] = team;\n\n stream.on('readable', internals.read);\n stream.on('error', internals.end);\n stream.on('end', internals.end);\n stream.on('close', internals.end);\n\n return team.work;\n};\n\n\ninternals.read = function () {\n\n while (this.read()) { }\n};\n\n\ninternals.end = function () {\n\n this.removeListener('readable', internals.read);\n this.removeListener('error', internals.end);\n this.removeListener('end', internals.end);\n this.removeListener('close', internals.end);\n\n this[internals.team].attend();\n};\n" }, { "path": "lib/toolkit.js", "content": "'use strict';\n\nconst Boom = require('@hapi/boom');\nconst Bounce = require('@hapi/bounce');\nconst Hoek = require('@hapi/hoek');\n\n\nconst internals = {};\n\n\nexports.reserved = [\n 'abandon',\n 'authenticated',\n 'close',\n 'context',\n 'continue',\n 'entity',\n 'redirect',\n 'realm',\n 'request',\n 'response',\n 'state',\n 'unauthenticated',\n 'unstate'\n];\n\n\nexports.symbols = {\n abandon: Symbol('abandon'),\n close: Symbol('close'),\n continue: Symbol('continue')\n};\n\n\nexports.Manager = class {\n\n constructor() {\n\n this._toolkit = internals.toolkit();\n }\n\n async execute(method, request, options) {\n\n const h = new this._toolkit(request, options);\n const bind = options.bind ?? null;\n\n try {\n let operation;\n\n if (bind) {\n operation = method.call(bind, request, h);\n }\n else if (options.args) {\n operation = method(request, h, ...options.args);\n }\n else {\n operation = method(request, h);\n }\n\n var response = await exports.timed(operation, options);\n }\n catch (err) {\n if (Bounce.isSystem(err)) {\n response = Boom.badImplementation(err);\n }\n else if (!Bounce.isError(err)) {\n response = Boom.badImplementation('Cannot throw non-error object', err);\n }\n else {\n response = Boom.boomify(err);\n }\n }\n\n // Process response\n\n if (options.ignoreResponse) {\n return response;\n }\n\n if (response === undefined) {\n response = Boom.badImplementation(`${method.name} method did not return a value, a promise, or throw an error`);\n }\n\n if (options.continue &&\n response === exports.symbols.continue) {\n\n if (options.continue === 'undefined') {\n return;\n }\n\n // 'null'\n\n response = null;\n }\n\n if (options.auth &&\n response instanceof internals.Auth) {\n\n return response;\n }\n\n if (typeof response !== 'symbol') {\n response = request._core.Response.wrap(response, request);\n if (!response.isBoom && response._state === 'init') {\n await response._prepare();\n }\n }\n\n return response;\n }\n\n decorate(name, method) {\n\n this._toolkit.prototype[name] = method;\n }\n\n async failAction(request, failAction, err, options) {\n\n const retain = options.retain ? err : undefined;\n if (failAction === 'ignore') {\n return retain;\n }\n\n if (failAction === 'log') {\n request._log(options.tags, err);\n return retain;\n }\n\n if (failAction === 'error') {\n throw err;\n }\n\n return await this.execute(failAction, request, { realm: request.route.realm, args: [options.details ?? err] });\n }\n};\n\n\nexports.timed = async function (method, options) {\n\n if (!options.timeout) {\n return method;\n }\n\n const timer = new Promise((resolve, reject) => {\n\n const handler = () => {\n\n reject(Boom.internal(`${options.name} timed out`));\n };\n\n setTimeout(handler, options.timeout);\n });\n\n return await Promise.race([timer, method]);\n};\n\n\n/*\n const handler = function (request, h) {\n\n result / h.response(result) -> result // Not allowed before handler\n h.response(result).takeover() -> result (respond)\n h.continue -> null // Defaults to null only in handler and pre, not allowed in auth\n\n throw error / h.response(error) -> error (respond) // failAction override in pre\n -> badImplementation (respond)\n\n // Auth only (scheme.payload and scheme.response use the same interface as pre-handler extension methods)\n\n h.unauthenticated(error, data) -> error (respond) + data\n h.authenticated(data ) -> (continue) + data\n };\n*/\n\ninternals.toolkit = function () {\n\n const Toolkit = class {\n\n constructor(request, options) {\n\n this.context = options.bind;\n this.realm = options.realm;\n this.request = request;\n\n this._auth = options.auth;\n }\n\n response(result) {\n\n Hoek.assert(!result || typeof result !== 'object' || typeof result.then !== 'function', 'Cannot wrap a promise');\n Hoek.assert(result instanceof Error === false, 'Cannot wrap an error');\n Hoek.assert(typeof result !== 'symbol', 'Cannot wrap a symbol');\n\n return this.request._core.Response.wrap(result, this.request);\n }\n\n redirect(location) {\n\n return this.response('').redirect(location);\n }\n\n entity(options) {\n\n Hoek.assert(options, 'Entity method missing required options');\n Hoek.assert(options.etag || options.modified, 'Entity methods missing required options key');\n\n this.request._entity = options;\n\n const entity = this.request._core.Response.entity(options.etag, options);\n if (this.request._core.Response.unmodified(this.request, entity)) {\n return this.response().code(304).takeover();\n }\n }\n\n state(name, value, options) {\n\n this.request._setState(name, value, options);\n }\n\n unstate(name, options) {\n\n this.request._clearState(name, options);\n }\n\n authenticated(data) {\n\n Hoek.assert(this._auth, 'Method not supported outside of authentication');\n Hoek.assert(data?.credentials, 'Authentication data missing credentials information');\n\n return new internals.Auth(null, data);\n }\n\n unauthenticated(error, data) {\n\n Hoek.assert(this._auth, 'Method not supported outside of authentication');\n Hoek.assert(!data || data.credentials, 'Authentication data missing credentials information');\n\n return new internals.Auth(error, data);\n }\n };\n\n Toolkit.prototype.abandon = exports.symbols.abandon;\n Toolkit.prototype.close = exports.symbols.close;\n Toolkit.prototype.continue = exports.symbols.continue;\n\n return Toolkit;\n};\n\n\ninternals.Auth = class {\n\n constructor(error, data) {\n\n this.isAuth = true;\n this.error = error;\n this.data = data;\n }\n};\n" }, { "path": "lib/transmit.js", "content": "'use strict';\n\nconst Http = require('http');\n\nconst Ammo = require('@hapi/ammo');\nconst Boom = require('@hapi/boom');\nconst Bounce = require('@hapi/bounce');\nconst Hoek = require('@hapi/hoek');\nconst Teamwork = require('@hapi/teamwork');\n\nconst Config = require('./config');\n\n\nconst internals = {};\n\n\nexports.send = async function (request) {\n\n const response = request.response;\n\n try {\n if (response.isBoom) {\n await internals.fail(request, response);\n return;\n }\n\n await internals.marshal(response);\n await internals.transmit(response);\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n request._setResponse(err);\n return internals.fail(request, err);\n }\n};\n\n\ninternals.marshal = async function (response) {\n\n for (const func of response.request._route._marshalCycle) {\n await func(response);\n }\n};\n\n\ninternals.fail = async function (request, boom) {\n\n const response = internals.error(request, boom);\n request.response = response; // Not using request._setResponse() to avoid double log\n\n try {\n await internals.marshal(response);\n }\n catch (err) {\n Bounce.rethrow(err, 'system');\n\n // Failed to marshal an error - replace with minimal representation of original error\n\n const minimal = {\n statusCode: response.statusCode,\n error: Http.STATUS_CODES[response.statusCode],\n message: boom.message\n };\n\n response._payload = new request._core.Response.Payload(JSON.stringify(minimal), {});\n }\n\n return internals.transmit(response);\n};\n\n\ninternals.error = function (request, boom) {\n\n const error = boom.output;\n const response = new request._core.Response(error.payload, request, { error: boom });\n response.code(error.statusCode);\n response.headers = Hoek.clone(error.headers); // Prevent source from being modified\n return response;\n};\n\n\ninternals.transmit = function (response) {\n\n const request = response.request;\n const length = internals.length(response);\n\n // Pipes\n\n const encoding = request._core.compression.encoding(response, length);\n const ranger = encoding ? null : internals.range(response, length);\n const compressor = internals.encoding(response, encoding);\n\n // Connection: close\n\n const isInjection = request.isInjected;\n if (!(isInjection || request._core.started) ||\n request._isPayloadPending && !request.raw.req._readableState.ended) {\n\n response._header('connection', 'close');\n }\n\n // Write headers\n\n internals.writeHead(response);\n\n // Injection\n\n if (isInjection) {\n request.raw.res[Config.symbol] = { request };\n\n if (response.variety === 'plain') {\n request.raw.res[Config.symbol].result = response._isPayloadSupported() ? response.source : null;\n }\n }\n\n // Finalize response stream\n\n const stream = internals.chain([response._payload, response._tap(), compressor, ranger]);\n return internals.pipe(request, stream);\n};\n\n\ninternals.length = function (response) {\n\n const request = response.request;\n\n const header = response.headers['content-length'];\n if (header === undefined) {\n return null;\n }\n\n let length = header;\n if (typeof length === 'string') {\n length = parseInt(header, 10);\n if (!isFinite(length)) {\n delete response.headers['content-length'];\n return null;\n }\n }\n\n // Empty response\n\n if (length === 0 &&\n !response._statusCode &&\n response.statusCode === 200 &&\n request.route.settings.response.emptyStatusCode !== 200) {\n\n response.code(204);\n delete response.headers['content-length'];\n }\n\n return length;\n};\n\n\ninternals.range = function (response, length) {\n\n const request = response.request;\n\n if (!length ||\n !request.route.settings.response.ranges ||\n request.method !== 'get' ||\n response.statusCode !== 200) {\n\n return null;\n }\n\n response._header('accept-ranges', 'bytes');\n\n if (!request.headers.range) {\n return null;\n }\n\n // Check If-Range\n\n if (request.headers['if-range'] &&\n request.headers['if-range'] !== response.headers.etag) { // Ignoring last-modified date (weak)\n\n return null;\n }\n\n // Parse header\n\n const ranges = Ammo.header(request.headers.range, length);\n if (!ranges) {\n const error = Boom.rangeNotSatisfiable();\n error.output.headers['content-range'] = 'bytes */' + length;\n throw error;\n }\n\n // Prepare transform\n\n if (ranges.length !== 1) { // Ignore requests for multiple ranges\n return null;\n }\n\n const range = ranges[0];\n response.code(206);\n response.bytes(range.to - range.from + 1);\n response._header('content-range', 'bytes ' + range.from + '-' + range.to + '/' + length);\n\n return new Ammo.Clip(range);\n};\n\n\ninternals.encoding = function (response, encoding) {\n\n const request = response.request;\n\n const header = response.headers['content-encoding'] || encoding;\n if (header &&\n response.headers.etag &&\n response.settings.varyEtag) {\n\n response.headers.etag = response.headers.etag.slice(0, -1) + '-' + header + '\"';\n }\n\n if (!encoding ||\n response.statusCode === 206 ||\n !response._isPayloadSupported()) {\n\n return null;\n }\n\n delete response.headers['content-length'];\n response._header('content-encoding', encoding);\n const compressor = request._core.compression.encoder(request, encoding);\n if (response.variety === 'stream' &&\n typeof response._payload.setCompressor === 'function') {\n\n response._payload.setCompressor(compressor);\n }\n\n return compressor;\n};\n\n\ninternals.pipe = function (request, stream) {\n\n const team = new Teamwork.Team();\n\n // Write payload\n\n const env = { stream, request, team };\n\n if (request._closed) {\n\n // The request has already been aborted - no need to wait or attempt to write.\n\n internals.end(env, 'aborted');\n return team.work;\n }\n\n const aborted = internals.end.bind(null, env, 'aborted');\n const close = internals.end.bind(null, env, 'close');\n const end = internals.end.bind(null, env, null);\n\n request.raw.req.on('aborted', aborted);\n\n request.raw.res.on('close', close);\n request.raw.res.on('error', end);\n request.raw.res.on('finish', end);\n\n if (stream.writeToStream) {\n stream.writeToStream(request.raw.res);\n }\n else {\n stream.on('error', end);\n stream.on('close', aborted);\n stream.pipe(request.raw.res);\n }\n\n return team.work;\n};\n\n\ninternals.end = function (env, event, err) {\n\n const { request, stream, team } = env;\n\n if (!team) { // Used instead of cleaning up emitter listeners\n return;\n }\n\n env.team = null;\n\n if (request.raw.res.writableEnded) {\n request.info.responded = Date.now();\n\n team.attend();\n return;\n }\n\n if (err) {\n request.raw.res.destroy();\n request._core.Response.drain(stream);\n }\n\n // Update reported response to reflect the error condition\n\n const origResponse = request.response;\n const error = err ? Boom.boomify(err) :\n new Boom.Boom(`Request ${event}`, { statusCode: request.route.settings.response.disconnectStatusCode, data: origResponse });\n\n request._setResponse(error);\n\n // Make inject throw a disconnect error\n\n if (request.raw.res[Config.symbol]) {\n request.raw.res[Config.symbol].error = event ? error :\n new Boom.Boom(`Response error`, { statusCode: request.route.settings.response.disconnectStatusCode, data: origResponse });\n }\n\n if (event) {\n request._log(['response', 'error', event]);\n }\n else {\n request._log(['response', 'error'], err);\n }\n\n request.raw.res.end(); // Triggers injection promise resolve\n team.attend();\n};\n\n\ninternals.writeHead = function (response) {\n\n const res = response.request.raw.res;\n const headers = Object.keys(response.headers);\n let i = 0;\n\n try {\n for (; i < headers.length; ++i) {\n const header = headers[i];\n const value = response.headers[header];\n if (value !== undefined) {\n res.setHeader(header, value);\n }\n }\n }\n catch (err) {\n for (--i; i >= 0; --i) {\n res.removeHeader(headers[i]); // Undo headers\n }\n\n throw Boom.boomify(err);\n }\n\n if (response.settings.message) {\n res.statusMessage = response.settings.message;\n }\n\n try {\n res.writeHead(response.statusCode);\n }\n catch (err) {\n throw Boom.boomify(err);\n }\n};\n\n\ninternals.chain = function (sources) {\n\n let from = sources[0];\n for (let i = 1; i < sources.length; ++i) {\n const to = sources[i];\n if (to) {\n from.on('close', internals.destroyPipe.bind(from, to));\n from.on('error', internals.errorPipe.bind(from, to));\n from = from.pipe(to);\n }\n }\n\n return from;\n};\n\n\ninternals.destroyPipe = function (to) {\n\n if (!this.readableEnded && !this.errored) {\n to.destroy();\n }\n};\n\ninternals.errorPipe = function (to, err) {\n\n to.emit('error', err);\n};\n" }, { "path": "lib/types/index.d.ts", "content": "// Definitions adapted from DefinitelyTyped, originally created by:\n// Rafael Souza Fijalkowski \n// Justin Simms \n// Simon Schick \n// Rodrigo Saboya \n// Silas Rech \n\nexport * from './plugin';\nexport * from './response';\nexport * from './request';\nexport * from './route';\nexport * from './server';\nexport * from './utils';\n\n// Kept for backwards compatibility only (remove in next major)\n\nexport namespace Utils {\n interface Dictionary {\n [key: string]: T;\n }\n}\n" }, { "path": "lib/types/plugin.d.ts", "content": "import { RequestRoute } from './request';\nimport { RouteOptions } from './route';\nimport { Server } from './server';\nimport { Lifecycle } from './utils';\n\n/**\n * one of\n * a single plugin name string.\n * an array of plugin name strings.\n * an object where each key is a plugin name and each matching value is a\n * {@link https://www.npmjs.com/package/semver version range string} which must match the registered\n * plugin version.\n */\nexport type Dependencies = string | string[] | Record;\n\n/**\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverregistrations)\n */\nexport interface PluginsListRegistered {\n}\n\n/**\n * An object of the currently registered plugins where each key is a registered plugin name and the value is an\n * object containing:\n * * version - the plugin version.\n * * name - the plugin name.\n * * options - (optional) options passed to the plugin during registration.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverregistrations)\n */\nexport interface PluginRegistered {\n /**\n * the plugin version.\n */\n version: string;\n\n /**\n * the plugin name.\n */\n name: string;\n\n /**\n * options used to register the plugin.\n */\n options: object;\n}\n\nexport interface PluginsStates {\n}\n\nexport interface PluginSpecificConfiguration {\n}\n\nexport interface PluginNameVersion {\n /**\n * (required) the plugin name string. The name is used as a unique key. Published plugins (e.g. published in the npm\n * registry) should use the same name as the name field in their 'package.json' file. Names must be\n * unique within each application.\n */\n name: string;\n\n /**\n * optional plugin version. The version is only used informatively to enable other plugins to find out the versions loaded. The version should be the same as the one specified in the plugin's\n * 'package.json' file.\n */\n version?: string | undefined;\n}\n\nexport interface PluginPackage {\n /**\n * Alternatively, the name and version can be included via the pkg property containing the 'package.json' file for the module which already has the name and version included\n */\n pkg: PluginNameVersion;\n}\n\nexport interface PluginBase {\n /**\n * (required) the registration function with the signature async function(server, options) where:\n * * server - the server object with a plugin-specific server.realm.\n * * options - any options passed to the plugin during registration via server.register().\n */\n register: (server: Server, options: T) => void | Promise;\n\n /** (optional) if true, allows the plugin to be registered multiple times with the same server. Defaults to false. */\n multiple?: boolean | undefined;\n\n /** (optional) a string or an array of strings indicating a plugin dependency. Same as setting dependencies via server.dependency(). */\n dependencies?: Dependencies | undefined;\n\n /**\n * Allows defining semver requirements for node and hapi.\n * @default Allows all.\n */\n requirements?: {\n node?: string | undefined;\n hapi?: string | undefined;\n } | undefined;\n\n /** once - (optional) if true, will only register the plugin once per server. If set, overrides the once option passed to server.register(). Defaults to no override. */\n once?: boolean | undefined;\n\n /**\n * We need to use D within the PluginBase type to be able to infer it later on,\n * but this property has no concrete existence in the code.\n *\n * See https://github.com/Microsoft/TypeScript/wiki/FAQ#why-doesnt-type-inference-work-on-this-interface-interface-foot-- for details.\n */\n ___$type_of_plugin_decorations$___?: D;\n}\n\n/**\n * A plugin that is registered by name and version.\n */\nexport interface NamedPlugin extends PluginBase, PluginNameVersion {}\n\n/**\n * A plugin that is registered by its package.json file.\n */\nexport interface PackagedPlugin extends PluginBase, PluginPackage {}\n\n\n/**\n * Plugins provide a way to organize application code by splitting the server logic into smaller components. Each\n * plugin can manipulate the server through the standard server interface, but with the added ability to sandbox\n * certain properties. For example, setting a file path in one plugin doesn't affect the file path set\n * in another plugin.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#plugins)\n *\n * The type T is the type of the plugin options.\n */\nexport type Plugin = NamedPlugin | PackagedPlugin;\n\n/**\n * The realm object contains sandboxed server settings specific to each plugin or authentication strategy. When registering a plugin or an authentication scheme, a server object reference is provided\n * with a new server.realm container specific to that registration. It allows each plugin to maintain its own settings without leaking and affecting other plugins. For example, a plugin can set a\n * default file path for local resources without breaking other plugins' configured paths. When calling server.bind(), the active realm's settings.bind property is set which is then used by routes\n * and extensions added at the same level (server root or plugin).\n *\n * https://github.com/hapijs/hapi/blob/master/API.md#server.realm\n */\nexport interface ServerRealm {\n /** when the server object is provided as an argument to the plugin register() method, modifiers provides the registration preferences passed the server.register() method and includes: */\n modifiers: {\n /** routes preferences: */\n route: {\n /**\n * the route path prefix used by any calls to server.route() from the server. Note that if a prefix is used and the route path is set to '/', the resulting path will not include\n * the trailing slash.\n */\n prefix: string;\n /** the route virtual host settings used by any calls to server.route() from the server. */\n vhost: string;\n }\n };\n /** the realm of the parent server object, or null for the root server. */\n parent: ServerRealm | null;\n /** the active plugin name (empty string if at the server root). */\n plugin: string;\n /** the plugin options object passed at registration. */\n pluginOptions: object;\n /** plugin-specific state to be shared only among activities sharing the same active state. plugins is an object where each key is a plugin name and the value is the plugin state. */\n plugins: PluginsStates;\n /** settings overrides */\n settings: {\n files: {\n relativeTo: string;\n };\n bind: object;\n };\n}\n\n/**\n * Registration options (different from the options passed to the registration function):\n * * once - if true, subsequent registrations of the same plugin are skipped without error. Cannot be used with plugin options. Defaults to false. If not set to true, an error will be thrown the\n * second time a plugin is registered on the server.\n * * routes - modifiers applied to each route added by the plugin:\n * * * prefix - string added as prefix to any route path (must begin with '/'). If a plugin registers a child plugin the prefix is passed on to the child or is added in front of the child-specific\n * prefix.\n * * * vhost - virtual host string (or array of strings) applied to every route. The outer-most vhost overrides the any nested configuration.\n * For reference [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverregisterplugins-options)\n */\nexport interface ServerRegisterOptions {\n /**\n * if true, subsequent registrations of the same plugin are skipped without error. Cannot be used with plugin options. Defaults to false. If not set to true, an error will be thrown the second\n * time a plugin is registered on the server.\n */\n once?: boolean | undefined;\n /**\n * modifiers applied to each route added by the plugin:\n */\n routes?: {\n /**\n * string added as prefix to any route path (must begin with '/'). If a plugin registers a child plugin the prefix is passed on to the child or is added in front of the child-specific prefix.\n */\n prefix: string;\n /**\n * virtual host string (or array of strings) applied to every route. The outer-most vhost overrides the any nested configuration.\n */\n vhost?: string | string[] | undefined;\n } | undefined;\n}\n\nexport interface ServerRegisterPluginObjectDirect extends ServerRegisterOptions {\n /**\n * a plugin object.\n */\n plugin: Plugin;\n /**\n * options passed to the plugin during registration.\n */\n options?: T | undefined;\n}\n\nexport interface ServerRegisterPluginObjectWrapped extends ServerRegisterOptions {\n /**\n * a plugin object.\n */\n plugin: { plugin: Plugin };\n /**\n * options passed to the plugin during registration.\n */\n options?: T | undefined;\n}\n\n/**\n * An object with the following:\n * * plugin - a plugin object or a wrapped plugin loaded module.\n * * options - (optional) options passed to the plugin during registration.\n * * once - if true, subsequent registrations of the same plugin are skipped without error. Cannot be used with plugin options. Defaults to false. If not set to true, an error will be thrown the\n * second time a plugin is registered on the server.\n * * routes - modifiers applied to each route added by the plugin:\n * * * prefix - string added as prefix to any route path (must begin with '/'). If a plugin registers a child plugin the prefix is passed on to the child or is added in front of the child-specific\n * prefix.\n * * * vhost - virtual host string (or array of strings) applied to every route. The outer-most vhost overrides the any nested configuration.\n * For reference [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverregisterplugins-options)\n *\n * The type parameter T is the type of the plugin configuration options.\n */\nexport type ServerRegisterPluginObject =\n ServerRegisterPluginObjectDirect |\n ServerRegisterPluginObjectWrapped;\n\nexport type ServerRegisterPluginObjectArray = (\n ServerRegisterPluginObject |\n ServerRegisterPluginObject |\n ServerRegisterPluginObject |\n ServerRegisterPluginObject |\n ServerRegisterPluginObject |\n ServerRegisterPluginObject |\n ServerRegisterPluginObject\n)[];\n\n/**\n * The method function can have a defaults object or function property. If the property is set to an object, that object is used as the default route config for routes using this handler.\n * If the property is set to a function, the function uses the signature function(method) and returns the route default configuration.\n */\nexport interface HandlerDecorationMethod {\n (route: RequestRoute, options: any): Lifecycle.Method;\n defaults?: RouteOptions | ((method: any) => RouteOptions) | undefined;\n}\n\n/**\n * An empty interface to allow typings of custom plugin properties.\n */\n\nexport interface PluginProperties {\n}\n" }, { "path": "lib/types/request.d.ts", "content": "import * as http from 'http';\nimport * as stream from 'stream';\nimport * as url from 'url';\n\nimport { Boom } from '@hapi/boom';\nimport { Podium } from '@hapi/podium';\n\nimport { PluginsStates, ServerRealm } from './plugin';\nimport { ResponseValue, ResponseObject } from \"./response\";\nimport { RouteRules, RouteSettings } from './route';\nimport { Server, ServerAuthSchemeObjectApi } from './server';\nimport { HTTP_METHODS, PeekListener } from './utils';\n\n/**\n * User extensible types user credentials.\n */\nexport interface UserCredentials {\n}\n\n/**\n * User extensible types app credentials.\n */\nexport interface AppCredentials {\n}\n\n/**\n * User-extensible type for request.auth credentials.\n */\nexport interface AuthCredentials<\n AuthUser = UserCredentials,\n AuthApp = AppCredentials\n> {\n /**\n * The application scopes to be granted.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsauthaccessscope)\n */\n scope?: string[] | undefined;\n\n /**\n * If set, will only work with routes that set `access.entity` to `user`.\n */\n user?: AuthUser\n\n /**\n * If set, will only work with routes that set `access.entity` to `app`.\n */\n app?: AuthApp;\n}\n\nexport interface AuthArtifacts {\n [key: string]: unknown;\n}\n\nexport type AuthMode = 'required' | 'optional' | 'try';\n\n/**\n * Authentication information:\n * * artifacts - an artifact object received from the authentication strategy and used in authentication-related actions.\n * * credentials - the credential object received during the authentication process. The presence of an object does not mean successful authentication.\n * * error - the authentication error is failed and mode set to 'try'.\n * * isAuthenticated - true if the request has been successfully authenticated, otherwise false.\n * * isAuthorized - true is the request has been successfully authorized against the route authentication access configuration. If the route has not access rules defined or if the request failed\n * authorization, set to false.\n * * mode - the route authentication mode.\n * * strategy - the name of the strategy used.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestauth)\n */\nexport interface RequestAuth<\n AuthUser = UserCredentials,\n AuthApp = AppCredentials,\n CredentialsExtra = Record,\n ArtifactsExtra = Record\n> {\n /** an artifact object received from the authentication strategy and used in authentication-related actions. */\n artifacts: ArtifactsExtra;\n /** the credential object received during the authentication process. The presence of an object does not mean successful authentication. */\n credentials: (\n\n AuthCredentials &\n CredentialsExtra\n );\n\n /** the authentication error is failed and mode set to 'try'. */\n error: Error;\n /** true if the request has been successfully authenticated, otherwise false. */\n isAuthenticated: boolean;\n /**\n * true is the request has been successfully authorized against the route authentication access configuration. If the route has not access rules defined or if the request failed authorization,\n * set to false.\n */\n isAuthorized: boolean;\n /** true if the request has been authenticated via the `server.inject()` `auth` option, otherwise `undefined`. */\n isInjected?: boolean | undefined;\n /** the route authentication mode. */\n mode: AuthMode;\n /** the name of the strategy used. */\n strategy: string;\n}\n\n\n/**\n * 'peek' - emitted for each chunk of payload data read from the client connection. The event method signature is function(chunk, encoding).\n * 'finish' - emitted when the request payload finished reading. The event method signature is function ().\n * 'disconnect' - emitted when a request errors or aborts unexpectedly.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestevents)\n */\nexport type RequestEventType = 'peek' | 'finish' | 'disconnect';\n\n/**\n * Access: read only and the public podium interface.\n * The request.events supports the following events:\n * * 'peek' - emitted for each chunk of payload data read from the client connection. The event method signature is function(chunk, encoding).\n * * 'finish' - emitted when the request payload finished reading. The event method signature is function ().\n * * 'disconnect' - emitted when a request errors or aborts unexpectedly.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestevents)\n */\nexport interface RequestEvents extends Podium {\n /**\n * Access: read only and the public podium interface.\n * The request.events supports the following events:\n * * 'peek' - emitted for each chunk of payload data read from the client connection. The event method signature is function(chunk, encoding).\n * * 'finish' - emitted when the request payload finished reading. The event method signature is function ().\n * * 'disconnect' - emitted when a request errors or aborts unexpectedly.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestevents)\n */\n on(criteria: 'peek', listener: PeekListener): this;\n\n on(criteria: 'finish' | 'disconnect', listener: (data: undefined) => void): this;\n\n /**\n * Access: read only and the public podium interface.\n * The request.events supports the following events:\n * * 'peek' - emitted for each chunk of payload data read from the client connection. The event method signature is function(chunk, encoding).\n * * 'finish' - emitted when the request payload finished reading. The event method signature is function ().\n * * 'disconnect' - emitted when a request errors or aborts unexpectedly.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestevents)\n */\n once(criteria: 'peek', listener: PeekListener): this;\n once(criteria: 'peek'): Promise>;\n\n once(criteria: 'finish' | 'disconnect', listener: (data: undefined) => void): this;\n}\n\n/**\n * Request information:\n * * acceptEncoding - the request preferred encoding.\n * * cors - if CORS is enabled for the route, contains the following:\n * * isOriginMatch - true if the request 'Origin' header matches the configured CORS restrictions. Set to false if no 'Origin' header is found or if it does not match. Note that this is only\n * available after the 'onRequest' extension point as CORS is configured per-route and no routing decisions are made at that point in the request lifecycle.\n * * host - content of the HTTP 'Host' header (e.g. 'example.com:8080').\n * * hostname - the hostname part of the 'Host' header (e.g. 'example.com').\n * * id - a unique request identifier (using the format '{now}:{connection.info.id}:{5 digits counter}').\n * * received - request reception timestamp.\n * * referrer - content of the HTTP 'Referrer' (or 'Referer') header.\n * * remoteAddress - remote client IP address.\n * * remotePort - remote client port.\n * * responded - request response timestamp (0 is not responded yet).\n * Note that the request.info object is not meant to be modified.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestinfo)\n */\nexport interface RequestInfo {\n /** the request preferred encoding. */\n acceptEncoding: string;\n /** if CORS is enabled for the route, contains the following: */\n cors: {\n /**\n * true if the request 'Origin' header matches the configured CORS restrictions. Set to false if no 'Origin' header is found or if it does not match. Note that this is only available after\n * the 'onRequest' extension point as CORS is configured per-route and no routing decisions are made at that point in the request lifecycle.\n */\n isOriginMatch?: boolean | undefined;\n };\n /** content of the HTTP 'Host' header (e.g. 'example.com:8080'). */\n host: string;\n /** the hostname part of the 'Host' header (e.g. 'example.com'). */\n hostname: string;\n /** a unique request identifier (using the format '{now}:{connection.info.id}:{5 digits counter}') */\n id: string;\n /** request reception timestamp. */\n received: number;\n /** content of the HTTP 'Referrer' (or 'Referer') header. */\n referrer: string;\n /** remote client IP address. */\n remoteAddress: string;\n /** remote client port. */\n remotePort: string;\n /** request response timestamp (0 is not responded yet). */\n responded: number;\n /** request processing completion timestamp (0 is still processing). */\n completed: number;\n}\n\n/**\n * The request route information object, where:\n * * method - the route HTTP method.\n * * path - the route path.\n * * vhost - the route vhost option if configured.\n * * realm - the active realm associated with the route.\n * * settings - the route options object with all defaults applied.\n * * fingerprint - the route internal normalized string representing the normalized path.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestroute)\n */\nexport interface RequestRoute {\n /** the route HTTP method. */\n method: Exclude, 'head'> | '*';\n\n /** the route path. */\n path: string;\n\n /** the route vhost option if configured. */\n vhost?: string | string[] | undefined;\n\n /** the active realm associated with the route. */\n realm: ServerRealm;\n\n /** the route options object with all defaults applied. */\n settings: RouteSettings;\n\n /** the route internal normalized string representing the normalized path. */\n fingerprint: string;\n\n auth: {\n /**\n * Validates a request against the route's authentication access configuration, where:\n * @param request - the request object.\n * @return Return value: true if the request would have passed the route's access requirements.\n * Note that the route's authentication mode and strategies are ignored. The only match is made between the request.auth.credentials scope and entity information and the route access\n * configuration. If the route uses dynamic scopes, the scopes are constructed against the request.query, request.params, request.payload, and request.auth.credentials which may or may\n * not match between the route and the request's route. If this method is called using a request that has not been authenticated (yet or not at all), it will return false if the route\n * requires any authentication.\n * [See docs](https://hapijs.com/api/17.0.1#-requestrouteauthaccessrequest)\n */\n access(request: Request): boolean;\n };\n}\n\n/**\n * An object containing the values of params, query, and payload before any validation modifications made. Only set when input validation is performed.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestorig)\n */\nexport interface RequestOrig {\n params: object;\n query: object;\n payload: object;\n}\n\nexport interface RequestLog {\n request: string;\n timestamp: number;\n tags: string[];\n data: string | object;\n channel: string;\n}\n\nexport interface RequestQuery {\n [key: string]: string | string[] | undefined;\n}\n\n/**\n * Empty interface to allow for user-defined augmentations.\n */\nexport interface RouteOptionsApp {}\n\n/**\n * User-extensible type for application specific state on requests (`request.app`).\n */\nexport interface RequestApplicationState {\n}\n\nexport interface InternalRequestDefaults {\n Server: Server;\n\n Payload: stream.Readable | Buffer | string | object;\n Query: RequestQuery;\n Params: Record;\n Pres: Record;\n Headers: Record;\n RequestApp: RequestApplicationState;\n\n AuthUser: UserCredentials;\n AuthApp: AppCredentials;\n AuthApi: ServerAuthSchemeObjectApi;\n AuthCredentialsExtra: Record;\n AuthArtifactsExtra: Record;\n\n Rules: RouteRules;\n Bind: object | null;\n RouteApp: RouteOptionsApp;\n}\n\n/**\n * Default request references. Used to give typing to requests,\n * route handlers, lifecycle methods, auth credentials, etc.\n * This can be overwritten to whatever is suitable and universal\n * in your specific app, but whatever references you pass to\n * server route generic, or lifecycle methods will take precedence\n * over these.\n */\nexport interface ReqRefDefaults extends InternalRequestDefaults {}\n\n/**\n * Route request overrides\n */\nexport type ReqRef = Partial>;\n\n/**\n * Utilities for merging request refs and other things\n */\nexport type MergeType = Omit & U;\n\nexport type MergeRefs = MergeType;\n\n/**\n * The request object is created internally for each incoming request. It is not the same object received from the node\n * HTTP server callback (which is available via [request.raw.req](https://github.com/hapijs/hapi/blob/master/API.md#request.raw)). The request properties change throughout\n * the request [lifecycle](https://github.com/hapijs/hapi/blob/master/API.md#request-lifecycle).\n */\nexport interface Request extends Podium {\n /**\n * Application-specific state. Provides a safe place to store application data without potential conflicts with the framework. Should not be used by plugins which should use plugins[name].\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestapp)\n */\n app: MergeRefs['RequestApp'];\n\n /**\n * Authentication information:\n * * artifacts - an artifact object received from the authentication strategy and used in authentication-related actions.\n * * credentials - the credential object received during the authentication process. The presence of an object does not mean successful authentication.\n * * error - the authentication error is failed and mode set to 'try'.\n * * isAuthenticated - true if the request has been successfully authenticated, otherwise false.\n * * isAuthorized - true is the request has been successfully authorized against the route authentication access configuration. If the route has not access rules defined or if the request failed\n * authorization, set to false.\n * * mode - the route authentication mode.\n * * strategy - the name of the strategy used.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestauth)\n */\n readonly auth: RequestAuth<\n MergeRefs['AuthUser'],\n MergeRefs['AuthApp'],\n MergeRefs['AuthCredentialsExtra'],\n MergeRefs['AuthArtifactsExtra']\n >;\n\n /**\n * Access: read only and the public podium interface.\n * The request.events supports the following events:\n * * 'peek' - emitted for each chunk of payload data read from the client connection. The event method signature is function(chunk, encoding).\n * * 'finish' - emitted when the request payload finished reading. The event method signature is function ().\n * * 'disconnect' - emitted when a request errors or aborts unexpectedly.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestevents)\n */\n events: RequestEvents;\n\n /**\n * The raw request headers (references request.raw.req.headers).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestheaders)\n */\n readonly headers: MergeRefs['Headers'];\n\n /**\n * Request information:\n * * acceptEncoding - the request preferred encoding.\n * * cors - if CORS is enabled for the route, contains the following:\n * * isOriginMatch - true if the request 'Origin' header matches the configured CORS restrictions. Set to false if no 'Origin' header is found or if it does not match. Note that this is only\n * available after the 'onRequest' extension point as CORS is configured per-route and no routing decisions are made at that point in the request lifecycle.\n * * host - content of the HTTP 'Host' header (e.g. 'example.com:8080').\n * * hostname - the hostname part of the 'Host' header (e.g. 'example.com').\n * * id - a unique request identifier (using the format '{now}:{connection.info.id}:{5 digits counter}').\n * * received - request reception timestamp.\n * * referrer - content of the HTTP 'Referrer' (or 'Referer') header.\n * * remoteAddress - remote client IP address.\n * * remotePort - remote client port.\n * * responded - request response timestamp (0 is not responded yet).\n * Note that the request.info object is not meant to be modified.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestinfo)\n */\n readonly info: RequestInfo;\n\n /**\n * An array containing the logged request events.\n * Note that this array will be empty if route log.collect is set to false.\n */\n readonly logs: RequestLog[];\n\n /**\n * The request method in lower case (e.g. 'get', 'post').\n */\n readonly method: Lowercase;\n\n /**\n * The parsed content-type header. Only available when payload parsing enabled and no payload error occurred.\n */\n readonly mime: string;\n\n /**\n * An object containing the values of params, query, and payload before any validation modifications made. Only set when input validation is performed.\n */\n readonly orig: RequestOrig;\n\n /**\n * An object where each key is a path parameter name with matching value as described in [Path parameters](https://github.com/hapijs/hapi/blob/master/API.md#path-parameters).\n */\n readonly params: MergeRefs['Params'];\n\n /**\n * An array containing all the path params values in the order they appeared in the path.\n */\n readonly paramsArray: keyof MergeRefs['Params'] | string[];\n\n /**\n * The request URI's pathname component.\n */\n readonly path: string;\n\n /**\n * The request payload based on the route payload.output and payload.parse settings.\n * TODO check this typing and add references / links.\n */\n readonly payload: MergeRefs['Payload'];\n\n /**\n * Plugin-specific state. Provides a place to store and pass request-level plugin data. The plugins is an object where each key is a plugin name and the value is the state.\n */\n plugins: PluginsStates;\n\n /**\n * An object where each key is the name assigned by a route pre-handler methods function. The values are the raw values provided to the continuation function as argument. For the wrapped response\n * object, use responses.\n */\n readonly pre: MergeRefs['Pres'];\n\n /**\n * Access: read / write (see limitations below).\n * The response object when set. The object can be modified but must not be assigned another object. To replace the response with another from within an extension point, use reply(response) to\n * override with a different response.\n * In case of an aborted request the status code will be set to `disconnectStatusCode`.\n */\n response: ResponseObject | Boom;\n\n /**\n * Same as pre but represented as the response object created by the pre method.\n */\n readonly preResponses: Record;\n\n /**\n * By default the object outputted from node's URL parse() method.\n */\n readonly query: MergeRefs['Query'];\n\n /**\n * An object containing the Node HTTP server objects. Direct interaction with these raw objects is not recommended.\n * * req - the node request object.\n * * res - the node response object.\n */\n readonly raw: {\n req: http.IncomingMessage;\n res: http.ServerResponse;\n };\n\n /**\n * The request route information object and method\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestroute)\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestrouteauthaccessrequest)\n */\n readonly route: RequestRoute;\n\n /**\n * Access: read only and the public server interface.\n * The server object.\n */\n readonly server: MergeRefs['Server'];\n\n /**\n * An object containing parsed HTTP state information (cookies) where each key is the cookie name and value is the matching cookie content after processing using any registered cookie definition.\n */\n readonly state: Record;\n\n /**\n * The parsed request URI.\n */\n readonly url: url.URL;\n\n /**\n * Returns `true` when the request is active and processing should continue and `false` when the\n * request terminated early or completed its lifecycle. Useful when request processing is a\n * resource-intensive operation and should be terminated early if the request is no longer active\n * (e.g. client disconnected or aborted early).\n */\n active(): boolean;\n\n /**\n * Returns a response which you can pass into the reply interface where:\n * @param source - the value to set as the source of the reply interface, optional.\n * @param options - options for the method, optional.\n * @return ResponseObject\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestgenerateresponsesource-options)\n */\n /* tslint:disable-next-line:max-line-length */\n generateResponse(source: string | object | null, options?: { variety?: string | undefined; prepare?: ((response: ResponseObject) => Promise) | undefined; marshal?: ((response: ResponseObject) => Promise) | undefined; close?: ((response: ResponseObject) => void) | undefined; } | undefined): ResponseObject;\n\n /**\n * Logs request-specific events. When called, the server emits a 'request' event which can be used by other listeners or plugins. The arguments are:\n * @param tags - a string or an array of strings (e.g. ['error', 'database', 'read']) used to identify the event. Tags are used instead of log levels and provide a much more expressive mechanism\n * for describing and filtering events.\n * @param data - (optional) an message string or object with the application data being logged. If data is a function, the function signature is function() and it called once to generate (return\n * value) the actual data emitted to the listeners. Any logs generated by the server internally will be emitted only on the 'request-internal' channel and will include the event.internal flag\n * set to true.\n * @return void\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-requestlogtags-data)\n */\n log(tags: string | string[], data?: string | object | (() => string | object) | undefined): void;\n\n /**\n * Changes the request method before the router begins processing the request where:\n * @param method - is the request HTTP method (e.g. 'GET').\n * @return void\n * Can only be called from an 'onRequest' extension method.\n * [See docs](https://hapijs.com/api/17.0.1#-requestsetmethodmethod)\n */\n setMethod(method: HTTP_METHODS | Lowercase): void;\n\n /**\n * Changes the request URI before the router begins processing the request where:\n * Can only be called from an 'onRequest' extension method.\n * @param url - the new request URI. If url is a string, it is parsed with node's URL parse() method with parseQueryString set to true. url can also be set to an object compatible with node's URL\n * parse() method output.\n * @param stripTrailingSlash - if true, strip the trailing slash from the path. Defaults to false.\n * @return void\n * [See docs](https://hapijs.com/api/17.0.1#-requestseturlurl-striptrailingslash)\n */\n setUrl(url: string | url.URL, stripTrailingSlash?: boolean | undefined): void;\n}\n" }, { "path": "lib/types/response.d.ts", "content": "\nimport { Podium } from '@hapi/podium';\n\nimport { PluginsStates, ServerRealm } from './plugin';\nimport {\n UserCredentials,\n AppCredentials,\n AuthArtifacts,\n AuthCredentials,\n ReqRef,\n ReqRefDefaults,\n MergeRefs,\n Request\n} from './request';\nimport { PeekListener, Lifecycle, Json } from './utils';\nimport { ServerStateCookieOptions } from './server';\n\n/**\n * User-extensible type for application specific state on responses (`response.app`).\n */\nexport interface ResponseApplicationState {\n}\n\n/**\n * Access: read only and the public podium interface.\n * The response.events object supports the following events:\n * * 'peek' - emitted for each chunk of data written back to the client connection. The event method signature is function(chunk, encoding).\n * * 'finish' - emitted when the response finished writing but before the client response connection is ended. The event method signature is function ().\n * [See docs](https://hapijs.com/api/17.0.1#-responseevents)\n */\nexport interface ResponseEvents extends Podium {\n /**\n * 'peek' - emitted for each chunk of data written back to the client connection. The event method signature is function(chunk, encoding).\n * 'finish' - emitted when the response finished writing but before the client response connection is ended. The event method signature is function ().\n */\n on(criteria: 'peek', listener: PeekListener): this;\n\n on(criteria: 'finish', listener: (data: undefined) => void): this;\n\n /**\n * 'peek' - emitted for each chunk of data written back to the client connection. The event method signature is function(chunk, encoding).\n * 'finish' - emitted when the response finished writing but before the client response connection is ended. The event method signature is function ().\n */\n once(criteria: 'peek', listener: PeekListener): this;\n once(criteria: 'peek'): Promise>;\n\n once(criteria: 'finish', listener: (data: undefined) => void): this;\n}\n\n/**\n * Object where:\n * * append - if true, the value is appended to any existing header value using separator. Defaults to false.\n * * separator - string used as separator when appending to an existing value. Defaults to ','.\n * * override - if false, the header value is not set if an existing value present. Defaults to true.\n * * duplicate - if false, the header value is not modified if the provided value is already included. Does not apply when append is false or if the name is 'set-cookie'. Defaults to true.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseheadername-value-options)\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#response-object)\n */\nexport interface ResponseObjectHeaderOptions {\n append?: boolean | undefined;\n separator?: string | undefined;\n override?: boolean | undefined;\n duplicate?: boolean | undefined;\n}\n\n/**\n * The response object contains the request response value along with various HTTP headers and flags. When a lifecycle\n * method returns a value, the value is wrapped in a response object along with some default flags (e.g. 200 status\n * code). In order to customize a response before it is returned, the h.response() method is provided.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#response-object)\n * TODO, check extending from Podium is correct. Extending because of \"The response object supports the following events\" [See docs](https://hapijs.com/api/17.0.1#-responseevents)\n */\nexport interface ResponseObject extends Podium {\n /**\n * @default {}.\n * Application-specific state. Provides a safe place to store application data without potential conflicts with the framework. Should not be used by plugins which should use plugins[name].\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseapp)\n */\n app: ResponseApplicationState;\n\n /**\n * Access: read only and the public podium interface.\n * The response.events object supports the following events:\n * * 'peek' - emitted for each chunk of data written back to the client connection. The event method signature is function(chunk, encoding).\n * * 'finish' - emitted when the response finished writing but before the client response connection is ended. The event method signature is function ().\n * [See docs](https://hapijs.com/api/17.0.1#-responseevents)\n */\n readonly events: ResponseEvents;\n\n /**\n * @default {}.\n * An object containing the response headers where each key is a header field name and the value is the string header value or array of string.\n * Note that this is an incomplete list of headers to be included with the response. Additional headers will be added once the response is prepared for transmission.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseheaders)\n */\n readonly headers: Record;\n\n /**\n * @default {}.\n * Plugin-specific state. Provides a place to store and pass request-level plugin data. plugins is an object where each key is a plugin name and the value is the state.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseplugins)\n */\n plugins: PluginsStates;\n\n /**\n * Object containing the response handling flags.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsesettings)\n */\n readonly settings: ResponseSettings;\n\n /**\n * The raw value returned by the lifecycle method.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsesource)\n */\n readonly source: Lifecycle.ReturnValue;\n\n /**\n * @default 200.\n * The HTTP response status code.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsestatuscode)\n */\n readonly statusCode: number;\n\n /**\n * A string indicating the type of source with available values:\n * * 'plain' - a plain response such as string, number, null, or simple object.\n * * 'buffer' - a Buffer.\n * * 'stream' - a Stream.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsevariety)\n */\n readonly variety: 'plain' | 'buffer' | 'stream';\n\n /**\n * Sets the HTTP 'Content-Length' header (to avoid chunked transfer encoding) where:\n * @param length - the header value. Must match the actual payload size.\n * @return Return value: the current response object.\n * [See docs](https://hapijs.com/api/17.0.1#-responsebyteslength)\n */\n bytes(length: number): ResponseObject;\n\n /**\n * Controls the 'Content-Type' HTTP header 'charset' property of the response.\n * * When invoked without any parameter, will prevent hapi from applying its default charset normalization to 'utf-8'\n * * When 'charset' parameter is provided, will set the 'Content-Type' HTTP header 'charset' property where:\n * @param charset - the charset property value.\n * @return Return value: the current response object.\n * [See docs](https://hapijs.com/api/17.0.1#-responsecharsetcharset)\n */\n charset(charset?: string): ResponseObject | undefined;\n\n /**\n * Sets the HTTP status code where:\n * @param statusCode - the HTTP status code (e.g. 200).\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsecodestatuscode)\n */\n code(statusCode: number): ResponseObject;\n\n /**\n * Sets the HTTP status message where:\n * @param httpMessage - the HTTP status message (e.g. 'Ok' for status code 200).\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsemessagehttpmessage)\n */\n message(httpMessage: string): ResponseObject;\n\n /**\n * Sets the HTTP 'content-encoding' header where:\n * @param encoding - the header value string.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsecompressedencoding)\n */\n compressed(encoding: string): ResponseObject;\n\n /**\n * Sets the HTTP status code to Created (201) and the HTTP 'Location' header where:\n * @param uri - an absolute or relative URI used as the 'Location' header value.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsecreateduri)\n */\n created(uri: string): ResponseObject;\n\n /**\n * Sets the string encoding scheme used to serial data into the HTTP payload where:\n * @param encoding the encoding property value (see node Buffer encoding [See docs](https://nodejs.org/api/buffer.html#buffer_buffers_and_character_encodings)).\n * * 'ascii' - for 7-bit ASCII data only. This encoding is fast and will strip the high bit if set.\n * * 'utf8' - Multibyte encoded Unicode characters. Many web pages and other document formats use UTF-8.\n * * 'utf16le' - 2 or 4 bytes, little-endian encoded Unicode characters. Surrogate pairs (U+10000 to U+10FFFF) are supported.\n * * 'ucs2' - Alias of 'utf16le'.\n * * 'base64' - Base64 encoding. When creating a Buffer from a string, this encoding will also correctly accept \"URL and Filename Safe Alphabet\" as specified in RFC4648, Section 5.\n * * 'latin1' - A way of encoding the Buffer into a one-byte encoded string (as defined by the IANA in RFC1345, page 63, to be the Latin-1 supplement block and C0/C1 control codes).\n * * 'binary' - Alias for 'latin1'.\n * * 'hex' - Encode each byte as two hexadecimal characters.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseencodingencoding)\n */\n encoding(encoding: 'ascii' | 'utf8' | 'utf16le' | 'ucs2' | 'base64' | 'latin1' | 'binary' | 'hex'): ResponseObject;\n\n /**\n * Sets the representation entity tag where:\n * @param tag - the entity tag string without the double-quote.\n * @param options - (optional) settings where:\n * * weak - if true, the tag will be prefixed with the 'W/' weak signifier. Weak tags will fail to match identical tags for the purpose of determining 304 response status. Defaults to false.\n * * vary - if true and content encoding is set or applied to the response (e.g 'gzip' or 'deflate'), the encoding name will be automatically added to the tag at transmission time (separated by\n * a '-' character). Ignored when weak is true. Defaults to true.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseetagtag-options)\n */\n etag(tag: string, options?: {weak: boolean, vary: boolean} | undefined): ResponseObject;\n\n /**\n * Sets an HTTP header where:\n * @param name - the header name.\n * @param value - the header value.\n * @param options - (optional) object where:\n * * append - if true, the value is appended to any existing header value using separator. Defaults to false.\n * * separator - string used as separator when appending to an existing value. Defaults to ','.\n * * override - if false, the header value is not set if an existing value present. Defaults to true.\n * * duplicate - if false, the header value is not modified if the provided value is already included. Does not apply when append is false or if the name is 'set-cookie'. Defaults to true.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseheadername-value-options)\n */\n header(name: string, value: string, options?: ResponseObjectHeaderOptions | undefined): ResponseObject;\n\n /**\n * Sets the HTTP 'Location' header where:\n * @param uri - an absolute or relative URI used as the 'Location' header value.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responselocationuri)\n */\n location(uri: string): ResponseObject;\n\n /**\n * Sets an HTTP redirection response (302) and decorates the response with additional methods, where:\n * @param uri - an absolute or relative URI used to redirect the client to another resource.\n * @return Return value: the current response object.\n * Decorates the response object with the response.temporary(), response.permanent(), and response.rewritable() methods to easily change the default redirection code (302).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseredirecturi)\n */\n redirect(uri: string): ResponseObject;\n\n /**\n * Sets the JSON.stringify() replacer argument where:\n * @param method - the replacer function or array. Defaults to none.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsereplacermethod)\n */\n replacer(method: Json.StringifyReplacer): ResponseObject;\n\n /**\n * Sets the JSON.stringify() space argument where:\n * @param count - the number of spaces to indent nested object keys. Defaults to no indentation.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsespacescount)\n */\n spaces(count: number): ResponseObject;\n\n /**\n * Sets an HTTP cookie where:\n * @param name - the cookie name.\n * @param value - the cookie value. If no options.encoding is defined, must be a string. See server.state() for supported encoding values.\n * @param options - (optional) configuration. If the state was previously registered with the server using server.state(), the specified keys in options are merged with the default server\n * definition.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsestatename-value-options)\n */\n state(name: string, value: object | string, options?: ServerStateCookieOptions | undefined): ResponseObject;\n\n /**\n * Sets a string suffix when the response is process via JSON.stringify() where:\n * @param suffix - the string suffix.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsesuffixsuffix)\n */\n suffix(suffix: string): ResponseObject;\n\n /**\n * Overrides the default route cache expiration rule for this response instance where:\n * @param msec - the time-to-live value in milliseconds.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsettlmsec)\n */\n ttl(msec: number): ResponseObject;\n\n /**\n * Sets the HTTP 'Content-Type' header where:\n * @param mimeType - is the mime type.\n * @return Return value: the current response object.\n * Should only be used to override the built-in default for each response type.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsetypemimetype)\n */\n type(mimeType: string): ResponseObject;\n\n /**\n * Clears the HTTP cookie by setting an expired value where:\n * @param name - the cookie name.\n * @param options - (optional) configuration for expiring cookie. If the state was previously registered with the server using server.state(), the specified options are merged with the server\n * definition.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responseunstatename-options)\n */\n unstate(name: string, options?: ServerStateCookieOptions | undefined): ResponseObject;\n\n /**\n * Adds the provided header to the list of inputs affected the response generation via the HTTP 'Vary' header where:\n * @param header - the HTTP request header name.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsevaryheader)\n */\n vary(header: string): ResponseObject;\n\n /**\n * Marks the response object as a takeover response.\n * @return Return value: the current response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsetakeover)\n */\n takeover(): ResponseObject;\n\n /**\n * Sets the status code to 302 or 307 (based on the response.rewritable() setting) where:\n * @param isTemporary - if false, sets status to permanent. Defaults to true.\n * @return Return value: the current response object.\n * Only available after calling the response.redirect() method.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsetemporaryistemporary)\n */\n temporary(isTemporary?: boolean): ResponseObject;\n\n /**\n * Sets the status code to 301 or 308 (based on the response.rewritable() setting) where:\n * @param isPermanent - if false, sets status to temporary. Defaults to true.\n * @return Return value: the current response object.\n * Only available after calling the response.redirect() method.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsepermanentispermanent)\n */\n permanent(isPermanent?: boolean): ResponseObject;\n\n /**\n * Sets the status code to 301/302 for rewritable (allows changing the request method from 'POST' to 'GET') or 307/308 for non-rewritable (does not allow changing the request method from 'POST'\n * to 'GET'). Exact code based on the response.temporary() or response.permanent() setting. Arguments:\n * @param isRewritable - if false, sets to non-rewritable. Defaults to true.\n * @return Return value: the current response object.\n * Only available after calling the response.redirect() method.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responserewritableisrewritable)\n */\n rewritable(isRewritable?: boolean): ResponseObject;\n}\n\n/**\n * Object containing the response handling flags.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-responsesettings)\n */\nexport interface ResponseSettings {\n /**\n * Defaults value: true.\n * If true and source is a Stream, copies the statusCode and headers properties of the stream object to the outbound response.\n */\n readonly passThrough: boolean;\n\n /**\n * @default null (use route defaults).\n * Override the route json options used when source value requires stringification.\n */\n readonly stringify: Json.StringifyArguments;\n\n /**\n * @default null (use route defaults).\n * If set, overrides the route cache with an expiration value in milliseconds.\n */\n readonly ttl: number;\n\n /**\n * @default false.\n * If true, a suffix will be automatically added to the 'ETag' header at transmission time (separated by a '-' character) when the HTTP 'Vary' header is present.\n */\n varyEtag: boolean;\n}\n\n/**\n * See more about Lifecycle\n * https://github.com/hapijs/hapi/blob/master/API.md#request-lifecycle\n *\n */\n\nexport type ResponseValue = string | object;\n\nexport interface AuthenticationData<\n\n AuthUser = UserCredentials,\n AuthApp = AppCredentials,\n CredentialsExtra = Record,\n ArtifactsExtra = AuthArtifacts\n> {\n credentials: AuthCredentials & CredentialsExtra;\n artifacts?: ArtifactsExtra | undefined;\n}\n\nexport interface Auth<\n AuthUser = UserCredentials,\n AuthApp = AppCredentials,\n CredentialsExtra = Record,\n ArtifactsExtra = AuthArtifacts\n> {\n readonly isAuth: true;\n readonly error?: Error | null | undefined;\n readonly data?: AuthenticationData | undefined;\n}\n\n/**\n * The response toolkit is a collection of properties and utilities passed to every [lifecycle method](https://github.com/hapijs/hapi/blob/master/API.md#lifecycle-methods)\n * It is somewhat hard to define as it provides both utilities for manipulating responses as well as other information. Since the\n * toolkit is passed as a function argument, developers can name it whatever they want. For the purpose of this\n * document the h notation is used. It is named in the spirit of the RethinkDB r method, with h for hapi.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#response-toolkit)\n */\nexport interface ResponseToolkit {\n /**\n * A response symbol. When returned by a lifecycle method, the request lifecycle skips to the finalizing step\n * without further interaction with the node response stream. It is the developer's responsibility to write\n * and end the response directly via [request.raw.res](https://github.com/hapijs/hapi/blob/master/API.md#request.raw).\n */\n readonly abandon: symbol;\n\n /**\n * A response symbol. When returned by a lifecycle method, the request lifecycle skips to the finalizing step after\n * calling request.raw.res.end()) to close the the node response stream.\n */\n readonly close: symbol;\n\n /**\n * A response symbol. Provides access to the route or server context set via the route [bind](https://github.com/hapijs/hapi/blob/master/API.md#route.options.bind)\n * option or [server.bind()](https://github.com/hapijs/hapi/blob/master/API.md#server.bind()).\n */\n readonly context: any;\n\n /**\n * A response symbol. When returned by a lifecycle method, the request lifecycle continues without changing the response.\n */\n readonly continue: symbol;\n\n /**\n * The [server realm](https://github.com/hapijs/hapi/blob/master/API.md#server.realm) associated with the matching\n * route. Defaults to the root server realm in the onRequest step.\n */\n readonly realm: ServerRealm;\n\n /**\n * Access: read only and public request interface.\n * The [request] object. This is a duplication of the request lifecycle method argument used by\n * [toolkit decorations](https://github.com/hapijs/hapi/blob/master/API.md#server.decorate()) to access the current request.\n */\n readonly request: Readonly>;\n\n /**\n * Used by the [authentication] method to pass back valid credentials where:\n * @param data - an object with:\n * * credentials - (required) object representing the authenticated entity.\n * * artifacts - (optional) authentication artifacts object specific to the authentication scheme.\n * @return Return value: an internal authentication object.\n */\n authenticated <\n AuthUser = MergeRefs['AuthUser'],\n AuthApp = MergeRefs['AuthApp'],\n CredentialsExtra = MergeRefs['AuthCredentialsExtra'],\n ArtifactsExtra = MergeRefs['AuthArtifactsExtra']\n >(\n data: (\n AuthenticationData<\n AuthUser,\n AuthApp,\n CredentialsExtra,\n ArtifactsExtra\n >\n )\n ): Auth<\n AuthUser,\n AuthApp,\n CredentialsExtra,\n ArtifactsExtra\n >;\n\n /**\n * Sets the response 'ETag' and 'Last-Modified' headers and checks for any conditional request headers to decide if\n * the response is going to qualify for an HTTP 304 (Not Modified). If the entity values match the request\n * conditions, h.entity() returns a response object for the lifecycle method to return as its value which will\n * set a 304 response. Otherwise, it sets the provided entity headers and returns undefined.\n * The method arguments are:\n * @param options - a required configuration object with:\n * * etag - the ETag string. Required if modified is not present. Defaults to no header.\n * * modified - the Last-Modified header value. Required if etag is not present. Defaults to no header.\n * * vary - same as the response.etag() option. Defaults to true.\n * @return Return value: - a response object if the response is unmodified. - undefined if the response has changed.\n * If undefined is returned, the developer must return a valid lifecycle method value. If a response is returned,\n * it should be used as the return value (but may be customize using the response methods).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-hentityoptions)\n */\n entity(options?: {etag?: string | undefined, modified?: string | undefined, vary?: boolean | undefined} | undefined): ResponseObject;\n\n /**\n * Redirects the client to the specified uri. Same as calling h.response().redirect(uri).\n * @param url\n * @return Returns a response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-hredirecturi)\n */\n redirect(uri?: string | undefined): ResponseObject;\n\n /**\n * Wraps the provided value and returns a response object which allows customizing the response\n * (e.g. setting the HTTP status code, custom headers, etc.), where:\n * @param value - (optional) return value. Defaults to null.\n * @return Returns a response object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-hresponsevalue)\n */\n response(value?: ResponseValue | undefined): ResponseObject;\n\n /**\n * Sets a response cookie using the same arguments as response.state().\n * @param name of the cookie\n * @param value of the cookie\n * @param (optional) ServerStateCookieOptions object.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-hstatename-value-options)\n */\n state(name: string, value: string | object, options?: ServerStateCookieOptions | undefined): void;\n\n /**\n * Used by the [authentication] method to indicate authentication failed and pass back the credentials received where:\n * @param error - (required) the authentication error.\n * @param data - (optional) an object with:\n * * credentials - (required) object representing the authenticated entity.\n * * artifacts - (optional) authentication artifacts object specific to the authentication scheme.\n * @return void.\n * The method is used to pass both the authentication error and the credentials. For example, if a request included\n * expired credentials, it allows the method to pass back the user information (combined with a 'try'\n * authentication mode) for error customization.\n * There is no difference between throwing the error or passing it with the h.unauthenticated() method is no credentials are passed, but it might still be helpful for code clarity.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-hunauthenticatederror-data)\n */\n unauthenticated <\n AuthUser = MergeRefs['AuthUser'],\n AuthApp = MergeRefs['AuthApp'],\n CredentialsExtra = MergeRefs['AuthCredentialsExtra'],\n ArtifactsExtra = MergeRefs['AuthArtifactsExtra']\n >(\n error: Error,\n data?: (\n AuthenticationData<\n AuthUser,\n AuthApp,\n CredentialsExtra,\n ArtifactsExtra\n >\n ) | undefined\n ): Auth<\n AuthUser,\n AuthApp,\n CredentialsExtra,\n ArtifactsExtra\n >;\n\n /**\n * Clears a response cookie using the same arguments as\n * @param name of the cookie\n * @param options (optional) ServerStateCookieOptions object.\n * @return void.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-hunstatename-options)\n */\n unstate(name: string, options?: ServerStateCookieOptions | undefined): void;\n}\n" }, { "path": "lib/types/route.d.ts", "content": "\nimport { ObjectSchema, ValidationOptions, SchemaMap, Schema } from 'joi';\n\nimport { PluginSpecificConfiguration} from './plugin';\nimport { MergeType, ReqRef, ReqRefDefaults, MergeRefs, AuthMode } from './request';\nimport { ContentDecoders, ContentEncoders, RouteRequestExtType, RouteExtObject, Server } from './server';\nimport { Lifecycle, Json, HTTP_METHODS } from './utils';\n\n/**\n * Overrides for `InternalRouteOptionType`. Extend this to have\n * typings for route.options.auth['strategy' || 'scope']\n *\n * @example\n *\n * interface RoutOptionTypes {\n * Strategy: 'jwt' | 'basic' | 'myCustom'\n * Scope: 'user' | 'admin' | 'manager-users'\n * }\n */\nexport interface RouteOptionTypes {\n}\n\nexport interface InternalRouteOptionType {\n Strategy: string;\n Scope: RouteOptionsAccessScope;\n}\n\nexport type RouteOptionsAccessScope = false | string | string[];\n\nexport type AccessEntity = 'any' | 'user' | 'app';\n\nexport interface RouteOptionsAccessScopeObject {\n scope: RouteOptionsAccessScope;\n}\n\nexport interface RouteOptionsAccessEntityObject {\n entity: AccessEntity;\n}\n\nexport type RouteOptionsAccessObject =\n RouteOptionsAccessScopeObject\n | RouteOptionsAccessEntityObject\n | (RouteOptionsAccessScopeObject & RouteOptionsAccessEntityObject);\n\n/**\n * Route Authentication Options\n */\nexport interface RouteOptionsAccess {\n /**\n * @default none.\n * An object or array of objects specifying the route access rules. Each rule is evaluated against an incoming request and access is granted if at least one of the rules matches. Each rule object\n * must include at least one of scope or entity.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsauthaccess)\n */\n access?: RouteOptionsAccessObject | RouteOptionsAccessObject[] | undefined;\n\n /**\n * @default false (no scope requirements).\n * The application scope required to access the route. Value can be a scope string or an array of scope strings. When authenticated, the credentials object scope property must contain at least\n * one of the scopes defined to access the route. If a scope string begins with a + character, that scope is required. If a scope string begins with a ! character, that scope is forbidden. For\n * example, the scope ['!a', '+b', 'c', 'd'] means the incoming request credentials' scope must not include 'a', must include 'b', and must include one of 'c' or 'd'. You may also access\n * properties on the request object (query, params, payload, and credentials) to populate a dynamic scope by using the '{' and '}' characters around the property name, such as 'user-{params.id}'.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsauthaccessscope)\n */\n scope?: MergeType['Scope'] | undefined;\n\n /**\n * @default 'any'.\n * The required authenticated entity type. If set, must match the entity value of the request authenticated credentials. Available values:\n * * 'any' - the authentication can be on behalf of a user or application.\n * * 'user' - the authentication must be on behalf of a user which is identified by the presence of a 'user' attribute in the credentials object returned by the authentication strategy.\n * * 'app' - the authentication must be on behalf of an application which is identified by the lack of presence of a user attribute in the credentials object returned by the authentication\n * strategy.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsauthaccessentity)\n */\n entity?: AccessEntity | undefined;\n\n /**\n * @default 'required'.\n * The authentication mode. Available values:\n * * 'required' - authentication is required.\n * * 'optional' - authentication is optional - the request must include valid credentials or no credentials at all.\n * * 'try' - similar to 'optional', any request credentials are attempted authentication, but if the credentials are invalid, the request proceeds regardless of the authentication error.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsauthmode)\n */\n mode?: AuthMode | undefined;\n\n /**\n * @default false, unless the scheme requires payload authentication.\n * If set, the incoming request payload is authenticated after it is processed. Requires a strategy with payload authentication support (e.g. Hawk). Cannot be set to a value other than 'required'\n * when the scheme sets the authentication options.payload to true. Available values:\n * * false - no payload authentication.\n * * 'required' - payload authentication required.\n * * 'optional' - payload authentication performed only when the client includes payload authentication information (e.g. hash attribute in Hawk).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsauthpayload)\n */\n payload?: false | 'required' | 'optional' | undefined;\n\n /**\n * @default the default strategy set via server.auth.default().\n * An array of string strategy names in the order they should be attempted. Cannot be used together with strategy.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsauthstrategies)\n */\n strategies?: (MergeType['Strategy'])[] | undefined;\n\n /**\n * @default the default strategy set via server.auth.default().\n * A string strategy names. Cannot be used together with strategies.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsauthstrategy)\n */\n strategy?: MergeType['Strategy'] | undefined;\n}\n\n/**\n * Values are:\n * * * 'default' - no privacy flag.\n * * * 'public' - mark the response as suitable for public caching.\n * * * 'private' - mark the response as suitable only for private caching.\n * * expiresIn - relative expiration expressed in the number of milliseconds since the item was saved in the cache. Cannot be used together with expiresAt.\n * * expiresAt - time of day expressed in 24h notation using the 'HH:MM' format, at which point all cache records for the route expire. Cannot be used together with expiresIn.\n * * statuses - an array of HTTP response status code numbers (e.g. 200) which are allowed to include a valid caching directive.\n * * otherwise - a string with the value of the 'Cache-Control' header when caching is disabled.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionscache)\n */\nexport type RouteOptionsCache = {\n privacy?: 'default' | 'public' | 'private' | undefined;\n statuses?: number[] | undefined;\n otherwise?: string | undefined;\n} & (\n {\n expiresIn?: number | undefined;\n expiresAt?: undefined;\n } | {\n expiresIn?: undefined;\n expiresAt?: string | undefined;\n} | {\n expiresIn?: undefined;\n expiresAt?: undefined;\n}\n );\n\n/**\n * @default false (no CORS headers).\n * The Cross-Origin Resource Sharing protocol allows browsers to make cross-origin API calls. CORS is required by web applications running inside a browser which are loaded from a different domain\n * than the API server. To enable, set cors to true, or to an object with the following options:\n * * origin - an array of allowed origin servers strings ('Access-Control-Allow-Origin'). The array can contain any combination of fully qualified origins along with origin strings containing a\n * wildcard '*' character, or a single '*' origin string. If set to 'ignore', any incoming Origin header is ignored (present or not) and the 'Access-Control-Allow-Origin' header is set to '*'.\n * Defaults to any origin ['*'].\n * * maxAge - number of seconds the browser should cache the CORS response ('Access-Control-Max-Age'). The greater the value, the longer it will take before the browser checks for changes in policy.\n * Defaults to 86400 (one day).\n * * headers - a strings array of allowed headers ('Access-Control-Allow-Headers'). Defaults to ['Accept', 'Authorization', 'Content-Type', 'If-None-Match'].\n * * additionalHeaders - a strings array of additional headers to headers. Use this to keep the default headers in place.\n * * exposedHeaders - a strings array of exposed headers ('Access-Control-Expose-Headers'). Defaults to ['WWW-Authenticate', 'Server-Authorization'].\n * * additionalExposedHeaders - a strings array of additional headers to exposedHeaders. Use this to keep the default headers in place.\n * * credentials - if true, allows user credentials to be sent ('Access-Control-Allow-Credentials'). Defaults to false.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionscors)\n */\nexport interface RouteOptionsCors {\n /**\n * an array of allowed origin servers strings ('Access-Control-Allow-Origin'). The array can contain any combination of fully qualified origins along with origin strings containing a wildcard '*'\n * character, or a single '*' origin string. If set to 'ignore', any incoming Origin header is ignored (present or not) and the 'Access-Control-Allow-Origin' header is set to '*'. Defaults to any\n * origin ['*'].\n */\n origin?: string[] | '*' | 'ignore' | undefined;\n /**\n * number of seconds the browser should cache the CORS response ('Access-Control-Max-Age'). The greater the value, the longer it will take before the browser checks for changes in policy.\n * Defaults to 86400 (one day).\n */\n maxAge?: number | undefined;\n /**\n * a strings array of allowed headers ('Access-Control-Allow-Headers'). Defaults to ['Accept', 'Authorization', 'Content-Type', 'If-None-Match'].\n */\n headers?: string[] | undefined;\n /**\n * a strings array of additional headers to headers. Use this to keep the default headers in place.\n */\n additionalHeaders?: string[] | undefined;\n /**\n * a strings array of exposed headers ('Access-Control-Expose-Headers'). Defaults to ['WWW-Authenticate', 'Server-Authorization'].\n */\n exposedHeaders?: string[] | undefined;\n /**\n * a strings array of additional headers to exposedHeaders. Use this to keep the default headers in place.\n */\n additionalExposedHeaders?: string[] | undefined;\n /**\n * if true, allows user credentials to be sent ('Access-Control-Allow-Credentials'). Defaults to false.\n */\n credentials?: boolean | undefined;\n /**\n * the status code used for CORS preflight responses, either 200 or 204. Defaults to 200.\n */\n preflightStatusCode?: 200 | 204;\n}\n\n/**\n * The value must be one of:\n * * 'data' - the incoming payload is read fully into memory. If parse is true, the payload is parsed (JSON, form-decoded, multipart) based on the 'Content-Type' header. If parse is false, a raw\n * Buffer is returned.\n * * 'stream' - the incoming payload is made available via a Stream.Readable interface. If the payload is 'multipart/form-data' and parse is true, field values are presented as text while files are\n * provided as streams. File streams from a 'multipart/form-data' upload will also have a hapi property containing the filename and headers properties. Note that payload streams for multipart\n * payloads are a synthetic interface created on top of the entire multipart content loaded into memory. To avoid loading large multipart payloads into memory, set parse to false and handle the\n * multipart payload in the handler using a streaming parser (e.g. pez).\n * * 'file' - the incoming payload is written to temporary file in the directory specified by the uploads settings. If the payload is 'multipart/form-data' and parse is true, field values are\n * presented as text while files are saved to disk. Note that it is the sole responsibility of the application to clean up the files generated by the framework. This can be done by keeping track of\n * which files are used (e.g. using the request.app object), and listening to the server 'response' event to perform cleanup. For context [See\n * docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadoutput)\n */\nexport type PayloadOutput = 'data' | 'stream' | 'file';\n\n/**\n * Determines how the request payload is processed.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayload)\n */\nexport interface RouteOptionsPayload {\n /**\n * @default allows parsing of the following mime types:\n * * application/json\n * * application/*+json\n * * application/octet-stream\n * * application/x-www-form-urlencoded\n * * multipart/form-data\n * * text/*\n * A string or an array of strings with the allowed mime types for the endpoint. Use this settings to limit the set of allowed mime types. Note that allowing additional mime types not listed\n * above will not enable them to be parsed, and if parse is true, the request will result in an error response.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadallow)\n */\n allow?: string | string[] | undefined;\n\n /**\n * @default none.\n * An object where each key is a content-encoding name and each value is an object with the desired decoder settings. Note that encoder settings are set in compression.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadcompression)\n */\n compression?: { [P in keyof ContentDecoders]?: Parameters[0] } | undefined;\n\n /**\n * @default 'application/json'.\n * The default content type if the 'Content-Type' request header is missing.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloaddefaultcontenttype)\n */\n defaultContentType?: string | undefined;\n\n /**\n * @default 'error' (return a Bad Request (400) error response).\n * A failAction value which determines how to handle payload parsing errors.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadfailaction)\n */\n failAction?: Lifecycle.FailAction | undefined;\n\n /**\n * @default 1048576 (1MB).\n * Limits the size of incoming payloads to the specified byte count. Allowing very large payloads may cause the server to run out of memory.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadmaxbytes)\n */\n maxBytes?: number | undefined;\n\n /**\n * @default 1000\n * Limits the number of parts allowed in multipart payloads.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadmaxparts)\n */\n maxParts?: number;\n\n /**\n * @default none.\n * Overrides payload processing for multipart requests. Value can be one of:\n * * false - disable multipart processing.\n * an object with the following required options:\n * * output - same as the output option with an additional value option:\n * * * annotated - wraps each multipart part in an object with the following keys: // TODO type this?\n * * * * headers - the part headers.\n * * * * filename - the part file name.\n * * * * payload - the processed part payload.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadmultipart)\n */\n multipart?: boolean | { output: PayloadOutput | 'annotated' };\n\n /**\n * @default 'data'.\n * The processed payload format. The value must be one of:\n * * 'data' - the incoming payload is read fully into memory. If parse is true, the payload is parsed (JSON, form-decoded, multipart) based on the 'Content-Type' header. If parse is false, a raw\n * Buffer is returned.\n * * 'stream' - the incoming payload is made available via a Stream.Readable interface. If the payload is 'multipart/form-data' and parse is true, field values are presented as text while files\n * are provided as streams. File streams from a 'multipart/form-data' upload will also have a hapi property containing the filename and headers properties. Note that payload streams for multipart\n * payloads are a synthetic interface created on top of the entire multipart content loaded into memory. To avoid loading large multipart payloads into memory, set parse to false and handle the\n * multipart payload in the handler using a streaming parser (e.g. pez).\n * * 'file' - the incoming payload is written to temporary file in the directory specified by the uploads settings. If the payload is 'multipart/form-data' and parse is true, field values are\n * presented as text while files are saved to disk. Note that it is the sole responsibility of the application to clean up the files generated by the framework. This can be done by keeping track\n * of which files are used (e.g. using the request.app object), and listening to the server 'response' event to perform cleanup.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadoutput)\n */\n output?: PayloadOutput | undefined;\n\n /**\n * @default none.\n * A mime type string overriding the 'Content-Type' header value received.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadoverride)\n */\n override?: string | undefined;\n\n /**\n * @default true.\n * Determines if the incoming payload is processed or presented raw. Available values:\n * * true - if the request 'Content-Type' matches the allowed mime types set by allow (for the whole payload as well as parts), the payload is converted into an object when possible. If the\n * format is unknown, a Bad Request (400) error response is sent. Any known content encoding is decoded.\n * * false - the raw payload is returned unmodified.\n * * 'gunzip' - the raw payload is returned unmodified after any known content encoding is decoded.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadparse)\n */\n parse?: boolean | 'gunzip' | undefined;\n\n /**\n * @default to 'error'.\n * Sets handling of incoming payload that may contain a prototype poisoning security attack.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadprotoaction)\n */\n protoAction?: 'error' | 'remove' | 'ignore';\n\n /**\n * @default to 10000 (10 seconds).\n * Payload reception timeout in milliseconds. Sets the maximum time allowed for the client to transmit the request payload (body) before giving up and responding with a Request Timeout (408)\n * error response. Set to false to disable.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloadtimeout)\n */\n timeout?: false | number | undefined;\n\n /**\n * @default os.tmpdir().\n * The directory used for writing file uploads.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayloaduploads)\n */\n uploads?: string | undefined;\n}\n\n/**\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspre)\n */\nexport type RouteOptionsPreArray = RouteOptionsPreAllOptions[];\n\n/**\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspre)\n */\nexport type RouteOptionsPreAllOptions = RouteOptionsPreObject | RouteOptionsPreObject[] | Lifecycle.Method;\n\n/**\n * An object with:\n * * method - a lifecycle method.\n * * assign - key name used to assign the response of the method to in request.pre and request.preResponses.\n * * failAction - A failAction value which determine what to do when a pre-handler method throws an error. If assign is specified and the failAction setting is not 'error', the error will be assigned.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspre)\n */\nexport interface RouteOptionsPreObject {\n /**\n * a lifecycle method.\n */\n method: Lifecycle.Method;\n /**\n * key name used to assign the response of the method to in request.pre and request.preResponses.\n */\n assign?: keyof MergeRefs['Pres'] | undefined;\n /**\n * A failAction value which determine what to do when a pre-handler method throws an error. If assign is specified and the failAction setting is not 'error', the error will be assigned.\n */\n failAction?: Lifecycle.FailAction | undefined;\n}\n\nexport type ValidationObject = SchemaMap;\n\n/**\n * * true - any query parameter value allowed (no validation performed). false - no parameter value allowed.\n * * a joi validation object.\n * * a validation function using the signature async function(value, options) where:\n * * * value - the request.* object containing the request parameters.\n * * * options - options.\n */\nexport type RouteOptionsResponseSchema =\n boolean\n | ValidationObject\n | Schema\n | ((value: object | Buffer | string, options: ValidationOptions) => Promise);\n\n/**\n * Processing rules for the outgoing response.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponse)\n */\nexport interface RouteOptionsResponse {\n /**\n * @default 204.\n * The default HTTP status code when the payload is considered empty. Value can be 200 or 204. Note that a 200 status code is converted to a 204 only at the time of response transmission (the\n * response status code will remain 200 throughout the request lifecycle unless manually set).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponseemptystatuscode)\n */\n emptyStatusCode?: 200 | 204 | undefined;\n\n /**\n * @default 'error' (return an Internal Server Error (500) error response).\n * A failAction value which defines what to do when a response fails payload validation.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponsefailaction)\n */\n failAction?: Lifecycle.FailAction | undefined;\n\n /**\n * @default false.\n * If true, applies the validation rule changes to the response payload.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponsemodify)\n */\n modify?: boolean | undefined;\n\n /**\n * @default none.\n * [joi](https://github.com/hapijs/joi) options object pass to the validation function. Useful to set global options such as stripUnknown or abortEarly (the complete list is available here). If a\n * custom validation function is defined via schema or status then options can an arbitrary object that will be passed to this function as the second argument.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponseoptions)\n */\n options?: ValidationOptions | undefined; // TODO needs validation\n\n /**\n * @default true.\n * If false, payload range support is disabled.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponseranges)\n */\n ranges?: boolean | undefined;\n\n /**\n * @default 100 (all responses).\n * The percent of response payloads validated (0 - 100). Set to 0 to disable all validation.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponsesample)\n */\n sample?: number | undefined;\n\n /**\n * @default true (no validation).\n * The default response payload validation rules (for all non-error responses) expressed as one of:\n * * true - any payload allowed (no validation).\n * * false - no payload allowed.\n * * a joi validation object. The options along with the request context ({ headers, params, query, payload, app, auth }) are passed to the validation function.\n * * a validation function using the signature async function(value, options) where:\n * * * value - the pending response payload.\n * * * options - The options along with the request context ({ headers, params, query, payload, app, auth }).\n * * * if the function returns a value and modify is true, the value is used as the new response. If the original response is an error, the return value is used to override the original error\n * output.payload. If an error is thrown, the error is processed according to failAction.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponseschema)\n */\n schema?: RouteOptionsResponseSchema | undefined;\n\n /**\n * @default none.\n * Validation schemas for specific HTTP status codes. Responses (excluding errors) not matching the listed status codes are validated using the default schema.\n * status is set to an object where each key is a 3 digit HTTP status code and the value has the same definition as schema.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponsestatus)\n */\n status?: Record | undefined;\n\n /**\n * The default HTTP status code used to set a response error when the request is closed or aborted before the\n * response is fully transmitted.\n * Value can be any integer greater or equal to 400.\n * The default value 499 is based on the non-standard nginx \"CLIENT CLOSED REQUEST\" error.\n * The value is only used for logging as the request has already ended.\n * @default 499\n */\n disconnectStatusCode?: number | undefined;\n}\n\n/**\n * @see https://www.w3.org/TR/referrer-policy/\n */\nexport type ReferrerPolicy = '' | 'no-referrer' | 'no-referrer-when-downgrade' | 'unsafe-url' |\n 'same-origin' | 'origin' | 'strict-origin' | 'origin-when-cross-origin' | 'strict-origin-when-cross-origin';\n\n/**\n * @default false (security headers disabled).\n * Sets common security headers. To enable, set security to true or to an object with the following options:\n * * hsts - controls the 'Strict-Transport-Security' header, where:\n * * * true - the header will be set to max-age=15768000. This is the default value.\n * * * a number - the maxAge parameter will be set to the provided value.\n * * * an object with the following fields:\n * * * * maxAge - the max-age portion of the header, as a number. Default is 15768000.\n * * * * includeSubDomains - a boolean specifying whether to add the includeSubDomains flag to the header.\n * * * * preload - a boolean specifying whether to add the 'preload' flag (used to submit domains inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list) to the header.\n * * xframe - controls the 'X-Frame-Options' header, where:\n * * * true - the header will be set to 'DENY'. This is the default value.\n * * * 'deny' - the headers will be set to 'DENY'.\n * * * 'sameorigin' - the headers will be set to 'SAMEORIGIN'.\n * * * an object for specifying the 'allow-from' rule, where:\n * * * * rule - one of:\n * * * * * 'deny'\n * * * * * 'sameorigin'\n * * * * * 'allow-from'\n * * * * source - when rule is 'allow-from' this is used to form the rest of the header, otherwise this field is ignored. If rule is 'allow-from' but source is unset, the rule will be automatically\n * changed to 'sameorigin'.\n * * xss - controls the 'X-XSS-Protection' header, where:\n * * * 'disabled' - the header will be set to '0'. This is the default value.\n * * * 'enabled' - the header will be set to '1; mode=block'.\n * * * false - the header will be omitted\n * * noOpen - boolean controlling the 'X-Download-Options' header for Internet Explorer, preventing downloads from executing in your context. Defaults to true setting the header to 'noopen'.\n * * noSniff - boolean controlling the 'X-Content-Type-Options' header. Defaults to true setting the header to its only and default option, 'nosniff'.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionssecurity)\n */\nexport interface RouteOptionsSecureObject {\n /**\n * hsts - controls the 'Strict-Transport-Security' header\n */\n hsts?: boolean | number | {\n /**\n * the max-age portion of the header, as a number. Default is 15768000.\n */\n maxAge?: number;\n /**\n * a boolean specifying whether to add the includeSubDomains flag to the header.\n */\n includeSubDomains?: boolean;\n /**\n * a boolean specifying whether to add the 'preload' flag (used to submit domains inclusion in Chrome's HTTP Strict Transport Security (HSTS) preload list) to the header.\n */\n preload?: boolean;\n } | undefined;\n /**\n * controls the 'X-Frame-Options' header\n */\n xframe?: true | 'deny' | 'sameorigin' | {\n /**\n * an object for specifying the 'allow-from' rule,\n */\n rule: 'deny' | 'sameorigin' | 'allow-from';\n /**\n * when rule is 'allow-from' this is used to form the rest of the header, otherwise this field is ignored. If rule is 'allow-from' but source is unset, the rule will be automatically changed\n * to 'sameorigin'.\n */\n source: string;\n } | undefined;\n /**\n * controls the 'X-XSS-Protection' header, where:\n * * 'disabled' - the header will be set to '0'. This is the default value.\n * * 'enabled' - the header will be set to '1; mode=block'.\n * * false - the header will be omitted\n */\n xss?: 'disabled' | 'enabled' | false | undefined;\n /**\n * boolean controlling the 'X-Download-Options' header for Internet Explorer, preventing downloads from executing in your context. Defaults to true setting the header to 'noopen'.\n */\n noOpen?: boolean | undefined;\n /**\n * boolean controlling the 'X-Content-Type-Options' header. Defaults to true setting the header to its only and default option, 'nosniff'.\n */\n noSniff?: boolean | undefined;\n\n /**\n * Controls the `Referrer-Policy` header, which has the following possible values.\n * @default false Header will not be send.\n */\n referrer?: false | ReferrerPolicy | undefined;\n}\n\nexport type RouteOptionsSecure = boolean | RouteOptionsSecureObject;\n\n/**\n * @default { headers: true, params: true, query: true, payload: true, failAction: 'error' }.\n * Request input validation rules for various request components.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidate)\n */\nexport interface RouteOptionsValidate {\n /**\n * @default none.\n * An optional object with error fields copied into every validation error response.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidateerrorfields)\n */\n errorFields?: object | undefined;\n\n /**\n * @default 'error' (return a Bad Request (400) error response).\n * A failAction value which determines how to handle failed validations. When set to a function, the err argument includes the type of validation error under err.output.payload.validation.source.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidatefailaction)\n */\n failAction?: Lifecycle.FailAction | undefined;\n\n /**\n * Validation rules for incoming request headers:\n * * If a value is returned, the value is used as the new request.headers value and the original value is stored in request.orig.headers. Otherwise, the headers are left unchanged. If an error\n * is thrown, the error is handled according to failAction. Note that all header field names must be in lowercase to match the headers normalized by node.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidateheaders)\n * @default true\n */\n headers?: RouteOptionsResponseSchema | undefined;\n\n /**\n * An options object passed to the joi rules or the custom validation methods. Used for setting global options such as stripUnknown or abortEarly (the complete list is available here).\n * If a custom validation function (see headers, params, query, or payload above) is defined then options can an arbitrary object that will be passed to this function as the second parameter.\n * The values of the other inputs (i.e. headers, query, params, payload, app, and auth) are added to the options object under the validation context (accessible in rules as\n * Joi.ref('$query.key')).\n * Note that validation is performed in order (i.e. headers, params, query, and payload) and if type casting is used (e.g. converting a string to a number), the value of inputs not yet validated\n * will reflect the raw, unvalidated and unmodified values. If the validation rules for headers, params, query, and payload are defined at both the server routes level and at the route level, the\n * individual route settings override the routes defaults (the rules are not merged).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidateparams)\n * @default true\n */\n options?: ValidationOptions | object | undefined;\n\n /**\n * Validation rules for incoming request path parameters, after matching the path against the route, extracting any parameters, and storing them in request.params, where:\n * * true - any path parameter value allowed (no validation performed).\n * * a joi validation object.\n * * a validation function using the signature async function(value, options) where:\n * * * value - the request.params object containing the request path parameters.\n * * * options - options.\n * if a value is returned, the value is used as the new request.params value and the original value is stored in request.orig.params. Otherwise, the path parameters are left unchanged. If an\n * error is thrown, the error is handled according to failAction. Note that failing to match the validation rules to the route path parameters definition will cause all requests to fail.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidateparams)\n * @default true\n */\n params?: RouteOptionsResponseSchema | undefined;\n\n /**\n * Validation rules for incoming request payload (request body), where:\n * * If a value is returned, the value is used as the new request.payload value and the original value is stored in request.orig.payload. Otherwise, the payload is left unchanged. If an error is\n * thrown, the error is handled according to failAction. Note that validating large payloads and modifying them will cause memory duplication of the payload (since the original is kept), as well\n * as the significant performance cost of validating large amounts of data.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidatepayload)\n * @default true\n */\n payload?: RouteOptionsResponseSchema | undefined;\n\n /**\n * Validation rules for incoming request URI query component (the key-value part of the URI between '?' and '#'). The query is parsed into its individual key-value pairs, decoded, and stored in\n * request.query prior to validation. Where:\n * * If a value is returned, the value is used as the new request.query value and the original value is stored in request.orig.query. Otherwise, the query parameters are left unchanged.\n * If an error\n * is thrown, the error is handled according to failAction. Note that changes to the query parameters will not be reflected in request.url.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidatequery)\n * @default true\n */\n query?: RouteOptionsResponseSchema | undefined;\n\n /**\n * Validation rules for incoming cookies.\n * The cookie header is parsed and decoded into the request.state prior to validation.\n * @default true\n */\n state?: RouteOptionsResponseSchema | undefined;\n}\n\nexport interface CommonRouteProperties {\n /**\n * Application-specific route configuration state. Should not be used by plugins which should use options.plugins[name] instead.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsapp)\n */\n app?: MergeRefs['RouteApp'] | undefined;\n\n /**\n * @default null.\n * An object passed back to the provided handler (via this) when called. Ignored if the method is an arrow function.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsbind)\n */\n bind?: MergeRefs['Bind'] | undefined;\n\n /**\n * @default { privacy: 'default', statuses: [200], otherwise: 'no-cache' }.\n * If the route method is 'GET', the route can be configured to include HTTP caching directives in the response. Caching can be customized using an object with the following options:\n * privacy - determines the privacy flag included in client-side caching using the 'Cache-Control' header. Values are:\n * * * 'default' - no privacy flag.\n * * * 'public' - mark the response as suitable for public caching.\n * * * 'private' - mark the response as suitable only for private caching.\n * * expiresIn - relative expiration expressed in the number of milliseconds since the item was saved in the cache. Cannot be used together with expiresAt.\n * * expiresAt - time of day expressed in 24h notation using the 'HH:MM' format, at which point all cache records for the route expire. Cannot be used together with expiresIn.\n * * statuses - an array of HTTP response status code numbers (e.g. 200) which are allowed to include a valid caching directive.\n * * otherwise - a string with the value of the 'Cache-Control' header when caching is disabled.\n * The default Cache-Control: no-cache header can be disabled by setting cache to false.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionscache)\n */\n cache?: false | RouteOptionsCache | undefined;\n\n /**\n * An object where each key is a content-encoding name and each value is an object with the desired encoder settings. Note that decoder settings are set in compression.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionscompression)\n */\n compression?: { [P in keyof ContentEncoders]?: Parameters[0] } | undefined;\n\n /**\n * @default false (no CORS headers).\n * The Cross-Origin Resource Sharing protocol allows browsers to make cross-origin API calls. CORS is required by web applications running inside a browser which are loaded from a different\n * domain than the API server. To enable, set cors to true, or to an object with the following options:\n * * origin - an array of allowed origin servers strings ('Access-Control-Allow-Origin'). The array can contain any combination of fully qualified origins along with origin strings containing a\n * wildcard '*' character, or a single '*' origin string. If set to 'ignore', any incoming Origin header is ignored (present or not) and the 'Access-Control-Allow-Origin' header is set to '*'.\n * Defaults to any origin ['*'].\n * * maxAge - number of seconds the browser should cache the CORS response ('Access-Control-Max-Age'). The greater the value, the longer it will take before the browser checks for changes in\n * policy. Defaults to 86400 (one day).\n * * headers - a strings array of allowed headers ('Access-Control-Allow-Headers'). Defaults to ['Accept', 'Authorization', 'Content-Type', 'If-None-Match'].\n * * additionalHeaders - a strings array of additional headers to headers. Use this to keep the default headers in place.\n * * exposedHeaders - a strings array of exposed headers ('Access-Control-Expose-Headers'). Defaults to ['WWW-Authenticate', 'Server-Authorization'].\n * * additionalExposedHeaders - a strings array of additional headers to exposedHeaders. Use this to keep the default headers in place.\n * * credentials - if true, allows user credentials to be sent ('Access-Control-Allow-Credentials'). Defaults to false.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionscors)\n */\n cors?: boolean | RouteOptionsCors | undefined;\n\n /**\n * @default none.\n * Route description used for generating documentation (string).\n * This setting is not available when setting server route defaults using server.options.routes.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsdescription)\n */\n description?: string | undefined;\n\n /**\n * @default none.\n * Route-level request extension points by setting the option to an object with a key for each of the desired extension points ('onRequest' is not allowed), and the value is the same as the\n * server.ext(events) event argument.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsext)\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#request-lifecycle)\n */\n ext?: {\n [key in RouteRequestExtType]?: RouteExtObject | RouteExtObject[] | undefined;\n } | undefined;\n\n /**\n * @default { relativeTo: '.' }.\n * Defines the behavior for accessing files:\n * * relativeTo - determines the folder relative paths are resolved against.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsfiles)\n */\n files?: {\n relativeTo: string;\n } | undefined;\n\n /**\n * @default none.\n * The route handler function performs the main business logic of the route and sets the response. handler can be assigned:\n * * a lifecycle method.\n * * an object with a single property using the name of a handler type registered with the server.handler() method. The matching property value is passed as options to the registered handler\n * generator. Note: handlers using a fat arrow style function cannot be bound to any bind property. Instead, the bound context is available under h.context.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionshandler)\n */\n handler?: Lifecycle.Method | object | undefined;\n\n /**\n * @default none.\n * An optional unique identifier used to look up the route using server.lookup(). Cannot be assigned to routes added with an array of methods.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsid)\n */\n id?: string | undefined;\n\n /**\n * @default false.\n * If true, the route cannot be accessed through the HTTP listener but only through the server.inject() interface with the allowInternals option set to true. Used for internal routes that should\n * not be accessible to the outside world.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsisinternal)\n */\n isInternal?: boolean | undefined;\n\n /**\n * @default none.\n * Optional arguments passed to JSON.stringify() when converting an object or error response to a string payload or escaping it after stringification. Supports the following:\n * * replacer - the replacer function or array. Defaults to no action.\n * * space - number of spaces to indent nested object keys. Defaults to no indentation.\n * * suffix - string suffix added after conversion to JSON string. Defaults to no suffix.\n * * escape - calls Hoek.jsonEscape() after conversion to JSON string. Defaults to false.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsjson)\n */\n json?: Json.StringifyArguments | undefined;\n\n /**\n * @default { collect: false }.\n * Request logging options:\n * collect - if true, request-level logs (both internal and application) are collected and accessible via request.logs.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionslog)\n */\n log?: {\n collect: boolean;\n } | undefined;\n\n /**\n * @default none.\n * Route notes used for generating documentation (string or array of strings).\n * This setting is not available when setting server route defaults using server.options.routes.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsnotes)\n */\n notes?: string | string[] | undefined;\n\n /**\n * Determines how the request payload is processed.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspayload)\n */\n payload?: RouteOptionsPayload | undefined;\n\n /**\n * @default {}.\n * Plugin-specific configuration. plugins is an object where each key is a plugin name and the value is the plugin configuration.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsplugins)\n */\n plugins?: PluginSpecificConfiguration | undefined;\n\n /**\n * @default none.\n * The pre option allows defining methods for performing actions before the handler is called. These methods allow breaking the handler logic into smaller, reusable components that can be shared\n * across routes, as well as provide a cleaner error handling of prerequisite operations (e.g. load required reference data from a database). pre is assigned an ordered array of methods which\n * are called serially in order. If the pre array contains another array of methods as one of its elements, those methods are called in parallel. Note that during parallel execution, if any of\n * the methods error, return a takeover response, or abort signal, the other parallel methods will continue to execute but will be ignored once completed. pre can be assigned a mixed array of:\n * * an array containing the elements listed below, which are executed in parallel.\n * * an object with:\n * * * method - a lifecycle method.\n * * * assign - key name used to assign the response of the method to in request.pre and request.preResponses.\n * * * failAction - A failAction value which determine what to do when a pre-handler method throws an error. If assign is specified and the failAction setting is not 'error', the error will be\n * assigned.\n * * a method function - same as including an object with a single method key.\n * Note that pre-handler methods do not behave the same way other lifecycle methods do when a value is returned. Instead of the return value becoming the new response payload, the value is used\n * to assign the corresponding request.pre and request.preResponses properties. Otherwise, the handling of errors, takeover response response, or abort signal behave the same as any other\n * lifecycle methods.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionspre)\n */\n pre?: RouteOptionsPreArray | undefined;\n\n /**\n * Processing rules for the outgoing response.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsresponse)\n */\n response?: RouteOptionsResponse | undefined;\n\n /**\n * @default false (security headers disabled).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionssecurity)\n */\n security?: RouteOptionsSecure | undefined;\n\n /**\n * @default { parse: true, failAction: 'error' }.\n * HTTP state management (cookies) allows the server to store information on the client which is sent back to the server with every request (as defined in RFC 6265). state supports the following\n * options: parse - determines if incoming 'Cookie' headers are parsed and stored in the request.state object. failAction - A failAction value which determines how to handle cookie parsing\n * errors. Defaults to 'error' (return a Bad Request (400) error response).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsstate)\n */\n state?: {\n parse?: boolean | undefined;\n failAction?: Lifecycle.FailAction | undefined;\n } | undefined;\n\n /**\n * @default none.\n * Route tags used for generating documentation (array of strings).\n * This setting is not available when setting server route defaults using server.options.routes.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionstags)\n */\n tags?: string[] | undefined;\n\n /**\n * @default { server: false }.\n * Timeouts for processing durations.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionstimeout)\n */\n timeout?: {\n /**\n * Response timeout in milliseconds. Sets the maximum time allowed for the server to respond to an incoming request before giving up and responding with a Service Unavailable (503) error\n * response.\n */\n server?: boolean | number | undefined;\n\n /**\n * @default none (use node default of 2 minutes).\n * By default, node sockets automatically timeout after 2 minutes. Use this option to override this behavior. Set to false to disable socket timeouts.\n */\n socket?: boolean | number | undefined;\n } | undefined;\n\n /**\n * @default { headers: true, params: true, query: true, payload: true, failAction: 'error' }.\n * Request input validation rules for various request components.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsvalidate)\n */\n validate?: RouteOptionsValidate | undefined;\n}\n\nexport interface AccessScopes {\n forbidden?: string[] | undefined;\n required?: string[] | undefined;\n selection?: string[] | undefined;\n}\n\nexport interface AccessSetting {\n entity?: AccessEntity | undefined;\n scope: AccessScopes | false;\n}\n\nexport interface AuthSettings {\n strategies: string[];\n mode: AuthMode;\n access?: AccessSetting[] | undefined;\n}\n\nexport interface RouteSettings extends CommonRouteProperties {\n auth?: AuthSettings | undefined;\n}\n\n/**\n * Each route can be customized to change the default behavior of the request lifecycle.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#route-options)\n */\nexport interface RouteOptions extends CommonRouteProperties {\n /**\n * Route authentication configuration. Value can be:\n * false to disable authentication if a default strategy is set.\n * a string with the name of an authentication strategy registered with server.auth.strategy(). The strategy will be set to 'required' mode.\n * an authentication configuration object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsapp)\n */\n auth?: false | string | RouteOptionsAccess | undefined;\n}\n\nexport interface HandlerDecorations {}\n\nexport interface RouteRules {}\n\nexport interface RulesInfo {\n method: string;\n path: string;\n vhost: string;\n}\n\nexport interface RulesOptions {\n validate: {\n schema?: ObjectSchema['Rules']> | Record['Rules'], Schema> | undefined;\n options?: ValidationOptions | undefined;\n };\n}\n\nexport interface RulesProcessor {\n (rules: MergeRefs['Rules'] | null, info: RulesInfo): Partial> | null;\n}\n\ntype RouteDefMethods = Exclude, 'HEAD' | 'head'>;\n\n/**\n * A route configuration object or an array of configuration objects where each object contains:\n * * path - (required) the absolute path used to match incoming requests (must begin with '/'). Incoming requests are compared to the configured paths based on the server's router configuration. The\n * path can include named parameters enclosed in {} which will be matched against literal values in the request as described in Path parameters.\n * * method - (required) the HTTP method. Typically one of 'GET', 'POST', 'PUT', 'PATCH', 'DELETE', or 'OPTIONS'. Any HTTP method is allowed, except for 'HEAD'. Use '*' to match against any HTTP\n * method (only when an exact match was not found, and any match with a specific method will be given a higher priority over a wildcard match). Can be assigned an array of methods which has the same\n * result as adding the same route with different methods manually.\n * * vhost - (optional) a domain string or an array of domain strings for limiting the route to only requests with a matching host header field. Matching is done against the hostname part of the\n * header only (excluding the port). Defaults to all hosts.\n * * handler - (required when handler is not set) the route handler function called to generate the response after successful authentication and validation.\n * * options - additional route options. The options value can be an object or a function that returns an object using the signature function(server) where server is the server the route is being\n * added to and this is bound to the current realm's bind option.\n * * rules - route custom rules object. The object is passed to each rules processor registered with server.rules(). Cannot be used if route.options.rules is defined.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverrouteroute)\n */\nexport interface ServerRoute {\n /**\n * (required) the absolute path used to match incoming requests (must begin with '/'). Incoming requests are compared to the configured paths based on the server's router configuration. The path\n * can include named parameters enclosed in {} which will be matched against literal values in the request as described in Path parameters. For context [See\n * docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverrouteroute) For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#path-parameters)\n */\n path: string;\n\n /**\n * (required) the HTTP method. Typically one of 'GET', 'POST', 'PUT', 'PATCH', 'DELETE', or 'OPTIONS'. Any HTTP method is allowed, except for 'HEAD'. Use '*' to match against any HTTP method\n * (only when an exact match was not found, and any match with a specific method will be given a higher priority over a wildcard match). Can be assigned an array of methods which has the same\n * result as adding the same route with different methods manually.\n */\n method: RouteDefMethods | RouteDefMethods[] | '*';\n\n /**\n * (optional) a domain string or an array of domain strings for limiting the route to only requests with a matching host header field. Matching is done against the hostname part of the header\n * only (excluding the port). Defaults to all hosts.\n */\n vhost?: string | string[] | undefined;\n\n /**\n * (required when handler is not set) the route handler function called to generate the response after successful authentication and validation.\n */\n handler?: Lifecycle.Method | HandlerDecorations | undefined;\n\n /**\n * additional route options. The options value can be an object or a function that returns an object using the signature function(server) where server is the server the route is being added to\n * and this is bound to the current realm's bind option.\n */\n options?: RouteOptions | ((server: Server) => RouteOptions) | undefined;\n\n /**\n * route custom rules object. The object is passed to each rules processor registered with server.rules(). Cannot be used if route.options.rules is defined.\n */\n rules?: MergeRefs['Rules'] | undefined;\n}\n" }, { "path": "lib/types/server/auth.d.ts", "content": "import { Server } from './server';\nimport {\n MergeType,\n ReqRef,\n ReqRefDefaults,\n MergeRefs,\n Request,\n RequestAuth} from '../request';\nimport { ResponseToolkit, AuthenticationData } from '../response';\nimport { RouteOptionsAccess, InternalRouteOptionType, RouteOptionTypes} from '../route';\nimport { Lifecycle } from '../utils';\n\n/**\n * The scheme options argument passed to server.auth.strategy() when instantiation a strategy.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverauthschemename-scheme)\n */\nexport type ServerAuthSchemeOptions = object;\n\n/**\n * the method implementing the scheme with signature function(server, options) where:\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverauthschemename-scheme)\n * @param server - a reference to the server object the scheme is added to.\n * @param options - (optional) the scheme options argument passed to server.auth.strategy() when instantiation a strategy.\n */\nexport type ServerAuthScheme<\n // tslint:disable-next-line no-unnecessary-generics\n Options extends ServerAuthSchemeOptions = ServerAuthSchemeOptions,\n // tslint:disable-next-line no-unnecessary-generics\n Refs extends ReqRef = ReqRefDefaults\n> = (server: Server, options?: Options) => ServerAuthSchemeObject;\n\nexport interface ServerAuthSchemeObjectApi {}\n\n/**\n * The scheme method must return an object with the following\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#authentication-scheme)\n */\n\nexport interface ServerAuthSchemeObject {\n /**\n * optional object which is exposed via the [server.auth.api](https://github.com/hapijs/hapi/blob/master/API.md#server.auth.api) object.\n */\n api?: MergeRefs['AuthApi'] | undefined;\n\n /**\n * A lifecycle method function called for each incoming request configured with the authentication scheme. The\n * method is provided with two special toolkit methods for returning an authenticated or an unauthenticated result:\n * * h.authenticated() - indicate request authenticated successfully.\n * * h.unauthenticated() - indicate request failed to authenticate.\n * @param request the request object.\n * @param h the ResponseToolkit\n * @return the Lifecycle.ReturnValue\n */\n authenticate(request: Request, h: ResponseToolkit): Lifecycle.ReturnValue;\n\n /**\n * A lifecycle method to authenticate the request payload.\n * When the scheme payload() method returns an error with a message, it means payload validation failed due to bad\n * payload. If the error has no message but includes a scheme name (e.g. Boom.unauthorized(null, 'Custom')),\n * authentication may still be successful if the route auth.payload configuration is set to 'optional'.\n * @param request the request object.\n * @param h the ResponseToolkit\n * @return the Lifecycle.ReturnValue\n */\n payload?(request: Request, h: ResponseToolkit): Lifecycle.ReturnValue;\n\n /**\n * A lifecycle method to decorate the response with authentication headers before the response headers or payload is written.\n * @param request the request object.\n * @param h the ResponseToolkit\n * @return the Lifecycle.ReturnValue\n */\n response?(request: Request, h: ResponseToolkit): Lifecycle.ReturnValue;\n\n /**\n * a method used to verify the authentication credentials provided\n * are still valid (e.g. not expired or revoked after the initial authentication).\n * the method throws an `Error` when the credentials passed are no longer valid (e.g. expired or\n * revoked). Note that the method does not have access to the original request, only to the\n * credentials and artifacts produced by the `authenticate()` method.\n */\n verify?(\n auth: RequestAuth<\n MergeRefs['AuthUser'],\n MergeRefs['AuthApp'],\n MergeRefs['AuthCredentialsExtra'],\n MergeRefs['AuthArtifactsExtra']\n >\n ): Promise;\n\n /**\n * An object with the following keys:\n * * payload\n */\n options?: {\n /**\n * if true, requires payload validation as part of the scheme and forbids routes from disabling payload auth validation. Defaults to false.\n */\n payload?: boolean | undefined;\n } | undefined;\n}\n\n/**\n * An authentication configuration object using the same format as the route auth handler options.\n * For reference [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverauthdefaultoptions)\n */\n\nexport interface ServerAuthConfig extends RouteOptionsAccess {\n}\n\nexport interface ServerAuth {\n /**\n * An object where each key is an authentication strategy name and the value is the exposed strategy API.\n * Available only when the authentication scheme exposes an API by returning an api key in the object\n * returned from its implementation function.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverauthapi)\n */\n api: Record;\n\n /**\n * Contains the default authentication configuration is a default strategy was set via\n * [server.auth.default()](https://github.com/hapijs/hapi/blob/master/API.md#server.auth.default()).\n */\n readonly settings: {\n default: ServerAuthConfig;\n };\n\n /**\n * Sets a default strategy which is applied to every route where:\n * @param options - one of:\n * * a string with the default strategy name\n * * an authentication configuration object using the same format as the route auth handler options.\n * @return void.\n * The default does not apply when a route config specifies auth as false, or has an authentication strategy\n * configured (contains the strategy or strategies authentication settings). Otherwise, the route authentication\n * config is applied to the defaults.\n * Note that if the route has authentication configured, the default only applies at the time of adding the route,\n * not at runtime. This means that calling server.auth.default() after adding a route with some authentication\n * config will have no impact on the routes added prior. However, the default will apply to routes added\n * before server.auth.default() is called if those routes lack any authentication config.\n * The default auth strategy configuration can be accessed via server.auth.settings.default. To obtain the active\n * authentication configuration of a route, use server.auth.lookup(request.route).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverauthdefaultoptions)\n */\n default(options: string | ServerAuthConfig): void;\n\n /**\n * Registers an authentication scheme where:\n * @param name the scheme name.\n * @param scheme - the method implementing the scheme with signature function(server, options) where:\n * * server - a reference to the server object the scheme is added to.\n * * options - (optional) the scheme options argument passed to server.auth.strategy() when instantiation a strategy.\n * @return void.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverauthschemename-scheme)\n */\n\n scheme <\n Refs extends ReqRef = ReqRefDefaults,\n Options extends object = {}\n // tslint:disable-next-line no-unnecessary-generics\n >(name: string, scheme: ServerAuthScheme): void;\n\n /**\n * Registers an authentication strategy where:\n * @param name - the strategy name.\n * @param scheme - the scheme name (must be previously registered using server.auth.scheme()).\n * @param options - scheme options based on the scheme requirements.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverauthstrategyname-scheme-options)\n */\n strategy(\n name: MergeType['Strategy'],\n scheme: string,\n options?: object\n ): void;\n\n /**\n * Tests a request against an authentication strategy where:\n * @param strategy - the strategy name registered with server.auth.strategy().\n * @param request - the request object.\n * @return an object containing the authentication credentials and artifacts if authentication was successful, otherwise throws an error.\n * Note that the test() method does not take into account the route authentication configuration. It also does not\n * perform payload authentication. It is limited to the basic strategy authentication execution. It does not\n * include verifying scope, entity, or other route properties.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverauthteststrategy-request)\n */\n test(strategy: string, request: Request): Promise;\n\n /**\n * Verify a request's authentication credentials against an authentication strategy.\n * Returns nothing if verification was successful, otherwise throws an error.\n *\n * Note that the `verify()` method does not take into account the route authentication configuration\n * or any other information from the request other than the `request.auth` object. It also does not\n * perform payload authentication. It is limited to verifying that the previously valid credentials\n * are still valid (e.g. have not been revoked or expired). It does not include verifying scope,\n * entity, or other route properties.\n */\n // tslint:disable-next-line no-unnecessary-generics\n verify (request: Request): Promise;\n}\n" }, { "path": "lib/types/server/cache.d.ts", "content": "import { PolicyOptionVariants, Policy, ClientApi, ClientOptions, EnginePrototype, PolicyOptions } from '@hapi/catbox';\n\nexport type CachePolicyOptions = PolicyOptionVariants & {\n /**\n * @default '_default'\n */\n cache?: string | undefined;\n segment?: string | undefined;\n};\n\n/**\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servercacheoptions)\n */\nexport interface ServerCache {\n /**\n * Provisions a cache segment within the server cache facility where:\n * @param options - [catbox policy](https://github.com/hapijs/catbox#policy) configuration where:\n * * expiresIn - relative expiration expressed in the number of milliseconds since the item was saved in the cache. Cannot be used together with expiresAt.\n * * expiresAt - time of day expressed in 24h notation using the 'HH:MM' format, at which point all cache records expire. Uses local time. Cannot be used together with expiresIn.\n * * generateFunc - a function used to generate a new cache item if one is not found in the cache when calling get(). The method's signature is async function(id, flags) where:\n * - `id` - the `id` string or object provided to the `get()` method.\n * - `flags` - an object used to pass back additional flags to the cache where:\n * - `ttl` - the cache ttl value in milliseconds. Set to `0` to skip storing in the cache. Defaults to the cache global policy.\n * * staleIn - number of milliseconds to mark an item stored in cache as stale and attempt to regenerate it when generateFunc is provided. Must be less than expiresIn.\n * * staleTimeout - number of milliseconds to wait before checking if an item is stale.\n * * generateTimeout - number of milliseconds to wait before returning a timeout error when the generateFunc function takes too long to return a value. When the value is eventually returned, it\n * is stored in the cache for future requests. Required if generateFunc is present. Set to false to disable timeouts which may cause all get() requests to get stuck forever.\n * * generateOnReadError - if false, an upstream cache read error will stop the cache.get() method from calling the generate function and will instead pass back the cache error. Defaults to true.\n * * generateIgnoreWriteError - if false, an upstream cache write error when calling cache.get() will be passed back with the generated value when calling. Defaults to true.\n * * dropOnError - if true, an error or timeout in the generateFunc causes the stale value to be evicted from the cache. Defaults to true.\n * * pendingGenerateTimeout - number of milliseconds while generateFunc call is in progress for a given id, before a subsequent generateFunc call is allowed. Defaults to 0 (no blocking of\n * concurrent generateFunc calls beyond staleTimeout).\n * * cache - the cache name configured in server.cache. Defaults to the default cache.\n * * segment - string segment name, used to isolate cached items within the cache partition. When called within a plugin, defaults to '!name' where 'name' is the plugin name. When called within a\n * server method, defaults to '#name' where 'name' is the server method name. Required when called outside of a plugin.\n * * shared - if true, allows multiple cache provisions to share the same segment. Default to false.\n * @return Catbox Policy.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servercacheoptions)\n */\n = CachePolicyOptions>(options: O): Policy;\n\n /**\n * Provisions a server cache as described in server.cache where:\n * @param options - same as the server cache configuration options.\n * @return Return value: none.\n * Note that if the server has been initialized or started, the cache will be automatically started to match the state of any other provisioned server cache.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-servercacheprovisionoptions)\n */\n provision(options: ServerOptionsCache): Promise;\n}\n\nexport type CacheProvider = EnginePrototype | {\n constructor: EnginePrototype;\n options?: T | undefined;\n};\n\n/**\n * hapi uses catbox for its cache implementation which includes support for common storage solutions (e.g. Redis,\n * MongoDB, Memcached, Riak, among others). Caching is only utilized if methods and plugins explicitly store their state in the cache.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-cache)\n */\nexport interface ServerOptionsCache extends PolicyOptions {\n /** catbox engine object. */\n engine?: ClientApi | undefined;\n\n /**\n * a class or a prototype function\n */\n provider?: CacheProvider | undefined;\n\n /**\n * an identifier used later when provisioning or configuring caching for server methods or plugins. Each cache name must be unique. A single item may omit the name option which defines\n * the default cache. If every cache includes a name, a default memory cache is provisioned as well.\n */\n name?: string | undefined;\n\n /** if true, allows multiple cache users to share the same segment (e.g. multiple methods using the same cache storage container). Default to false. */\n shared?: boolean | undefined;\n\n /** (optional) string used to isolate cached data. Defaults to 'hapi-cache'. */\n partition?: string | undefined;\n\n /** other options passed to the catbox strategy used. Other options are only passed to catbox when engine above is a class or function and ignored if engine is a catbox engine object). */\n [s: string]: any;\n}\n" }, { "path": "lib/types/server/encoders.d.ts", "content": "import { createDeflate, createGunzip, createGzip, createInflate } from 'zlib';\n\n/**\n * Available [content encoders](https://github.com/hapijs/hapi/blob/master/API.md#-serverencoderencoding-encoder).\n */\nexport interface ContentEncoders {\n\n deflate: typeof createDeflate;\n gzip: typeof createGzip;\n}\n\n/**\n * Available [content decoders](https://github.com/hapijs/hapi/blob/master/API.md#-serverdecoderencoding-decoder).\n */\nexport interface ContentDecoders {\n\n deflate: typeof createInflate;\n gzip: typeof createGunzip;\n}\n" }, { "path": "lib/types/server/events.d.ts", "content": "import { Podium } from '@hapi/podium';\n\nimport { Request, RequestRoute } from '../request';\n\n/**\n * an event name string.\n * an event options object.\n * a podium emitter object.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servereventevents)\n */\nexport type ServerEventsApplication = string | ServerEventsApplicationObject | Podium;\n\n/**\n * Object that it will be used in Event\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servereventevents)\n */\nexport interface ServerEventsApplicationObject {\n /** the event name string (required). */\n name: string;\n /** a string or array of strings specifying the event channels available. Defaults to no channel restrictions (event updates can specify a channel or not). */\n channels?: string | string[] | undefined;\n /**\n * if true, the data object passed to server.events.emit() is cloned before it is passed to the listeners (unless an override specified by each listener). Defaults to false (data is passed as-is).\n */\n clone?: boolean | undefined;\n /**\n * if true, the data object passed to server.event.emit() must be an array and the listener method is called with each array element passed as a separate argument (unless an override specified\n * by each listener). This should only be used when the emitted data structure is known and predictable. Defaults to false (data is emitted as a single argument regardless of its type).\n */\n spread?: boolean | undefined;\n /**\n * if true and the criteria object passed to server.event.emit() includes tags, the tags are mapped to an object (where each tag string is the key and the value is true) which is appended to\n * the arguments list at the end. A configuration override can be set by each listener. Defaults to false.\n */\n tags?: boolean | undefined;\n /**\n * if true, the same event name can be registered multiple times where the second registration is ignored. Note that if the registration config is changed between registrations, only the first\n * configuration is used. Defaults to false (a duplicate registration will throw an error).\n */\n shared?: boolean | undefined;\n}\n\n/**\n * A criteria object with the following optional keys (unless noted otherwise):\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servereventsoncriteria-listener)\n *\n * The type parameter T is the type of the name of the event.\n */\nexport interface ServerEventCriteria {\n /** (required) the event name string. */\n name: T;\n /**\n * a string or array of strings specifying the event channels to subscribe to. If the event registration specified a list of allowed channels, the channels array must match the allowed\n * channels. If channels are specified, event updates without any channel designation will not be included in the subscription. Defaults to no channels filter.\n */\n channels?: string | string[] | undefined;\n /** if true, the data object passed to server.event.emit() is cloned before it is passed to the listener method. Defaults to the event registration option (which defaults to false). */\n clone?: boolean | undefined;\n /**\n * a positive integer indicating the number of times the listener can be called after which the subscription is automatically removed. A count of 1 is the same as calling server.events.once().\n * Defaults to no limit.\n */\n count?: number | undefined;\n /**\n * filter - the event tags (if present) to subscribe to which can be one of:\n * * a tag string.\n * * an array of tag strings.\n * * an object with the following:\n * * * tags - a tag string or array of tag strings.\n * * * all - if true, all tags must be present for the event update to match the subscription. Defaults to false (at least one matching tag).\n */\n filter?: string | string[] | { tags: string | string[] | undefined, all?: boolean | undefined } | undefined;\n /**\n * if true, and the data object passed to server.event.emit() is an array, the listener method is called with each array element passed as a separate argument. This should only be used\n * when the emitted data structure is known and predictable. Defaults to the event registration option (which defaults to false).\n */\n spread?: boolean | undefined;\n /**\n * if true and the criteria object passed to server.event.emit() includes tags, the tags are mapped to an object (where each tag string is the key and the value is true) which is appended\n * to the arguments list at the end. Defaults to the event registration option (which defaults to false).\n */\n tags?: boolean | undefined;\n}\n\nexport interface LogEvent {\n /** the event timestamp. */\n timestamp: string;\n /** an array of tags identifying the event (e.g. ['error', 'http']) */\n tags: string[];\n /** set to 'internal' for internally generated events, otherwise 'app' for events generated by server.log() */\n channel: 'internal' | 'app';\n /** the request identifier. */\n request: string;\n /** event-specific information. Available when event data was provided and is not an error. Errors are passed via error. */\n data: T;\n /** the error object related to the event if applicable. Cannot appear together with data */\n error: object;\n}\n\nexport interface RequestEvent {\n /** the event timestamp. */\n timestamp: string;\n /** an array of tags identifying the event (e.g. ['error', 'http']) */\n tags: string[];\n /** set to 'internal' for internally generated events, otherwise 'app' for events generated by server.log() */\n channel: 'internal' | 'app' | 'error';\n /** event-specific information. Available when event data was provided and is not an error. Errors are passed via error. */\n data: object | string;\n /** the error object related to the event if applicable. Cannot appear together with data */\n error: object;\n}\n\nexport type LogEventHandler = (event: LogEvent, tags: { [key: string]: true }) => void;\nexport type RequestEventHandler = (request: Request, event: RequestEvent, tags: { [key: string]: true }) => void;\nexport type ResponseEventHandler = (request: Request) => void;\nexport type RouteEventHandler = (route: RequestRoute) => void;\nexport type StartEventHandler = () => void;\nexport type StopEventHandler = () => void;\n\nexport interface PodiumEvent {\n emit(criteria: K, listener: (value: T) => void): void;\n\n on(criteria: K, listener: (value: T) => void): void;\n\n once(criteria: K, listener: (value: T) => void): void;\n\n once(criteria: K): Promise;\n\n removeListener(criteria: K, listener: Podium.Listener): this;\n\n removeAllListeners(criteria: K): this;\n\n hasListeners(criteria: K): this;\n}\n\n/**\n * Access: podium public interface.\n * The server events emitter. Utilizes the podium with support for event criteria validation, channels, and filters.\n * Use the following methods to interact with server.events:\n * [server.event(events)](https://github.com/hapijs/hapi/blob/master/API.md#server.event()) - register application events.\n * [server.events.emit(criteria, data)](https://github.com/hapijs/hapi/blob/master/API.md#server.events.emit()) - emit server events.\n * [server.events.on(criteria, listener)](https://github.com/hapijs/hapi/blob/master/API.md#server.events.on()) - subscribe to all events.\n * [server.events.once(criteria, listener)](https://github.com/hapijs/hapi/blob/master/API.md#server.events.once()) - subscribe to\n * Other methods include: server.events.removeListener(name, listener), server.events.removeAllListeners(name), and server.events.hasListeners(name).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverevents)\n */\nexport interface ServerEvents extends Podium {\n /**\n * Subscribe to an event where:\n * @param criteria - the subscription criteria which must be one of:\n * * event name string which can be any of the built-in server events\n * * a custom application event registered with server.event().\n * * a criteria object\n * @param listener - the handler method set to receive event updates. The function signature depends on the event argument, and the spread and tags options.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servereventsoncriteria-listener)\n * See ['log' event](https://github.com/hapijs/hapi/blob/master/API.md#-log-event)\n * See ['request' event](https://github.com/hapijs/hapi/blob/master/API.md#-request-event)\n * See ['response' event](https://github.com/hapijs/hapi/blob/master/API.md#-response-event)\n * See ['route' event](https://github.com/hapijs/hapi/blob/master/API.md#-route-event)\n * See ['start' event](https://github.com/hapijs/hapi/blob/master/API.md#-start-event)\n * See ['stop' event](https://github.com/hapijs/hapi/blob/master/API.md#-stop-event)\n */\n on(criteria: 'log' | ServerEventCriteria<'log'>, listener: LogEventHandler): this;\n on(criteria: 'request' | ServerEventCriteria<'request'>, listener: RequestEventHandler): this;\n on(criteria: 'response' | ServerEventCriteria<'response'>, listener: ResponseEventHandler): this;\n on(criteria: 'route' | ServerEventCriteria<'route'>, listener: RouteEventHandler): this;\n on(criteria: 'start' | ServerEventCriteria<'start'>, listener: StartEventHandler): this;\n on(criteria: 'stop' | ServerEventCriteria<'stop'>, listener: StopEventHandler): this;\n on(criteria: string | ServerEventCriteria, listener: (value: any) => void): this;\n\n /**\n * Same as calling [server.events.on()](https://github.com/hapijs/hapi/blob/master/API.md#server.events.on()) with the count option set to 1.\n * @param criteria - the subscription criteria which must be one of:\n * * event name string which can be any of the built-in server events\n * * a custom application event registered with server.event().\n * * a criteria object\n * @param listener - the handler method set to receive event updates. The function signature depends on the event argument, and the spread and tags options.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servereventsoncecriteria-listener)\n */\n once(criteria: 'log' | ServerEventCriteria<'log'>, listener: LogEventHandler): this;\n once(criteria: 'request' | ServerEventCriteria<'request'>, listener: RequestEventHandler): this;\n once(criteria: 'response' | ServerEventCriteria<'response'>, listener: ResponseEventHandler): this;\n once(criteria: 'route' | ServerEventCriteria<'route'>, listener: RouteEventHandler): this;\n once(criteria: 'start' | ServerEventCriteria<'start'>, listener: StartEventHandler): this;\n once(criteria: 'stop' | ServerEventCriteria<'stop'>, listener: StopEventHandler): this;\n\n /**\n * Same as calling server.events.on() with the count option set to 1.\n * @param criteria - the subscription criteria which must be one of:\n * * event name string which can be any of the built-in server events\n * * a custom application event registered with server.event().\n * * a criteria object\n * @return Return value: a promise that resolves when the event is emitted.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-servereventsoncecriteria)\n */\n once(criteria: string | ServerEventCriteria): Promise;\n\n /**\n * The follow method is only mentioned in Hapi API. The doc about that method can be found [here](https://github.com/hapijs/podium/blob/master/API.md#podiumremovelistenername-listener)\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverevents)\n */\n removeListener(name: string, listener: Podium.Listener): this;\n\n /**\n * The follow method is only mentioned in Hapi API. The doc about that method can be found [here](https://github.com/hapijs/podium/blob/master/API.md#podiumremovealllistenersname)\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverevents)\n */\n removeAllListeners(name: string): this;\n\n /**\n * The follow method is only mentioned in Hapi API. The doc about that method can be found [here](https://github.com/hapijs/podium/blob/master/API.md#podiumhaslistenersname)\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverevents)\n */\n hasListeners(name: string): boolean;\n}\n" }, { "path": "lib/types/server/ext.d.ts", "content": "import { Server, ServerApplicationState } from './server';\nimport { ReqRef, ReqRefDefaults } from '../request';\nimport { Lifecycle } from '../utils';\n\n/**\n * The extension point event name. The available extension points include the request extension points as well as the following server extension points:\n * 'onPreStart' - called before the connection listeners are started.\n * 'onPostStart' - called after the connection listeners are started.\n * 'onPreStop' - called before the connection listeners are stopped.\n * 'onPostStop' - called after the connection listeners are stopped.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverextevents)\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#request-lifecycle)\n */\nexport type ServerExtType = 'onPreStart' | 'onPostStart' | 'onPreStop' | 'onPostStop';\nexport type RouteRequestExtType = 'onPreAuth'\n | 'onCredentials'\n | 'onPostAuth'\n | 'onPreHandler'\n | 'onPostHandler'\n | 'onPreResponse'\n | 'onPostResponse';\n\nexport type ServerRequestExtType =\n RouteRequestExtType\n | 'onRequest';\n\n/**\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverextevents)\n * Registers an extension function in one of the request lifecycle extension points where:\n * @param events - an object or array of objects with the following:\n * * type - (required) the extension point event name. The available extension points include the request extension points as well as the following server extension points:\n * * * 'onPreStart' - called before the connection listeners are started.\n * * * 'onPostStart' - called after the connection listeners are started.\n * * * 'onPreStop' - called before the connection listeners are stopped.\n * * * 'onPostStop' - called after the connection listeners are stopped.\n * * method - (required) a function or an array of functions to be executed at a specified point during request processing. The required extension function signature is:\n * * * server extension points: async function(server) where:\n * * * * server - the server object.\n * * * * this - the object provided via options.bind or the current active context set with server.bind().\n * * * request extension points: a lifecycle method.\n * * options - (optional) an object with the following:\n * * * before - a string or array of strings of plugin names this method must execute before (on the same event). Otherwise, extension methods are executed in the order added.\n * * * after - a string or array of strings of plugin names this method must execute after (on the same event). Otherwise, extension methods are executed in the order added.\n * * * bind - a context object passed back to the provided method (via this) when called. Ignored if the method is an arrow function.\n * * * sandbox - if set to 'plugin' when adding a request extension points the extension is only added to routes defined by the current plugin. Not allowed when configuring route-level extensions, or\n * when adding server extensions. Defaults to 'server' which applies to any route added to the server the extension is added to.\n * @return void\n */\nexport interface ServerExtEventsObject {\n /**\n * (required) the extension point event name. The available extension points include the request extension points as well as the following server extension points:\n * * 'onPreStart' - called before the connection listeners are started.\n * * 'onPostStart' - called after the connection listeners are started.\n * * 'onPreStop' - called before the connection listeners are stopped.\n */\n type: ServerExtType;\n /**\n * (required) a function or an array of functions to be executed at a specified point during request processing. The required extension function signature is:\n * * server extension points: async function(server) where:\n * * * server - the server object.\n * * * this - the object provided via options.bind or the current active context set with server.bind().\n * * request extension points: a lifecycle method.\n */\n method: ServerExtPointFunction | ServerExtPointFunction[];\n options?: ServerExtOptions | undefined;\n}\n\nexport interface RouteExtObject {\n method: Lifecycle.Method;\n options?: ServerExtOptions | undefined;\n}\n\n/**\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverextevents)\n * Registers an extension function in one of the request lifecycle extension points where:\n * @param events - an object or array of objects with the following:\n * * type - (required) the extension point event name. The available extension points include the request extension points as well as the following server extension points:\n * * * 'onPreStart' - called before the connection listeners are started.\n * * * 'onPostStart' - called after the connection listeners are started.\n * * * 'onPreStop' - called before the connection listeners are stopped.\n * * * 'onPostStop' - called after the connection listeners are stopped.\n * * method - (required) a function or an array of functions to be executed at a specified point during request processing. The required extension function signature is:\n * * * server extension points: async function(server) where:\n * * * * server - the server object.\n * * * * this - the object provided via options.bind or the current active context set with server.bind().\n * * * request extension points: a lifecycle method.\n * * options - (optional) an object with the following:\n * * * before - a string or array of strings of plugin names this method must execute before (on the same event). Otherwise, extension methods are executed in the order added.\n * * * after - a string or array of strings of plugin names this method must execute after (on the same event). Otherwise, extension methods are executed in the order added.\n * * * bind - a context object passed back to the provided method (via this) when called. Ignored if the method is an arrow function.\n * * * sandbox - if set to 'plugin' when adding a request extension points the extension is only added to routes defined by the current plugin. Not allowed when configuring route-level extensions, or\n * when adding server extensions. Defaults to 'server' which applies to any route added to the server the extension is added to.\n * @return void\n */\nexport interface ServerExtEventsRequestObject {\n /**\n * (required) the extension point event name. The available extension points include the request extension points as well as the following server extension points:\n * * 'onPreStart' - called before the connection listeners are started.\n * * 'onPostStart' - called after the connection listeners are started.\n * * 'onPreStop' - called before the connection listeners are stopped.\n * * 'onPostStop' - called after the connection listeners are stopped.\n */\n type: ServerRequestExtType;\n /**\n * (required) a function or an array of functions to be executed at a specified point during request processing. The required extension function signature is:\n * * server extension points: async function(server) where:\n * * * server - the server object.\n * * * this - the object provided via options.bind or the current active context set with server.bind().\n * * request extension points: a lifecycle method.\n */\n method: Lifecycle.Method | Lifecycle.Method[];\n /**\n * (optional) an object with the following:\n * * before - a string or array of strings of plugin names this method must execute before (on the same event). Otherwise, extension methods are executed in the order added.\n * * after - a string or array of strings of plugin names this method must execute after (on the same event). Otherwise, extension methods are executed in the order added.\n * * bind - a context object passed back to the provided method (via this) when called. Ignored if the method is an arrow function.\n * * sandbox - if set to 'plugin' when adding a request extension points the extension is only added to routes defined by the current plugin. Not allowed when configuring route-level extensions,\n * or when adding server extensions. Defaults to 'server' which applies to any route added to the server the extension is added to.\n */\n options?: ServerExtOptions | undefined;\n}\n\nexport type ServerExtPointFunction = (server: Server) => void;\n\n/**\n * An object with the following:\n * * before - a string or array of strings of plugin names this method must execute before (on the same event). Otherwise, extension methods are executed in the order added.\n * * after - a string or array of strings of plugin names this method must execute after (on the same event). Otherwise, extension methods are executed in the order added.\n * * bind - a context object passed back to the provided method (via this) when called. Ignored if the method is an arrow function.\n * * sandbox - if set to 'plugin' when adding a request extension points the extension is only added to routes defined by the current plugin. Not allowed when configuring route-level extensions, or\n * when adding server extensions. Defaults to 'server' which applies to any route added to the server the extension is added to. For context [See\n * docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverextevents)\n */\nexport interface ServerExtOptions {\n /**\n * a string or array of strings of plugin names this method must execute before (on the same event). Otherwise, extension methods are executed in the order added.\n */\n before?: string | string[] | undefined;\n /**\n * a string or array of strings of plugin names this method must execute after (on the same event). Otherwise, extension methods are executed in the order added.\n */\n after?: string | string[] | undefined;\n /**\n * a context object passed back to the provided method (via this) when called. Ignored if the method is an arrow function.\n */\n bind?: object | undefined;\n /**\n * if set to 'plugin' when adding a request extension points the extension is only added to routes defined by the current plugin. Not allowed when configuring route-level extensions, or when\n * adding server extensions. Defaults to 'server' which applies to any route added to the server the extension is added to.\n */\n sandbox?: 'server' | 'plugin' | undefined;\n}\n" }, { "path": "lib/types/server/index.d.ts", "content": "export * from './auth';\nexport * from './cache';\nexport * from './encoders';\nexport * from './events';\nexport * from './ext';\nexport * from './info';\nexport * from './inject';\nexport * from './methods';\nexport * from './options';\nexport * from './server';\nexport * from './state';\n" }, { "path": "lib/types/server/info.d.ts", "content": "/**\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverinfo)\n * An object containing information about the server where:\n */\nexport interface ServerInfo {\n /**\n * a unique server identifier (using the format '{hostname}:{pid}:{now base36}').\n */\n id: string;\n\n /**\n * server creation timestamp.\n */\n created: number;\n\n /**\n * server start timestamp (0 when stopped).\n */\n started: number;\n\n /**\n * the connection [port](https://github.com/hapijs/hapi/blob/master/API.md#server.options.port) based on the following rules:\n * * before the server has been started: the configured port value.\n * * after the server has been started: the actual port assigned when no port is configured or was set to 0.\n */\n port: number | string;\n\n /**\n * The [host](https://github.com/hapijs/hapi/blob/master/API.md#server.options.host) configuration value.\n */\n host: string;\n\n /**\n * the active IP address the connection was bound to after starting. Set to undefined until the server has been\n * started or when using a non TCP port (e.g. UNIX domain socket).\n */\n address: undefined | string;\n\n /**\n * the protocol used:\n * * 'http' - HTTP.\n * * 'https' - HTTPS.\n * * 'socket' - UNIX domain socket or Windows named pipe.\n */\n protocol: 'http' | 'https' | 'socket';\n\n /**\n * a string representing the connection (e.g. 'http://example.com:8080' or 'socket:/unix/domain/socket/path'). Contains\n * the uri value if set, otherwise constructed from the available settings. If no port is configured or is set\n * to 0, the uri will not include a port component until the server is started.\n */\n uri: string;\n}\n" }, { "path": "lib/types/server/inject.d.ts", "content": "import { RequestOptions as ShotRequestOptions, ResponseObject as ShotResponseObject } from '@hapi/shot';\nimport { PluginsStates } from '../plugin';\nimport { AuthArtifacts, AuthCredentials, Request, RequestApplicationState } from '../request';\n\n/**\n * An object with:\n * * method - (optional) the request HTTP method (e.g. 'POST'). Defaults to 'GET'.\n * * url - (required) the request URL. If the URI includes an authority (e.g. 'example.com:8080'), it is used to automatically set an HTTP 'Host' header, unless one was specified in headers.\n * * headers - (optional) an object with optional request headers where each key is the header name and the value is the header content. Defaults to no additions to the default shot headers.\n * * payload - (optional) an string, buffer or object containing the request payload. In case of an object it will be converted to a string for you. Defaults to no payload. Note that payload\n * processing defaults to 'application/json' if no 'Content-Type' header provided.\n * * credentials - (optional) an credentials object containing authentication information. The credentials are used to bypass the default authentication strategies, and are validated directly as if\n * they were received via an authentication scheme. Defaults to no credentials.\n * * artifacts - (optional) an artifacts object containing authentication artifact information. The artifacts are used to bypass the default authentication strategies, and are validated directly as\n * if they were received via an authentication scheme. Ignored if set without credentials. Defaults to no artifacts.\n * * app - (optional) sets the initial value of request.app, defaults to {}.\n * * plugins - (optional) sets the initial value of request.plugins, defaults to {}.\n * * allowInternals - (optional) allows access to routes with config.isInternal set to true. Defaults to false.\n * * remoteAddress - (optional) sets the remote address for the incoming connection.\n * * simulate - (optional) an object with options used to simulate client request stream conditions for testing:\n * * error - if true, emits an 'error' event after payload transmission (if any). Defaults to false.\n * * close - if true, emits a 'close' event after payload transmission (if any). Defaults to false.\n * * end - if false, does not end the stream. Defaults to true.\n * * split - indicates whether the request payload will be split into chunks. Defaults to undefined, meaning payload will not be chunked.\n * * validate - (optional) if false, the options inputs are not validated. This is recommended for run-time usage of inject() to make it perform faster where input validation can be tested\n * separately.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverinjectoptions)\n * For context [Shot module](https://github.com/hapijs/shot)\n */\nexport interface ServerInjectOptions extends ShotRequestOptions {\n /**\n * Authentication bypass options.\n */\n auth?: {\n /**\n * The authentication strategy name matching the provided credentials.\n */\n strategy: string;\n /**\n * The credentials are used to bypass the default authentication strategies,\n * and are validated directly as if they were received via an authentication scheme.\n */\n credentials: AuthCredentials;\n /**\n * The artifacts are used to bypass the default authentication strategies,\n * and are validated directly as if they were received via an authentication scheme. Defaults to no artifacts.\n */\n artifacts?: AuthArtifacts | undefined;\n } | undefined;\n /**\n * sets the initial value of request.app, defaults to {}.\n */\n app?: RequestApplicationState | undefined;\n /**\n * sets the initial value of request.plugins, defaults to {}.\n */\n plugins?: PluginsStates | undefined;\n /**\n * allows access to routes with config.isInternal set to true. Defaults to false.\n */\n allowInternals?: boolean | undefined;\n}\n\n/**\n * A response object with the following properties:\n * * statusCode - the HTTP status code.\n * * headers - an object containing the headers set.\n * * payload - the response payload string.\n * * rawPayload - the raw response payload buffer.\n * * raw - an object with the injection request and response objects:\n * * req - the simulated node request object.\n * * res - the simulated node response object.\n * * result - the raw handler response (e.g. when not a stream or a view) before it is serialized for transmission. If not available, the value is set to payload. Useful for inspection and reuse of\n * the internal objects returned (instead of parsing the response string).\n * * request - the request object.\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverinjectoptions)\n * For context [Shot module](https://github.com/hapijs/shot)\n */\nexport interface ServerInjectResponse extends ShotResponseObject {\n /**\n * the raw handler response (e.g. when not a stream or a view) before it is serialized for transmission. If not available, the value is set to payload. Useful for inspection and reuse of the\n * internal objects returned (instead of parsing the response string).\n */\n result: Result | undefined;\n /**\n * the request object.\n */\n request: Request;\n}\n" }, { "path": "lib/types/server/methods.d.ts", "content": "import { CacheStatisticsObject, PolicyOptions } from \"@hapi/catbox\";\n\ntype AnyMethod = (...args: any[]) => any;\n\nexport type CachedServerMethod = T & {\n cache?: {\n drop(...args: Parameters): Promise;\n stats: CacheStatisticsObject\n }\n};\n\n/**\n * The method function with a signature async function(...args, [flags]) where:\n * * ...args - the method function arguments (can be any number of arguments or none).\n * * flags - when caching is enabled, an object used to set optional method result flags:\n * * * ttl - 0 if result is valid but cannot be cached. Defaults to cache policy.\n * For reference [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermethodname-method-options)\n */\nexport type ServerMethod = AnyMethod;\n\n/**\n * The same cache configuration used in server.cache().\n * The generateTimeout option is required.\n * For reference [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermethodname-method-options)\n * For reference [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servercacheoptions)\n */\nexport interface ServerMethodCache extends PolicyOptions {\n generateTimeout: number | false;\n cache?: string;\n segment?: string;\n}\n\n/**\n * Configuration object:\n * * bind - a context object passed back to the method function (via this) when called. Defaults to active context (set via server.bind() when the method is registered. Ignored if the method is an\n * arrow function.\n * * cache - the same cache configuration used in server.cache(). The generateTimeout option is required.\n * * generateKey - a function used to generate a unique key (for caching) from the arguments passed to the method function (the flags argument is not passed as input). The server will automatically\n * generate a unique key if the function's arguments are all of types 'string', 'number', or 'boolean'. However if the method uses other types of arguments, a key generation function must be provided\n * which takes the same arguments as the function and returns a unique string (or null if no key can be generated). For reference [See\n * docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermethodname-method-options)\n */\nexport interface ServerMethodOptions {\n /**\n * a context object passed back to the method function (via this) when called. Defaults to active context (set via server.bind() when the method is registered. Ignored if the method is an arrow\n * function.\n */\n bind?: object | undefined;\n /**\n * the same cache configuration used in server.cache(). The generateTimeout option is required.\n */\n cache?: ServerMethodCache | undefined;\n /**\n * a function used to generate a unique key (for caching) from the arguments passed to the method function (the flags argument is not passed as input). The server will automatically generate a\n * unique key if the function's arguments are all of types 'string', 'number', or 'boolean'. However if the method uses other types of arguments, a key generation function must be provided which\n * takes the same arguments as the function and returns a unique string (or null if no key can be generated).\n */\n generateKey?(...args: any[]): string | null;\n}\n\n/**\n * An object or an array of objects where each one contains:\n * * name - the method name.\n * * method - the method function.\n * * options - (optional) settings.\n * For reference [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermethodmethods)\n */\nexport interface ServerMethodConfigurationObject {\n /**\n * the method name.\n */\n name: string;\n /**\n * the method function.\n */\n method: ServerMethod;\n /**\n * (optional) settings.\n */\n options?: ServerMethodOptions | undefined;\n}\n\ninterface BaseServerMethods {\n [name: string]: (\n ServerMethod |\n CachedServerMethod |\n BaseServerMethods\n );\n}\n\n/**\n * An empty interface to allow typings of custom server.methods.\n */\nexport interface ServerMethods extends BaseServerMethods {\n}\n" }, { "path": "lib/types/server/options.d.ts", "content": "import * as http from 'http';\nimport * as https from 'https';\n\nimport { MimosOptions } from '@hapi/mimos';\n\nimport { PluginSpecificConfiguration } from '../plugin';\nimport { RouteOptions } from '../route';\nimport { CacheProvider, ServerOptionsCache } from './cache';\nimport { SameSitePolicy, ServerStateCookieOptions } from './state';\n\nexport interface ServerOptionsCompression {\n minBytes: number;\n}\n\n/**\n * Empty interface to allow for custom augmentation.\n */\n\nexport interface ServerOptionsApp {\n}\n\n/**\n * The server options control the behavior of the server object. Note that the options object is deeply cloned\n * (with the exception of listener which is shallowly copied) and should not contain any values that are unsafe to perform deep copy on.\n * All options are optionals.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-server-options)\n */\nexport interface ServerOptions {\n /**\n * @default '0.0.0.0' (all available network interfaces).\n * Sets the hostname or IP address the server will listen on. If not configured, defaults to host if present, otherwise to all available network interfaces. Set to '127.0.0.1' or 'localhost' to\n * restrict the server to only those coming from the same host.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serveroptionsaddress)\n */\n address?: string | undefined;\n\n /**\n * @default {}.\n * Provides application-specific configuration which can later be accessed via server.settings.app. The framework does not interact with this object. It is simply a reference made available\n * anywhere a server reference is provided. Note the difference between server.settings.app which is used to store static configuration values and server.app which is meant for storing run-time\n * state.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serveroptionsapp)\n */\n app?: ServerOptionsApp | undefined;\n\n /**\n * @default true.\n * Used to disable the automatic initialization of the listener. When false, indicates that the listener will be started manually outside the framework.\n * Cannot be set to true along with a port value.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serveroptionsautolisten)\n */\n autoListen?: boolean | undefined;\n\n /**\n * @default { engine: require('@hapi/catbox-memory' }.\n * Sets up server-side caching providers. Every server includes a default cache for storing application state. By default, a simple memory-based cache is created which has limited capacity and\n * capabilities. hapi uses catbox for its cache implementation which includes support for common storage solutions (e.g. Redis, MongoDB, Memcached, Riak, among others). Caching is only utilized\n * if methods and plugins explicitly store their state in the cache. The server cache configuration only defines the storage container itself. The configuration can be assigned one or more\n * (array):\n * * a class or prototype function (usually obtained by calling require() on a catbox strategy such as require('@hapi/catbox-redis')). A new catbox client will be created internally using this\n * function.\n * * a configuration object with the following:\n * * * engine - a class, a prototype function, or a catbox engine object.\n * * * name - an identifier used later when provisioning or configuring caching for server methods or plugins. Each cache name must be unique. A single item may omit the name option which defines\n * the default cache. If every cache includes a name, a default memory cache is provisioned as well.\n * * * shared - if true, allows multiple cache users to share the same segment (e.g. multiple methods using the same cache storage container). Default to false.\n * * * partition - (optional) string used to isolate cached data. Defaults to 'hapi-cache'.\n * * * other options passed to the catbox strategy used. Other options are only passed to catbox when engine above is a class or function and ignored if engine is a catbox engine object).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serveroptionscache)\n */\n cache?: CacheProvider | ServerOptionsCache | ServerOptionsCache[] | undefined;\n\n /**\n * @default { minBytes: 1024 }.\n * Defines server handling of content encoding requests. If false, response content encoding is disabled and no compression is performed by the server.\n */\n compression?: boolean | ServerOptionsCompression | undefined;\n\n /**\n * @default { request: ['implementation'] }.\n * Determines which logged events are sent to the console. This should only be used for development and does not affect which events are actually logged internally and recorded. Set to false to\n * disable all console logging, or to an object with:\n * * log - a string array of server log tags to be displayed via console.error() when the events are logged via server.log() as well as internally generated server logs. Defaults to no output.\n * * request - a string array of request log tags to be displayed via console.error() when the events are logged via request.log() as well as internally generated request logs. For example, to\n * display all errors, set the option to ['error']. To turn off all console debug messages set it to false. To display all request logs, set it to '*'. Defaults to uncaught errors thrown in\n * external code (these errors are handled automatically and result in an Internal Server Error response) or runtime errors due to developer error. For example, to display all errors, set the log\n * or request to ['error']. To turn off all output set the log or request to false. To display all server logs, set the log or request to '*'. To disable all debug information, set debug to\n * false.\n */\n debug?: false | {\n log?: string | string[] | false | undefined;\n request?: string | string[] | false | undefined;\n } | undefined;\n\n /**\n * @default the operating system hostname and if not available, to 'localhost'.\n * The public hostname or IP address. Used to set server.info.host and server.info.uri and as address is none provided.\n */\n host?: string | undefined;\n\n info?: {\n /**\n * @default false.\n * If true, the request.info.remoteAddress and request.info.remotePort are populated when the request is received which can consume more resource (but is ok if the information is needed,\n * especially for aborted requests). When false, the fields are only populated upon demand (but will be undefined if accessed after the request is aborted).\n */\n remote?: boolean | undefined;\n } | undefined;\n\n /**\n * @default none.\n * An optional node HTTP (or HTTPS) http.Server object (or an object with a compatible interface).\n * If the listener needs to be manually started, set autoListen to false.\n * If the listener uses TLS, set tls to true.\n */\n listener?: http.Server | undefined;\n\n /**\n * @default { sampleInterval: 0 }.\n * Server excessive load handling limits where:\n * * sampleInterval - the frequency of sampling in milliseconds. When set to 0, the other load options are ignored. Defaults to 0 (no sampling).\n * * maxHeapUsedBytes - maximum V8 heap size over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to 0 (no limit).\n * * maxRssBytes - maximum process RSS size over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to 0 (no limit).\n * * maxEventLoopDelay - maximum event loop delay duration in milliseconds over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to 0 (no limit).\n */\n load?: {\n /** the frequency of sampling in milliseconds. When set to 0, the other load options are ignored. Defaults to 0 (no sampling). */\n sampleInterval?: number | undefined;\n\n /** maximum V8 heap size over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to 0 (no limit). */\n maxHeapUsedBytes?: number | undefined;\n /**\n * maximum process RSS size over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to 0 (no limit).\n */\n maxRssBytes?: number | undefined;\n /**\n * maximum event loop delay duration in milliseconds over which incoming requests are rejected with an HTTP Server Timeout (503) response.\n * Defaults to 0 (no limit).\n */\n maxEventLoopDelay?: number | undefined;\n } | undefined;\n\n /**\n * @default none.\n * Options passed to the mimos module when generating the mime database used by the server (and accessed via server.mime):\n * * override - an object hash that is merged into the built in mime information specified here. Each key value pair represents a single mime object. Each override value must contain:\n * * key - the lower-cased mime-type string (e.g. 'application/javascript').\n * * value - an object following the specifications outlined here. Additional values include:\n * * * type - specify the type value of result objects, defaults to key.\n * * * predicate - method with signature function(mime) when this mime type is found in the database, this function will execute to allows customizations.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serveroptionsmime)\n */\n mime?: MimosOptions | undefined;\n\n /**\n * @default { cleanStop: true }\n * Defines server handling of server operations.\n */\n operations?: {\n /**\n * @default true\n * If true, the server keeps track of open connections and properly closes them when the server is stopped.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serveroptionsoperations)\n */\n cleanStop?: boolean;\n }\n\n /**\n * @default {}.\n * Plugin-specific configuration which can later be accessed via server.settings.plugins. plugins is an object where each key is a plugin name and the value is the configuration. Note the\n * difference between server.settings.plugins which is used to store static configuration values and server.plugins which is meant for storing run-time state.\n */\n plugins?: PluginSpecificConfiguration | undefined;\n\n /**\n * @default 0 (an ephemeral port).\n * The TCP port the server will listen to. Defaults the next available port when the server is started (and assigned to server.info.port).\n * If port is a string containing a '/' character, it is used as a UNIX domain socket path. If it starts with '\\.\\pipe', it is used as a Windows named pipe.\n */\n port?: number | string | undefined;\n\n /**\n * @default { isCaseSensitive: true, stripTrailingSlash: false }.\n * Controls how incoming request URIs are matched against the routing table:\n * * isCaseSensitive - determines whether the paths '/example' and '/EXAMPLE' are considered different resources. Defaults to true.\n * * stripTrailingSlash - removes trailing slashes on incoming paths. Defaults to false.\n */\n router?: {\n isCaseSensitive?: boolean | undefined;\n stripTrailingSlash?: boolean | undefined;\n } | undefined;\n\n /**\n * @default none.\n * A route options object used as the default configuration for every route.\n */\n routes?: RouteOptions | undefined;\n\n /**\n * Default value:\n * {\n * strictHeader: true,\n * ignoreErrors: false,\n * isSecure: true,\n * isHttpOnly: true,\n * isSameSite: 'Strict',\n * encoding: 'none'\n * }\n * Sets the default configuration for every state (cookie) set explicitly via server.state() or implicitly (without definition) using the state configuration object.\n */\n state?: ServerStateCookieOptions | undefined;\n\n /**\n * @default none.\n * Used to create an HTTPS connection. The tls object is passed unchanged to the node HTTPS server as described in the node HTTPS documentation.\n */\n tls?: boolean | https.ServerOptions | undefined;\n\n /**\n * @default constructed from runtime server information.\n * The full public URI without the path (e.g. 'http://example.com:8080'). If present, used as the server server.info.uri, otherwise constructed from the server settings.\n */\n uri?: string | undefined;\n\n /**\n * Query parameter configuration.\n */\n query?: {\n /**\n * the method must return an object where each key is a parameter and matching value is the parameter value.\n * If the method throws, the error is used as the response or returned when `request.setUrl` is called.\n */\n parser(raw: Record): Record;\n } | undefined;\n}\n" }, { "path": "lib/types/server/server.d.ts", "content": "import * as http from 'http';\nimport { Stream } from 'stream';\n\nimport { Root } from 'joi';\nimport { Mimos } from '@hapi/mimos';\n\nimport {\n Dependencies,\n PluginsListRegistered,\n Plugin,\n ServerRealm,\n ServerRegisterOptions,\n ServerRegisterPluginObject,\n ServerRegisterPluginObjectArray,\n HandlerDecorationMethod,\n PluginProperties\n} from '../plugin';\nimport {\n ReqRef,\n ReqRefDefaults,\n Request,\n RequestRoute\n} from '../request';\nimport { ResponseToolkit } from '../response';\nimport {\n RulesOptions,\n RulesProcessor,\n ServerRoute\n} from '../route';\nimport { HTTP_METHODS, Lifecycle } from '../utils';\nimport { ServerAuth } from './auth';\nimport { ServerCache } from './cache';\nimport { ContentDecoders, ContentEncoders } from './encoders';\nimport { ServerEventsApplication, ServerEvents } from './events';\nimport {\n ServerExtEventsObject,\n ServerExtEventsRequestObject,\n ServerExtType,\n ServerExtPointFunction,\n ServerExtOptions,\n ServerRequestExtType\n} from './ext';\nimport { ServerInfo } from './info';\nimport { ServerInjectOptions, ServerInjectResponse } from './inject';\nimport {\n ServerMethod,\n ServerMethodOptions,\n ServerMethodConfigurationObject,\n ServerMethods\n} from './methods';\nimport { ServerOptions } from './options';\nimport { ServerState, ServerStateCookieOptions } from './state';\n\n/**\n * The general case for decorators added via server.decorate.\n */\nexport type DecorationMethod = (this: T, ...args: any[]) => any;\n\nexport type DecorateName = string | symbol;\n\nexport type DecorationValue = object | any[] | boolean | number | string | symbol | Map | Set;\n\ntype ReservedRequestKeys = (\n 'server' | 'url' | 'query' | 'path' | 'method' |\n 'mime' | 'setUrl' | 'setMethod' | 'headers' | 'id' |\n 'app' | 'plugins' | 'route' | 'auth' | 'pre' |\n 'preResponses' | 'info' | 'isInjected' | 'orig' |\n 'params' | 'paramsArray' | 'payload' | 'state' |\n 'response' | 'raw' | 'domain' | 'log' | 'logs' |\n 'generateResponse' |\n\n // Private functions\n '_allowInternals' | '_closed' | '_core' |\n '_entity' | '_eventContext' | '_events' | '_expectContinue' |\n '_isInjected' | '_isPayloadPending' | '_isReplied' |\n '_route' | '_serverTimeoutId' | '_states' | '_url' |\n '_urlError' | '_initializeUrl' | '_setUrl' | '_parseUrl' |\n '_parseQuery'\n\n);\n\ntype ReservedToolkitKeys = (\n 'abandon' | 'authenticated' | 'close' | 'context' | 'continue' |\n 'entity' | 'redirect' | 'realm' | 'request' | 'response' |\n 'state' | 'unauthenticated' | 'unstate'\n);\n\ntype ReservedServerKeys = (\n // Public functions\n 'app' | 'auth' | 'cache' | 'decorations' | 'events' | 'info' |\n 'listener' | 'load' | 'methods' | 'mime' | 'plugins' | 'registrations' |\n 'settings' | 'states' | 'type' | 'version' | 'realm' | 'control' | 'decoder' |\n 'bind' | 'control' | 'decoder' | 'decorate' | 'dependency' | 'encoder' |\n 'event' | 'expose' | 'ext' | 'inject' | 'log' | 'lookup' | 'match' | 'method' |\n 'path' | 'register' | 'route' | 'rules' | 'state' | 'table' | 'validator' |\n 'start' | 'initialize' | 'stop' |\n\n // Private functions\n '_core' | '_initialize' | '_start' | '_stop' | '_cachePolicy' | '_createCache' |\n '_clone' | '_ext' | '_addRoute'\n);\n\ntype ExceptName = Property extends ReservedKeys ? never : Property;\n\n/**\n * User-extensible type for application specific state (`server.app`).\n */\nexport interface ServerApplicationState {\n}\n\n/**\n * The server object is the main application container. The server manages all incoming requests along with all\n * the facilities provided by the framework. Each server supports a single connection (e.g. listen to port 80).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#server)\n */\nexport class Server {\n /**\n * Creates a new server object\n * @param options server configuration object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serveroptions)\n */\n constructor(options?: ServerOptions);\n\n /**\n * Provides a safe place to store server-specific run-time application data without potential conflicts with\n * the framework internals. The data can be accessed whenever the server is accessible.\n * Initialized with an empty object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverapp)\n */\n app: A;\n\n /**\n * Server Auth: properties and methods\n */\n readonly auth: ServerAuth;\n\n /**\n * Links another server to the initialize/start/stop state of the current server by calling the\n * controlled server `initialize()`/`start()`/`stop()` methods whenever the current server methods\n * are called, where:\n */\n control(server: Server): void;\n\n /**\n * Provides access to the decorations already applied to various framework interfaces. The object must not be\n * modified directly, but only through server.decorate.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverdecorations)\n */\n readonly decorations: {\n /**\n * decorations on the request object.\n */\n request: string[],\n /**\n * decorations on the response toolkit.\n */\n toolkit: string[],\n /**\n * decorations on the server object.\n */\n server: string[]\n };\n\n /**\n * Register custom application events where:\n * @param events must be one of:\n * * an event name string.\n * * an event options object with the following optional keys (unless noted otherwise):\n * * * name - the event name string (required).\n * * * channels - a string or array of strings specifying the event channels available. Defaults to no channel restrictions (event updates can specify a channel or not).\n * * * clone - if true, the data object passed to server.events.emit() is cloned before it is passed to the listeners (unless an override specified by each listener). Defaults to false (data is\n * passed as-is).\n * * * spread - if true, the data object passed to server.event.emit() must be an array and the listener method is called with each array element passed as a separate argument (unless an override\n * specified by each listener). This should only be used when the emitted data structure is known and predictable. Defaults to false (data is emitted as a single argument regardless of its\n * type).\n * * * tags - if true and the criteria object passed to server.event.emit() includes tags, the tags are mapped to an object (where each tag string is the key and the value is true) which is\n * appended to the arguments list at the end. A configuration override can be set by each listener. Defaults to false.\n * * * shared - if true, the same event name can be registered multiple times where the second registration is ignored. Note that if the registration config is changed between registrations, only\n * the first configuration is used. Defaults to false (a duplicate registration will throw an error).\n * * a podium emitter object.\n * * an array containing any of the above.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverevents)\n */\n event(events: ServerEventsApplication | ServerEventsApplication[]): void;\n\n /**\n * Access: podium public interface.\n * The server events emitter. Utilizes the podium with support for event criteria validation, channels, and filters.\n * Use the following methods to interact with server.events:\n * [server.events.emit(criteria, data)](https://github.com/hapijs/hapi/blob/master/API.md#server.events.emit()) - emit server events.\n * [server.events.on(criteria, listener)](https://github.com/hapijs/hapi/blob/master/API.md#server.events.on()) - subscribe to all events.\n * [server.events.once(criteria, listener)](https://github.com/hapijs/hapi/blob/master/API.md#server.events.once()) - subscribe to\n * Other methods include: server.events.removeListener(name, listener), server.events.removeAllListeners(name), and server.events.hasListeners(name).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverevents)\n */\n events: ServerEvents;\n\n /**\n * An object containing information about the server where:\n * * id - a unique server identifier (using the format '{hostname}:{pid}:{now base36}').\n * * created - server creation timestamp.\n * * started - server start timestamp (0 when stopped).\n * * port - the connection port based on the following rules:\n * * host - The host configuration value.\n * * address - the active IP address the connection was bound to after starting. Set to undefined until the server has been started or when using a non TCP port (e.g. UNIX domain socket).\n * * protocol - the protocol used:\n * * 'http' - HTTP.\n * * 'https' - HTTPS.\n * * 'socket' - UNIX domain socket or Windows named pipe.\n * * uri - a string representing the connection (e.g. 'http://example.com:8080' or 'socket:/unix/domain/socket/path'). Contains the uri value if set, otherwise constructed from the available\n * settings. If no port is configured or is set to 0, the uri will not include a port component until the server is started.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverinfo)\n */\n readonly info: ServerInfo;\n\n /**\n * Access: read only and listener public interface.\n * The node HTTP server object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverlistener)\n */\n listener: http.Server;\n\n /**\n * An object containing the process load metrics (when load.sampleInterval is enabled):\n * * eventLoopDelay - event loop delay milliseconds.\n * * heapUsed - V8 heap usage.\n * * rss - RSS memory usage.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverload)\n */\n readonly load: {\n /**\n * event loop delay milliseconds.\n */\n eventLoopDelay: number;\n\n /**\n * V8 heap usage.\n */\n heapUsed: number;\n /**\n * RSS memory usage.\n */\n rss: number;\n };\n\n /**\n * Server methods are functions registered with the server and used throughout the application as a common utility.\n * Their advantage is in the ability to configure them to use the built-in cache and share across multiple request\n * handlers without having to create a common module.\n * sever.methods is an object which provides access to the methods registered via server.method() where each\n * server method name is an object property.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermethods\n */\n readonly methods: ServerMethods;\n\n /**\n * Provides access to the server MIME database used for setting content-type information. The object must not be\n * modified directly but only through the [mime](https://github.com/hapijs/hapi/blob/master/API.md#server.options.mime) server setting.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermime)\n */\n mime: Mimos;\n\n /**\n * An object containing the values exposed by each registered plugin where each key is a plugin name and the values\n * are the exposed properties by each plugin using server.expose(). Plugins may set the value of\n * the server.plugins[name] object directly or via the server.expose() method.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverplugins)\n */\n plugins: PluginProperties;\n\n /**\n * The realm object contains sandboxed server settings specific to each plugin or authentication strategy. When\n * registering a plugin or an authentication scheme, a server object reference is provided with a new server.realm\n * container specific to that registration. It allows each plugin to maintain its own settings without leaking\n * and affecting other plugins.\n * For example, a plugin can set a default file path for local resources without breaking other plugins' configured\n * paths. When calling server.bind(), the active realm's settings.bind property is set which is then used by\n * routes and extensions added at the same level (server root or plugin).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverrealm)\n */\n readonly realm: ServerRealm;\n\n /**\n * An object of the currently registered plugins where each key is a registered plugin name and the value is\n * an object containing:\n * * version - the plugin version.\n * * name - the plugin name.\n * * options - (optional) options passed to the plugin during registration.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverregistrations)\n */\n readonly registrations: PluginsListRegistered;\n\n /**\n * The server configuration object after defaults applied.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serversettings)\n */\n readonly settings: ServerOptions;\n\n /**\n * The server cookies manager.\n * Access: read only and statehood public interface.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverstates)\n */\n readonly states: ServerState;\n\n /**\n * A string indicating the listener type where:\n * * 'socket' - UNIX domain socket or Windows named pipe.\n * * 'tcp' - an HTTP listener.\n */\n readonly type: 'socket' | 'tcp';\n\n /**\n * The hapi module version number.\n */\n readonly version: string;\n\n /**\n * Sets a global context used as the default bind object when adding a route or an extension where:\n * @param context - the object used to bind this in lifecycle methods such as the route handler and extension methods. The context is also made available as h.context.\n * @return Return value: none.\n * When setting a context inside a plugin, the context is applied only to methods set up by the plugin. Note that the context applies only to routes and extensions added after it has been set.\n * Ignored if the method being bound is an arrow function.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverbindcontext)\n */\n bind(context: object): void;\n\n /**\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servercacheoptions)\n */\n cache: ServerCache;\n\n /**\n * Registers a custom content decoding compressor to extend the built-in support for 'gzip' and 'deflate' where:\n * @param encoding - the decoder name string.\n * @param decoder - a function using the signature function(options) where options are the encoding specific options configured in the route payload.compression configuration option, and the\n * return value is an object compatible with the output of node's zlib.createGunzip().\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverdecoderencoding-decoder)\n */\n decoder(encoding: T, decoder: ContentDecoders[T]): void;\n decoder(encoding: string, decoder: ((options?: object) => Stream)): void;\n\n /**\n * Extends various framework interfaces with custom methods where:\n * @param type - the interface being decorated. Supported types:\n * 'handler' - adds a new handler type to be used in routes handlers.\n * 'request' - adds methods to the Request object.\n * 'server' - adds methods to the Server object.\n * 'toolkit' - adds methods to the response toolkit.\n * @param property - the object decoration key name.\n * @param method - the extension function or other value.\n * @param options - (optional) supports the following optional settings:\n * apply - when the type is 'request', if true, the method function is invoked using the signature function(request) where request is the current request object and the returned value is assigned\n * as the decoration. extend - if true, overrides an existing decoration. The method must be a function with the signature function(existing) where: existing - is the previously set\n * decoration method value. must return the new decoration function or value. cannot be used to extend handler decorations.\n * @return void;\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverdecoratetype-property-method-options)\n */\n decorate

(type: 'handler', property: P, method: HandlerDecorationMethod, options?: { apply?: boolean | undefined, extend?: never }): void;\n\n decorate

(type: 'request', property: ExceptName, method: (existing: ((...args: any[]) => any)) => (request: Request) => DecorationMethod, options: {apply: true, extend: true}): void;\n decorate

(type: 'request', property: ExceptName, method: (request: Request) => DecorationMethod, options: {apply: true, extend?: boolean | undefined}): void;\n decorate

(type: 'request', property: ExceptName, method: DecorationMethod, options?: {apply?: boolean | undefined, extend?: boolean | undefined}): void;\n decorate

(type: 'request', property: ExceptName, value: (existing: ((...args: any[]) => any)) => (request: Request) => any, options: {apply: true, extend: true}): void;\n decorate

(type: 'request', property: ExceptName, value: (request: Request) => any, options: {apply: true, extend?: boolean | undefined}): void;\n decorate

(type: 'request', property: ExceptName, value: DecorationValue, options?: never): void;\n\n decorate

(type: 'toolkit', property: ExceptName, method: (existing: ((...args: any[]) => any)) => DecorationMethod, options: {apply?: boolean | undefined, extend: true}): void;\n decorate

(type: 'toolkit', property: ExceptName, method: DecorationMethod, options?: {apply?: boolean | undefined, extend?: boolean | undefined}): void;\n decorate

(type: 'toolkit', property: ExceptName, value: (existing: ((...args: any[]) => any)) => any, options: {apply?: boolean | undefined, extend: true}): void;\n decorate

(type: 'toolkit', property: ExceptName, value: DecorationValue, options?: never): void;\n\n decorate

(type: 'server', property: ExceptName, method: (existing: ((...args: any[]) => any)) => DecorationMethod, options: {apply?: boolean | undefined, extend: true}): void;\n decorate

(type: 'server', property: ExceptName, method: DecorationMethod, options?: {apply?: boolean | undefined, extend?: boolean | undefined}): void;\n decorate

(type: 'server', property: ExceptName, value: (existing: ((...args: any[]) => any)) => any, options: {apply?: boolean | undefined, extend: true}): void;\n decorate

(type: 'server', property: ExceptName, value: DecorationValue, options?: never): void;\n\n /**\n * Used within a plugin to declare a required dependency on other plugins where:\n * @param dependencies - plugins which must be registered in order for this plugin to operate. Plugins listed must be registered before the server is\n * initialized or started.\n * @param after - (optional) a function that is called after all the specified dependencies have been registered and before the server starts. The function is only called if the server is\n * initialized or started. The function signature is async function(server) where: server - the server the dependency() method was called on.\n * @return Return value: none.\n * The after method is identical to setting a server extension point on 'onPreStart'.\n * If a circular dependency is detected, an exception is thrown (e.g. two plugins each has an after function to be called after the other).\n * The method does not provide version dependency which should be implemented using npm peer dependencies.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverdependencydependencies-after)\n */\n dependency(dependencies: Dependencies, after?: ((server: Server) => Promise) | undefined): void;\n\n /**\n * Registers a custom content encoding compressor to extend the built-in support for 'gzip' and 'deflate' where:\n * @param encoding - the encoder name string.\n * @param encoder - a function using the signature function(options) where options are the encoding specific options configured in the route compression option, and the return value is an object\n * compatible with the output of node's zlib.createGzip().\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverencoderencoding-encoder)\n */\n encoder(encoding: T, encoder: ContentEncoders[T]): void;\n encoder(encoding: string, encoder: ((options?: object) => Stream)): void;\n\n /**\n * Used within a plugin to expose a property via server.plugins[name] where:\n * @param key - the key assigned (server.plugins[name][key]).\n * @param value - the value assigned.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverexposekey-value)\n */\n expose(key: string, value: any): void;\n\n /**\n * Merges an object into to the existing content of server.plugins[name] where:\n * @param obj - the object merged into the exposed properties container.\n * @return Return value: none.\n * Note that all the properties of obj are deeply cloned into server.plugins[name], so avoid using this method\n * for exposing large objects that may be expensive to clone or singleton objects such as database client\n * objects. Instead favor server.expose(key, value), which only copies a reference to value.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverexposeobj)\n */\n expose(obj: object): void;\n\n /**\n * Registers an extension function in one of the request lifecycle extension points where:\n * @param events - an object or array of objects with the following:\n * * type - (required) the extension point event name. The available extension points include the request extension points as well as the following server extension points:\n * * * 'onPreStart' - called before the connection listeners are started.\n * * * 'onPostStart' - called after the connection listeners are started.\n * * * 'onPreStop' - called before the connection listeners are stopped.\n * * * 'onPostStop' - called after the connection listeners are stopped.\n * * method - (required) a function or an array of functions to be executed at a specified point during request processing. The required extension function signature is:\n * * * server extension points: async function(server) where:\n * * * * server - the server object.\n * * * * this - the object provided via options.bind or the current active context set with server.bind().\n * * * request extension points: a lifecycle method.\n * * options - (optional) an object with the following:\n * * * before - a string or array of strings of plugin names this method must execute before (on the same event). Otherwise, extension methods are executed in the order added.\n * * * after - a string or array of strings of plugin names this method must execute after (on the same event). Otherwise, extension methods are executed in the order added.\n * * * bind - a context object passed back to the provided method (via this) when called. Ignored if the method is an arrow function.\n * * * sandbox - if set to 'plugin' when adding a request extension points the extension is only added to routes defined by the current plugin. Not allowed when configuring route-level\n * extensions, or when adding server extensions. Defaults to 'server' which applies to any route added to the server the extension is added to.\n * @return void\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverextevents)\n */\n ext(events: ServerExtEventsObject | ServerExtEventsObject[] | ServerExtEventsRequestObject | ServerExtEventsRequestObject[]): void;\n\n /**\n * Registers a single extension event using the same properties as used in server.ext(events), but passed as arguments.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverextevent-method-options)\n */\n ext(event: ServerExtType, method: ServerExtPointFunction, options?: ServerExtOptions | undefined): void;\n ext(event: ServerRequestExtType, method: Lifecycle.Method, options?: ServerExtOptions | undefined): void;\n\n /**\n * Initializes the server (starts the caches, finalizes plugin registration) but does not start listening on the connection port.\n * @return Return value: none.\n * Note that if the method fails and throws an error, the server is considered to be in an undefined state and\n * should be shut down. In most cases it would be impossible to fully recover as the various plugins, caches, and\n * other event listeners will get confused by repeated attempts to start the server or make assumptions about the\n * healthy state of the environment. It is recommended to abort the process when the server fails to start properly.\n * If you must try to resume after an error, call server.stop() first to reset the server state.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverinitialize)\n */\n initialize(): Promise;\n\n /**\n * Injects a request into the server simulating an incoming HTTP request without making an actual socket connection. Injection is useful for testing purposes as well as for invoking routing logic\n * internally without the overhead and limitations of the network stack. The method utilizes the shot module for performing injections, with some additional options and response properties:\n * @param options - can be assigned a string with the requested URI, or an object with:\n * * method - (optional) the request HTTP method (e.g. 'POST'). Defaults to 'GET'.\n * * url - (required) the request URL. If the URI includes an authority (e.g. 'example.com:8080'), it is used to automatically set an HTTP 'Host' header, unless one was specified in headers.\n * * headers - (optional) an object with optional request headers where each key is the header name and the value is the header content. Defaults to no additions to the default shot headers.\n * * payload - (optional) an string, buffer or object containing the request payload. In case of an object it will be converted to a string for you. Defaults to no payload. Note that payload\n * processing defaults to 'application/json' if no 'Content-Type' header provided.\n * * credentials - (optional) an credentials object containing authentication information. The credentials are used to bypass the default authentication strategies, and are validated directly as\n * if they were received via an authentication scheme. Defaults to no credentials.\n * * artifacts - (optional) an artifacts object containing authentication artifact information. The artifacts are used to bypass the default authentication strategies, and are validated directly\n * as if they were received via an authentication scheme. Ignored if set without credentials. Defaults to no artifacts.\n * * app - (optional) sets the initial value of request.app, defaults to {}.\n * * plugins - (optional) sets the initial value of request.plugins, defaults to {}.\n * * allowInternals - (optional) allows access to routes with config.isInternal set to true. Defaults to false.\n * * remoteAddress - (optional) sets the remote address for the incoming connection.\n * * simulate - (optional) an object with options used to simulate client request stream conditions for testing:\n * * error - if true, emits an 'error' event after payload transmission (if any). Defaults to false.\n * * close - if true, emits a 'close' event after payload transmission (if any). Defaults to false.\n * * end - if false, does not end the stream. Defaults to true.\n * * split - indicates whether the request payload will be split into chunks. Defaults to undefined, meaning payload will not be chunked.\n * * validate - (optional) if false, the options inputs are not validated. This is recommended for run-time usage of inject() to make it perform faster where input validation can be tested\n * separately.\n * @return Return value: a response object with the following properties:\n * * statusCode - the HTTP status code.\n * * headers - an object containing the headers set.\n * * payload - the response payload string.\n * * rawPayload - the raw response payload buffer.\n * * raw - an object with the injection request and response objects:\n * * req - the simulated node request object.\n * * res - the simulated node response object.\n * * result - the raw handler response (e.g. when not a stream or a view) before it is serialized for transmission. If not available, the value is set to payload. Useful for inspection and reuse\n * of the internal objects returned (instead of parsing the response string).\n * * request - the request object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverinjectoptions)\n */\n inject (options: string | ServerInjectOptions): Promise>;\n\n /**\n * Logs server events that cannot be associated with a specific request. When called the server emits a 'log' event which can be used by other listeners or plugins to record the information or\n * output to the console. The arguments are:\n * @param tags - (required) a string or an array of strings (e.g. ['error', 'database', 'read']) used to identify the event. Tags are used instead of log levels and provide a much more expressive\n * mechanism for describing and filtering events. Any logs generated by the server internally include the 'hapi' tag along with event-specific information.\n * @param data - (optional) an message string or object with the application data being logged. If data is a function, the function signature is function() and it called once to generate (return\n * value) the actual data emitted to the listeners. If no listeners match the event, the data function is not invoked.\n * @param timestamp - (optional) an timestamp expressed in milliseconds. Defaults to Date.now() (now).\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverlogtags-data-timestamp)\n */\n log(tags: string | string[], data?: string | object | (() => any) | undefined, timestamp?: number | undefined): void;\n\n /**\n * Looks up a route configuration where:\n * @param id - the route identifier.\n * @return Return value: the route information if found, otherwise null.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverlookupid)\n */\n lookup(id: string): RequestRoute | null;\n\n /**\n * Looks up a route configuration where:\n * @param method - the HTTP method (e.g. 'GET', 'POST').\n * @param path - the requested path (must begin with '/').\n * @param host - (optional) hostname (to match against routes with vhost).\n * @return Return value: the route information if found, otherwise null.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermatchmethod-path-host)\n */\n match(method: HTTP_METHODS | Lowercase, path: string, host?: string | undefined): RequestRoute | null;\n\n /**\n * Registers a server method where:\n * @param name - a unique method name used to invoke the method via server.methods[name].\n * @param method - the method function with a signature async function(...args, [flags]) where:\n * * ...args - the method function arguments (can be any number of arguments or none).\n * * flags - when caching is enabled, an object used to set optional method result flags:\n * * * ttl - 0 if result is valid but cannot be cached. Defaults to cache policy.\n * @param options - (optional) configuration object:\n * * bind - a context object passed back to the method function (via this) when called. Defaults to active context (set via server.bind() when the method is registered. Ignored if the method is\n * an arrow function.\n * * cache - the same cache configuration used in server.cache(). The generateTimeout option is required.\n * * generateKey - a function used to generate a unique key (for caching) from the arguments passed to the method function (the flags argument is not passed as input). The server will\n * automatically generate a unique key if the function's arguments are all of types 'string', 'number', or 'boolean'. However if the method uses other types of arguments, a key generation\n * function must be provided which takes the same arguments as the function and returns a unique string (or null if no key can be generated).\n * @return Return value: none.\n * Method names can be nested (e.g. utils.users.get) which will automatically create the full path under server.methods (e.g. accessed via server.methods.utils.users.get).\n * When configured with caching enabled, server.methods[name].cache is assigned an object with the following properties and methods: - await drop(...args) - a function that can be used to clear\n * the cache for a given key. - stats - an object with cache statistics, see catbox for stats documentation.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermethodname-method-options)\n */\n method(name: string, method: ServerMethod, options?: ServerMethodOptions | undefined): void;\n\n /**\n * Registers a server method function as described in server.method() using a configuration object where:\n * @param methods - an object or an array of objects where each one contains:\n * * name - the method name.\n * * method - the method function.\n * * options - (optional) settings.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servermethodmethods)\n */\n method(methods: ServerMethodConfigurationObject | ServerMethodConfigurationObject[]): void;\n\n /**\n * Sets the path prefix used to locate static resources (files and view templates) when relative paths are used where:\n * @param relativeTo - the path prefix added to any relative file path starting with '.'.\n * @return Return value: none.\n * Note that setting a path within a plugin only applies to resources accessed by plugin methods. If no path is set, the server default route configuration files.relativeTo settings is used. The\n * path only applies to routes added after it has been set.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverpathrelativeto)\n */\n path(relativeTo: string): void;\n\n /**\n * Registers a plugin where:\n * @param plugins - one or an array of:\n * * a plugin object.\n * * an object with the following:\n * * * plugin - a plugin object.\n * * * options - (optional) options passed to the plugin during registration.\n * * * once, routes - (optional) plugin-specific registration options as defined below.\n * @param options - (optional) registration options (different from the options passed to the registration function):\n * * once - if true, subsequent registrations of the same plugin are skipped without error. Cannot be used with plugin options. Defaults to false. If not set to true, an error will be thrown the\n * second time a plugin is registered on the server.\n * * routes - modifiers applied to each route added by the plugin:\n * * * prefix - string added as prefix to any route path (must begin with '/'). If a plugin registers a child plugin the prefix is passed on to the child or is added in front of the\n * child-specific prefix.\n * * * vhost - virtual host string (or array of strings) applied to every route. The outer-most vhost overrides the any nested configuration.\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverregisterplugins-options)\n */\n register(plugins: Plugin, options?: ServerRegisterOptions | undefined): Promise;\n register(plugin: ServerRegisterPluginObject, options?: ServerRegisterOptions | undefined): Promise;\n register(plugins: Plugin[], options?: ServerRegisterOptions | undefined): Promise;\n register(plugins: ServerRegisterPluginObject[], options?: ServerRegisterOptions | undefined): Promise;\n register(plugins: ServerRegisterPluginObjectArray, options?: ServerRegisterOptions | undefined): Promise;\n\n /**\n * Adds a route where:\n * @param route - a route configuration object or an array of configuration objects where each object contains:\n * * path - (required) the absolute path used to match incoming requests (must begin with '/'). Incoming requests are compared to the configured paths based on the server's router configuration.\n * The path can include named parameters enclosed in {} which will be matched against literal values in the request as described in Path parameters.\n * * method - (required) the HTTP method. Typically one of 'GET', 'POST', 'PUT', 'PATCH', 'DELETE', or 'OPTIONS'. Any HTTP method is allowed, except for 'HEAD'. Use '*' to match against any HTTP\n * method (only when an exact match was not found, and any match with a specific method will be given a higher priority over a wildcard match). Can be assigned an array of methods which has\n * the same result as adding the same route with different methods manually.\n * * vhost - (optional) a domain string or an array of domain strings for limiting the route to only requests with a matching host header field. Matching is done against the hostname part of the\n * header only (excluding the port). Defaults to all hosts.\n * * handler - (required when handler is not set) the route handler function called to generate the response after successful authentication and validation.\n * * options - additional route options. The options value can be an object or a function that returns an object using the signature function(server) where server is the server the route is being\n * added to and this is bound to the current realm's bind option.\n * * rules - route custom rules object. The object is passed to each rules processor registered with server.rules(). Cannot be used if route.options.rules is defined.\n * @return Return value: none.\n * Note that the options object is deeply cloned (with the exception of bind which is shallowly copied) and cannot contain any values that are unsafe to perform deep copy on.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverrouteroute)\n */\n route (route: ServerRoute | ServerRoute[]): void;\n\n /**\n * Defines a route rules processor for converting route rules object into route configuration where:\n * @param processor - a function using the signature function(rules, info) where:\n * * rules -\n * * info - an object with the following properties:\n * * * method - the route method.\n * * * path - the route path.\n * * * vhost - the route virtual host (if any defined).\n * * returns a route config object.\n * @param options - optional settings:\n * * validate - rules object validation:\n * * * schema - joi schema.\n * * * options - optional joi validation options. Defaults to { allowUnknown: true }.\n * Note that the root server and each plugin server instance can only register one rules processor. If a route is added after the rules are configured, it will not include the rules config.\n * Routes added by plugins apply the rules to each of the parent realms' rules from the root to the route's realm. This means the processor defined by the plugin override the config generated\n * by the root processor if they overlap. The route config overrides the rules config if the overlap.\n * @return void\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverrulesprocessor-options)\n */\n rules (\n processor: RulesProcessor,\n options?: RulesOptions | undefined\n ): void;\n\n /**\n * Starts the server by listening for incoming requests on the configured port (unless the connection was configured with autoListen set to false).\n * @return Return value: none.\n * Note that if the method fails and throws an error, the server is considered to be in an undefined state and should be shut down. In most cases it would be impossible to fully recover as the\n * various plugins, caches, and other event listeners will get confused by repeated attempts to start the server or make assumptions about the healthy state of the environment. It is\n * recommended to abort the process when the server fails to start properly. If you must try to resume after an error, call server.stop() first to reset the server state. If a started server\n * is started again, the second call to server.start() is ignored. No events will be emitted and no extension points invoked.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverstart)\n */\n start(): Promise;\n\n /**\n * HTTP state management uses client cookies to persist a state across multiple requests.\n * @param name - the cookie name string.\n * @param options - are the optional cookie settings\n * @return Return value: none.\n * State defaults can be modified via the server default state configuration option.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverstatename-options)\n */\n state(name: string, options?: ServerStateCookieOptions | undefined): void;\n\n /**\n * Stops the server's listener by refusing to accept any new connections or requests (existing connections will continue until closed or timeout), where:\n * @param options - (optional) object with:\n * * timeout - overrides the timeout in millisecond before forcefully terminating a connection. Defaults to 5000 (5 seconds).\n * @return Return value: none.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-await-serverstopoptions)\n */\n stop(options?: {timeout: number} | undefined): Promise;\n\n /**\n * Returns a copy of the routing table where:\n * @param host - (optional) host to filter routes matching a specific virtual host. Defaults to all virtual hosts.\n * @return Return value: an array of routes where each route contains:\n * * settings - the route config with defaults applied.\n * * method - the HTTP method in lower case.\n * * path - the route path.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-servertablehost)\n */\n table(host?: string | string[] | undefined): RequestRoute[];\n\n /**\n * Registers a server validation module used to compile raw validation rules into validation schemas for all routes.\n * The validator is only used when validation rules are not pre-compiled schemas. When a validation rules is a function or schema object, the rule is used as-is and the validator is not used.\n */\n validator(joi: Root): void;\n}\n\n/**\n * Factory function to create a new server object (introduced in v17).\n */\nexport function server(opts?: ServerOptions | undefined): Server;\n" }, { "path": "lib/types/server/state.d.ts", "content": "import { StateOptions, SameSitePolicy } from '@hapi/statehood';\n\nimport { Request } from '../request';\n\nexport { SameSitePolicy };\n\n/**\n * Optional cookie settings\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverstatename-options)\n */\nexport interface ServerStateCookieOptions extends StateOptions {}\n\n/**\n * A single object or an array of object where each contains:\n * * name - the cookie name.\n * * value - the cookie value.\n * * options - cookie configuration to override the server settings.\n */\nexport interface ServerStateFormat {\n name: string;\n value: string;\n options: ServerStateCookieOptions;\n}\n\n/**\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serverstatename-options)\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-serveroptionsstate)\n */\nexport interface ServerState {\n /**\n * The server cookies manager.\n * Access: read only and statehood public interface.\n */\n readonly states: object;\n\n /**\n * The server cookies manager settings. The settings are based on the values configured in [server.options.state](https://github.com/hapijs/hapi/blob/master/API.md#server.options.state).\n */\n readonly settings: ServerStateCookieOptions;\n\n /**\n * An object containing the configuration of each cookie added via [server.state()](https://github.com/hapijs/hapi/blob/master/API.md#server.state()) where each key is the\n * cookie name and value is the configuration object.\n */\n readonly cookies: {\n [key: string]: ServerStateCookieOptions;\n };\n\n /**\n * An array containing the names of all configured cookies.\n */\n readonly names: string[];\n\n /**\n * Same as calling [server.state()](https://github.com/hapijs/hapi/blob/master/API.md#server.state()).\n */\n add(name: string, options?: ServerStateCookieOptions | undefined): void;\n\n /**\n * Formats an HTTP 'Set-Cookie' header based on the server.options.state where:\n * @param cookies - a single object or an array of object where each contains:\n * * name - the cookie name.\n * * value - the cookie value.\n * * options - cookie configuration to override the server settings.\n * @return Return value: a header string.\n * Note that this utility uses the server configuration but does not change the server state. It is provided for manual cookie formatting (e.g. when headers are set manually).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-async-serverstatesformatcookies)\n */\n format(cookies: ServerStateFormat | ServerStateFormat[]): Promise;\n\n /**\n * Parses an HTTP 'Cookies' header based on the server.options.state where:\n * @param header - the HTTP header.\n * @return Return value: an object where each key is a cookie name and value is the parsed cookie.\n * Note that this utility uses the server configuration but does not change the server state. It is provided for manual cookie parsing (e.g. when server parsing is disabled).\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-async-serverstatesparseheader)\n */\n parse(header: string): Promise>;\n}\n" }, { "path": "lib/types/utils.d.ts", "content": "import * as https from 'https';\nimport * as stream from 'stream';\n\nimport { Boom } from '@hapi/boom';\nimport { ResponseObject as ShotResponseObject } from '@hapi/shot';\n\nimport {\n ReqRef,\n ReqRefDefaults,\n MergeRefs,\n Request} from './request';\nimport { ResponseToolkit, Auth } from './response';\n\n/**\n * All http parser [supported HTTP methods](https://nodejs.org/api/http.html#httpmethods).\n */\nexport type HTTP_METHODS = 'ACL' | 'BIND' | 'CHECKOUT' | 'CONNECT' | 'COPY' | 'DELETE' | 'GET' | 'HEAD' | 'LINK' | 'LOCK' |\n 'M-SEARCH' | 'MERGE' | 'MKACTIVITY' | 'MKCALENDAR' | 'MKCOL' | 'MOVE' | 'NOTIFY' | 'OPTIONS' | 'PATCH' | 'POST' |\n 'PROPFIND' | 'PROPPATCH' | 'PURGE' | 'PUT' | 'REBIND' | 'REPORT' | 'SEARCH' | 'SOURCE' | 'SUBSCRIBE' | 'TRACE' |\n 'UNBIND' | 'UNLINK' | 'UNLOCK' | 'UNSUBSCRIBE';\n\nexport type PeekListener = (chunk: string, encoding: string) => void;\n\nexport namespace Json {\n /**\n * @see {@link https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#The_replacer_parameter}\n */\n type StringifyReplacer = ((key: string, value: any) => any) | (string | number)[] | undefined;\n\n /**\n * Any value greater than 10 is truncated.\n */\n type StringifySpace = number | string;\n\n /**\n * For context [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-routeoptionsjson)\n */\n interface StringifyArguments {\n /** the replacer function or array. Defaults to no action. */\n replacer?: StringifyReplacer | undefined;\n /** number of spaces to indent nested object keys. Defaults to no indentation. */\n space?: StringifySpace | undefined;\n /* string suffix added after conversion to JSON string. Defaults to no suffix. */\n suffix?: string | undefined;\n /* calls Hoek.jsonEscape() after conversion to JSON string. Defaults to false. */\n escape?: boolean | undefined;\n }\n}\n\nexport namespace Lifecycle {\n /**\n * Lifecycle methods are the interface between the framework and the application. Many of the request lifecycle steps:\n * extensions, authentication, handlers, pre-handler methods, and failAction function values are lifecycle methods\n * provided by the developer and executed by the framework.\n * Each lifecycle method is a function with the signature await function(request, h, [err]) where:\n * * request - the request object.\n * * h - the response toolkit the handler must call to set a response and return control back to the framework.\n * * err - an error object available only when the method is used as a failAction value.\n */\n type Method<\n Refs extends ReqRef = ReqRefDefaults,\n R extends ReturnValue = ReturnValue\n > = (\n this: MergeRefs['Bind'],\n request: Request,\n h: ResponseToolkit,\n err?: Error | undefined\n ) => R;\n\n /**\n * Each lifecycle method must return a value or a promise that resolves into a value. If a lifecycle method returns\n * without a value or resolves to an undefined value, an Internal Server Error (500) error response is sent.\n * The return value must be one of:\n * - Plain value: null, string, number, boolean\n * - Buffer object\n * - Error object: plain Error OR a Boom object.\n * - Stream object\n * - any object or array\n * - a toolkit signal:\n * - a toolkit method response:\n * - a promise object that resolve to any of the above values\n * For more info please [See docs](https://github.com/hapijs/hapi/blob/master/API.md#lifecycle-methods)\n */\n type ReturnValue = ReturnValueTypes | (Promise>);\n type ReturnValueTypes =\n (null | string | number | boolean) |\n (Buffer) |\n (Error | Boom) |\n (stream.Stream) |\n (object | object[]) |\n symbol |\n Auth<\n MergeRefs['AuthUser'],\n MergeRefs['AuthApp'],\n MergeRefs['AuthCredentialsExtra'],\n MergeRefs['AuthArtifactsExtra']\n > |\n ShotResponseObject;\n\n /**\n * Various configuration options allows defining how errors are handled. For example, when invalid payload is received or malformed cookie, instead of returning an error, the framework can be\n * configured to perform another action. When supported the failAction option supports the following values:\n * * 'error' - return the error object as the response.\n * * 'log' - report the error but continue processing the request.\n * * 'ignore' - take no action and continue processing the request.\n * * a lifecycle method with the signature async function(request, h, err) where:\n * * * request - the request object.\n * * * h - the response toolkit.\n * * * err - the error object.\n * [See docs](https://github.com/hapijs/hapi/blob/master/API.md#-failaction-configuration)\n */\n type FailAction = 'error' | 'log' | 'ignore' | Method;\n}\n" }, { "path": "lib/validation.js", "content": "'use strict';\n\nconst Boom = require('@hapi/boom');\nconst Hoek = require('@hapi/hoek');\nconst Validate = require('@hapi/validate');\n\n\nconst internals = {};\n\n\nexports.validator = function (validator) {\n\n Hoek.assert(validator, 'Missing validator');\n Hoek.assert(typeof validator.compile === 'function', 'Invalid validator compile method');\n\n return validator;\n};\n\n\nexports.compile = function (rule, validator, realm, core) {\n\n validator = validator ?? internals.validator(realm, core);\n\n // false - nothing allowed\n\n if (rule === false) {\n return Validate.object({}).allow(null);\n }\n\n // Custom function\n\n if (typeof rule === 'function') {\n return rule;\n }\n\n // null, undefined, true - anything allowed\n\n if (!rule || // false tested above\n rule === true) {\n\n return null;\n }\n\n // {...} - ... allowed\n\n if (typeof rule.validate === 'function') {\n return rule;\n }\n\n Hoek.assert(validator, 'Cannot set uncompiled validation rules without configuring a validator');\n return validator.compile(rule);\n};\n\n\ninternals.validator = function (realm, core) {\n\n while (realm) {\n if (realm.validator) {\n return realm.validator;\n }\n\n realm = realm.parent;\n }\n\n return core.validator;\n};\n\n\nexports.headers = function (request) {\n\n return internals.input('headers', request);\n};\n\n\nexports.params = function (request) {\n\n return internals.input('params', request);\n};\n\n\nexports.payload = function (request) {\n\n if (request.method === 'get' ||\n request.method === 'head') { // When route.method is '*'\n\n return;\n }\n\n return internals.input('payload', request);\n};\n\n\nexports.query = function (request) {\n\n return internals.input('query', request);\n};\n\n\nexports.state = function (request) {\n\n return internals.input('state', request);\n};\n\n\ninternals.input = async function (source, request) {\n\n const localOptions = {\n context: {\n headers: request.headers,\n params: request.params,\n query: request.query,\n payload: request.payload,\n state: request.state,\n auth: request.auth,\n app: {\n route: request.route.settings.app,\n request: request.app\n }\n }\n };\n\n delete localOptions.context[source];\n Hoek.merge(localOptions, request.route.settings.validate.options);\n\n try {\n const schema = request.route.settings.validate[source];\n const bind = request.route.settings.bind;\n\n var value = await (typeof schema !== 'function' ? internals.validate(request[source], schema, localOptions) : schema.call(bind, request[source], localOptions));\n return;\n }\n catch (err) {\n var validationError = err;\n }\n finally {\n request.orig[source] = request[source];\n if (value !== undefined) {\n request[source] = value;\n }\n }\n\n if (request.route.settings.validate.failAction === 'ignore') {\n return;\n }\n\n // Prepare error\n\n const defaultError = validationError.isBoom ? validationError : Boom.badRequest(`Invalid request ${source} input`);\n const detailedError = Boom.boomify(validationError, { statusCode: 400, override: false, data: { defaultError } });\n detailedError.output.payload.validation = { source, keys: [] };\n if (validationError.details) {\n for (const details of validationError.details) {\n const path = details.path;\n detailedError.output.payload.validation.keys.push(Hoek.escapeHtml(path.join('.')));\n }\n }\n\n if (request.route.settings.validate.errorFields) {\n for (const field in request.route.settings.validate.errorFields) {\n detailedError.output.payload[field] = request.route.settings.validate.errorFields[field];\n }\n }\n\n return request._core.toolkit.failAction(request, request.route.settings.validate.failAction, defaultError, { details: detailedError, tags: ['validation', 'error', source] });\n};\n\n\nexports.response = async function (request) {\n\n if (request.route.settings.response.sample) {\n const currentSample = Math.ceil(Math.random() * 100);\n if (currentSample > request.route.settings.response.sample) {\n return;\n }\n }\n\n const response = request.response;\n const statusCode = response.isBoom ? response.output.statusCode : response.statusCode;\n\n const statusSchema = request.route.settings.response.status[statusCode];\n if (statusCode >= 400 &&\n !statusSchema) {\n\n return; // Do not validate errors by default\n }\n\n const schema = statusSchema !== undefined ? statusSchema : request.route.settings.response.schema;\n if (schema === null) {\n return; // No rules\n }\n\n if (!response.isBoom &&\n request.response.variety !== 'plain') {\n\n throw Boom.badImplementation('Cannot validate non-object response');\n }\n\n const localOptions = {\n context: {\n headers: request.headers,\n params: request.params,\n query: request.query,\n payload: request.payload,\n state: request.state,\n auth: request.auth,\n app: {\n route: request.route.settings.app,\n request: request.app\n }\n }\n };\n\n const source = response.isBoom ? response.output.payload : response.source;\n Hoek.merge(localOptions, request.route.settings.response.options);\n\n try {\n let value;\n\n if (typeof schema !== 'function') {\n value = await internals.validate(source, schema, localOptions);\n }\n else {\n value = await schema(source, localOptions);\n }\n\n if (value !== undefined &&\n request.route.settings.response.modify) {\n\n if (response.isBoom) {\n response.output.payload = value;\n }\n else {\n response.source = value;\n }\n }\n }\n catch (err) {\n return request._core.toolkit.failAction(request, request.route.settings.response.failAction, err, { tags: ['validation', 'response', 'error'] });\n }\n};\n\n\ninternals.validate = function (value, schema, options) {\n\n if (typeof schema.validateAsync === 'function') {\n return schema.validateAsync(value, options);\n }\n\n return schema.validate(value, options);\n};\n" }, { "path": "package.json", "content": "{\n \"name\": \"@hapi/hapi\",\n \"description\": \"HTTP Server framework\",\n \"homepage\": \"https://hapi.dev\",\n \"version\": \"21.4.7\",\n \"repository\": \"git://github.com/hapijs/hapi\",\n \"main\": \"lib/index.js\",\n \"types\": \"lib/index.d.ts\",\n \"engines\": {\n \"node\": \">=14.15.0\"\n },\n \"files\": [\n \"lib\"\n ],\n \"keywords\": [\n \"framework\",\n \"http\",\n \"api\",\n \"web\"\n ],\n \"eslintConfig\": {\n \"extends\": [\n \"plugin:@hapi/module\"\n ]\n },\n \"dependencies\": {\n \"@hapi/accept\": \"^6.0.3\",\n \"@hapi/ammo\": \"^6.0.1\",\n \"@hapi/boom\": \"^10.0.1\",\n \"@hapi/bounce\": \"^3.0.2\",\n \"@hapi/call\": \"^9.0.1\",\n \"@hapi/catbox\": \"^12.1.1\",\n \"@hapi/catbox-memory\": \"^6.0.2\",\n \"@hapi/heavy\": \"^8.0.1\",\n \"@hapi/hoek\": \"^11.0.7\",\n \"@hapi/mimos\": \"^7.0.1\",\n \"@hapi/podium\": \"^5.0.2\",\n \"@hapi/shot\": \"^6.0.2\",\n \"@hapi/somever\": \"^4.1.1\",\n \"@hapi/statehood\": \"^8.2.1\",\n \"@hapi/subtext\": \"^8.1.1\",\n \"@hapi/teamwork\": \"^6.0.1\",\n \"@hapi/topo\": \"^6.0.2\",\n \"@hapi/validate\": \"^2.0.1\"\n },\n \"devDependencies\": {\n \"@hapi/code\": \"^9.0.3\",\n \"@hapi/eslint-plugin\": \"^6.0.0\",\n \"@hapi/inert\": \"^7.1.0\",\n \"@hapi/joi-legacy-test\": \"npm:@hapi/joi@^15.0.0\",\n \"@hapi/lab\": \"^25.3.2\",\n \"@hapi/vision\": \"^7.0.3\",\n \"@hapi/wreck\": \"^18.1.0\",\n \"@types/node\": \"^18.19.130\",\n \"handlebars\": \"^4.7.8\",\n \"joi\": \"^17.13.3\",\n \"legacy-readable-stream\": \"npm:readable-stream@^1.0.34\",\n \"typescript\": \"^5.9.3\"\n },\n \"scripts\": {\n \"test\": \"lab -a @hapi/code -t 100 -L -m 5000 -Y\",\n \"test-tap\": \"lab -a @hapi/code -r tap -o tests.tap -m 5000\",\n \"test-cov-html\": \"lab -a @hapi/code -r html -o coverage.html -m 5000\"\n },\n \"license\": \"BSD-3-Clause\"\n}\n" }, { "path": "test/.hidden", "content": "Ssssh!\n" }, { "path": "test/auth.js", "content": "'use strict';\n\nconst Path = require('path');\n\nconst Boom = require('@hapi/boom');\nconst Code = require('@hapi/code');\nconst Handlebars = require('handlebars');\nconst Hapi = require('..');\nconst Hoek = require('@hapi/hoek');\nconst Lab = require('@hapi/lab');\nconst Vision = require('@hapi/vision');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('authentication', () => {\n\n it('requires and authenticates a request', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve' } } });\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth });\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(401);\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result).to.equal({\n isAuthenticated: true,\n isAuthorized: false,\n isInjected: false,\n credentials: { user: 'steve' },\n artifacts: undefined,\n strategy: 'default',\n mode: 'required',\n error: null\n }, { symbols: false });\n });\n\n it('disables authentication on a route', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({ method: 'POST', path: '/', options: { auth: false, handler: (request) => request.auth.isAuthenticated } });\n\n const res1 = await server.inject({ url: '/', method: 'POST' });\n expect(res1.statusCode).to.equal(200);\n expect(res1.result).to.be.false();\n\n const res2 = await server.inject({ url: '/', method: 'POST', headers: { authorization: 'Custom steve' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result).to.be.false();\n });\n\n it('defaults cache to private if request authenticated', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('ok').ttl(1000) });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n expect(res.headers['cache-control']).to.equal('max-age=1, must-revalidate, private');\n });\n\n it('authenticates a request against another route', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['one'] } } });\n server.auth.default('default');\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => {\n\n const credentials = request.auth.credentials;\n\n const access = {\n two: request.server.lookup('two').auth.access(request),\n three1: request.server.lookup('three').auth.access(request),\n four1: request.server.lookup('four').auth.access(request),\n five1: request.server.lookup('five').auth.access(request)\n };\n\n request.auth.credentials = null;\n access.three2 = request.server.lookup('three').auth.access(request);\n access.four2 = request.server.lookup('four').auth.access(request);\n access.five2 = request.server.lookup('five').auth.access(request);\n request.auth.credentials = credentials;\n\n return access;\n },\n auth: {\n scope: 'one'\n }\n }\n });\n\n server.route({ method: 'GET', path: '/two', options: { id: 'two', handler: () => null, auth: { scope: 'two' } } });\n server.route({ method: 'GET', path: '/three', options: { id: 'three', handler: () => null, auth: { scope: 'one' } } });\n server.route({ method: 'GET', path: '/four', options: { id: 'four', handler: () => null, auth: false } });\n server.route({ method: 'GET', path: '/five', options: { id: 'five', handler: () => null, auth: { mode: 'required' } } });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal({\n two: false,\n three1: true,\n three2: false,\n four1: true,\n four2: true,\n five1: true,\n five2: true\n });\n });\n\n describe('strategy()', () => {\n\n it('errors when strategy authenticate function throws', async () => {\n\n const server = Hapi.server({ debug: false });\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom');\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.credentials.user });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(500);\n });\n\n it('throws when strategy missing scheme', () => {\n\n const server = Hapi.server();\n expect(() => {\n\n server.auth.strategy('none');\n }).to.throw('Authentication strategy none missing scheme');\n });\n\n it('adds a route to server', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} }, route: true });\n server.auth.default('default');\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(401);\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res2.statusCode).to.equal(204);\n });\n\n it('uses views', async () => {\n\n const implementation = function (server, options) {\n\n server.views({\n engines: { 'html': Handlebars },\n relativeTo: Path.join(__dirname, '/templates/plugin')\n });\n\n server.route({\n method: 'GET',\n path: '/view',\n handler: (request, h) => h.view('test', { message: 'steve' }),\n options: { auth: false }\n });\n\n return {\n authenticate: (request, h) => h.view('test', { message: 'xyz' }).takeover()\n };\n };\n\n const server = Hapi.server();\n await server.register(Vision);\n\n server.views({\n engines: { 'html': Handlebars },\n relativeTo: Path.join(__dirname, '/no/such/directory')\n });\n\n server.auth.scheme('custom', implementation);\n server.auth.strategy('default', 'custom');\n server.auth.default('default');\n\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const res1 = await server.inject('/view');\n expect(res1.result).to.equal('

steve

');\n\n const res2 = await server.inject('/');\n expect(res2.statusCode).to.equal(200);\n expect(res2.result).to.equal('

xyz

');\n });\n\n it('exposes an api', () => {\n\n const implementation = function (server, options) {\n\n return {\n api: {\n x: 5\n },\n authenticate: (request, h) => h.continue(null, {})\n };\n };\n\n const server = Hapi.server();\n server.auth.scheme('custom', implementation);\n server.auth.strategy('xyz', 'custom');\n server.auth.default('xyz');\n\n expect(server.auth.api.xyz.x).to.equal(5);\n });\n\n it('has its own realm', async () => {\n\n const implementation = function (server) {\n\n return {\n authenticate: (_, h) => h.authenticated({ credentials: server.realm })\n };\n };\n\n const server = Hapi.server();\n\n server.auth.scheme('custom', implementation);\n server.auth.strategy('root', 'custom');\n\n let pluginA;\n\n await server.register({\n name: 'plugin-a',\n register(srv) {\n\n pluginA = srv;\n\n srv.auth.strategy('a', 'custom');\n }\n });\n\n const handler = (request) => request.auth.credentials;\n server.route({ method: 'GET', path: '/a', handler, options: { auth: 'a' } });\n server.route({ method: 'GET', path: '/root', handler, options: { auth: 'root' } });\n\n const { result: realm1 } = await server.inject('/a');\n expect(realm1.plugin).to.be.undefined();\n expect(realm1).to.not.shallow.equal(server.realm);\n expect(realm1.parent).to.shallow.equal(pluginA.realm);\n\n const { result: realm2 } = await server.inject('/root');\n expect(realm2.plugin).to.be.undefined();\n expect(realm2).to.not.shallow.equal(server.realm);\n expect(realm2.parent).to.shallow.equal(server.realm);\n });\n });\n\n describe('default()', () => {\n\n it('sets default', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n\n server.auth.default('default');\n expect(server.auth.settings.default).to.equal({ strategies: ['default'], mode: 'required' });\n\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.credentials.user });\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(401);\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res2.statusCode).to.equal(204);\n });\n\n it('sets default with object', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n\n server.auth.default({ strategy: 'default' });\n expect(server.auth.settings.default).to.equal({ strategies: ['default'], mode: 'required' });\n\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.credentials.user });\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(401);\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res2.statusCode).to.equal(204);\n });\n\n it('throws when setting default twice', () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n expect(() => {\n\n server.auth.default('default');\n server.auth.default('default');\n }).to.throw('Cannot set default strategy more than once');\n });\n\n it('throws when setting default without strategy', () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n expect(() => {\n\n server.auth.default({ mode: 'required' });\n }).to.throw('Missing authentication strategy: default strategy');\n });\n\n it('matches dynamic scope', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve', scope: 'one-test-admin-x-steve' } } });\n server.auth.default({ strategy: 'default', scope: 'one-{params.id}-{params.role}-{payload.x}-{credentials.user}' });\n server.route({\n method: 'POST',\n path: '/{id}/{role}',\n handler: (request) => request.auth.credentials.user\n });\n\n const res = await server.inject({ method: 'POST', url: '/test/admin', headers: { authorization: 'Custom steve' }, payload: { x: 'x' } });\n expect(res.statusCode).to.equal(200);\n });\n });\n\n describe('_setupRoute()', () => {\n\n it('throws when route refers to nonexistent strategy', () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('a', 'custom', { users: { steve: {} } });\n server.auth.strategy('b', 'custom', { users: { steve: {} } });\n\n expect(() => {\n\n server.route({\n path: '/',\n method: 'GET',\n options: {\n auth: {\n strategy: 'c'\n },\n handler: () => 'ok'\n }\n });\n }).to.throw('Unknown authentication strategy c in /');\n });\n });\n\n describe('lookup', () => {\n\n it('returns the route auth config', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: (request) => request.server.auth.lookup(request.route) });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal({\n strategies: ['default'],\n mode: 'required'\n });\n });\n });\n\n describe('authenticate()', () => {\n\n it('setups route with optional authentication', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => !!request.auth.credentials,\n auth: {\n mode: 'optional'\n }\n }\n });\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(200);\n expect(res1.payload).to.equal('false');\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.payload).to.equal('true');\n });\n\n it('exposes mode', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => request.auth.mode\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('required');\n });\n\n it('authenticates using multiple strategies', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('first', 'custom', { users: { steve: 'skip' } });\n server.auth.strategy('second', 'custom', { users: { steve: {} } });\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.strategy,\n auth: {\n strategies: ['first', 'second']\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('second');\n });\n\n it('authenticates using credentials object', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve' } } });\n server.auth.default('default');\n\n const doubleHandler = async (request) => {\n\n const options = { url: '/2', auth: { credentials: request.auth.credentials, strategy: 'default' } };\n const res = await server.inject(options);\n return res.result;\n };\n\n server.route({ method: 'GET', path: '/1', handler: doubleHandler });\n server.route({ method: 'GET', path: '/2', handler: (request) => request.auth.credentials.user });\n\n const res = await server.inject({ url: '/1', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('steve');\n });\n\n it('authenticates using credentials object (with artifacts)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve' } } });\n server.auth.default('default');\n\n const doubleHandler = async (request) => {\n\n const options = { url: '/2', auth: { credentials: request.auth.credentials, artifacts: '!', strategy: 'default' } };\n const res = await server.inject(options);\n return res.result;\n };\n\n const handler = (request) => {\n\n return request.auth.credentials.user + request.auth.artifacts;\n };\n\n server.route({ method: 'GET', path: '/1', handler: doubleHandler });\n server.route({ method: 'GET', path: '/2', handler });\n\n const res = await server.inject({ url: '/1', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('steve!');\n });\n\n it('authenticates a request with custom auth settings', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n strategy: 'default'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('authenticates a request with auth strategy name config', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: 'default'\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('tries to authenticate a request', async () => {\n\n const handler = (request) => {\n\n return { status: request.auth.isAuthenticated, error: request.auth.error };\n };\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default({ strategy: 'default', mode: 'try' });\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(200);\n expect(res1.result.status).to.equal(false);\n expect(res1.result.error.message).to.equal('Missing authentication');\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom john' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result.status).to.equal(false);\n expect(res2.result.error.message).to.equal('Missing credentials');\n\n const res3 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res3.statusCode).to.equal(200);\n expect(res3.result.status).to.equal(true);\n expect(res3.result.error).to.not.exist();\n });\n\n it('errors on invalid authenticate callback missing both error and credentials', async () => {\n\n const server = Hapi.server({ debug: false });\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.credentials.user });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom' } });\n expect(res.statusCode).to.equal(500);\n });\n\n it('logs error', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.credentials.user });\n\n let logged = false;\n server.events.on({ name: 'request', channels: 'internal' }, (request, event, tags) => {\n\n if (tags.auth) {\n logged = true;\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom john' } });\n expect(res.statusCode).to.equal(401);\n expect(logged).to.be.true();\n });\n\n it('returns a non Error error response', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { message: 'in a bottle' } });\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.credentials.user });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom message' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('in a bottle');\n });\n\n it('passes non Error error response when set to try ', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { message: 'in a bottle' } });\n server.auth.default({ strategy: 'default', mode: 'try' });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom message' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('in a bottle');\n });\n\n it('matches scope (array to single)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['one'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'one'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches scope (array to array)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['one', 'two'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: ['one', 'three']\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches scope (single to array)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: 'one' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: ['one', 'three']\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches scope (single to single)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: 'one' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'one'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches dynamic scope (single to single)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: 'one-test' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/{id}',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'one-{params.id}'\n }\n }\n });\n\n const res = await server.inject({ url: '/test', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches multiple required dynamic scopes', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['test', 'one-test'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/{id}',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: ['+one-{params.id}', '+{params.id}']\n }\n }\n });\n\n const res = await server.inject({ url: '/test', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches multiple required dynamic scopes (mixed types)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['test', 'one-test'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/{id}',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: ['+one-{params.id}', '{params.id}']\n }\n }\n });\n\n const res = await server.inject({ url: '/test', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches dynamic scope with multiple parts (single to single)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: 'one-test-admin' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/{id}/{role}',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'one-{params.id}-{params.role}'\n }\n }\n });\n\n const res = await server.inject({ url: '/test/admin', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('does not match broken dynamic scope (single to single)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: 'one-test' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/{id}',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'one-params.id}'\n }\n }\n });\n\n server.ext('onPreResponse', (request, h) => {\n\n expect(request.response.data).to.contain(['got', 'need']);\n return h.continue;\n });\n\n const res = await server.inject({ url: '/test', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('Insufficient scope');\n });\n\n it('does not match scope (single to single)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: 'one' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'onex'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('Insufficient scope');\n });\n\n it('matches modified scope', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: 'two' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'one'\n }\n }\n });\n\n server.ext('onCredentials', (request, h) => {\n\n request.auth.credentials.scope = 'one';\n return h.continue;\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('errors on missing scope', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['a'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'b'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('Insufficient scope');\n });\n\n it('errors on missing scope property', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: 'b'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('Insufficient scope');\n });\n\n it('validates required scope', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', {\n users: {\n steve: { scope: ['a', 'b'] },\n john: { scope: ['a', 'b', 'c'] }\n }\n });\n\n server.auth.default('default');\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: ['+c', 'b']\n }\n }\n });\n\n const res1 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res1.statusCode).to.equal(403);\n expect(res1.result.message).to.equal('Insufficient scope');\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom john' } });\n expect(res2.statusCode).to.equal(204);\n });\n\n it('validates forbidden scope', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', {\n users: {\n steve: { scope: ['a', 'b'] },\n john: { scope: ['b', 'c'] }\n }\n });\n\n server.auth.default('default');\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: ['!a', 'b']\n }\n }\n });\n\n const res1 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res1.statusCode).to.equal(403);\n expect(res1.result.message).to.equal('Insufficient scope');\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom john' } });\n expect(res2.statusCode).to.equal(204);\n });\n\n it('validates complex scope', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', {\n users: {\n steve: { scope: ['a', 'b', 'c'] },\n john: { scope: ['b', 'c'] },\n mary: { scope: ['b', 'd'] },\n lucy: { scope: 'b' },\n larry: { scope: ['c', 'd'] }\n }\n });\n\n server.auth.default('default');\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: ['!a', '+b', 'c', 'd']\n }\n }\n });\n\n const res1 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res1.statusCode).to.equal(403);\n expect(res1.result.message).to.equal('Insufficient scope');\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom john' } });\n expect(res2.statusCode).to.equal(204);\n\n const res3 = await server.inject({ url: '/', headers: { authorization: 'Custom mary' } });\n expect(res3.statusCode).to.equal(204);\n\n const res4 = await server.inject({ url: '/', headers: { authorization: 'Custom lucy' } });\n expect(res4.statusCode).to.equal(403);\n expect(res4.result.message).to.equal('Insufficient scope');\n\n const res5 = await server.inject({ url: '/', headers: { authorization: 'Custom larry' } });\n expect(res5.statusCode).to.equal(403);\n expect(res5.result.message).to.equal('Insufficient scope');\n });\n\n it('errors on missing scope using arrays', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['a', 'b'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: ['c', 'd']\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('Insufficient scope');\n });\n\n it('uses default scope when no scope override is set', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('a', 'custom', { users: { steve: { scope: ['two'] } } });\n server.auth.default({\n strategy: 'a',\n access: {\n scope: 'one'\n }\n });\n\n server.route({\n path: '/',\n method: 'GET',\n options: {\n auth: {\n mode: 'required'\n },\n handler: () => 'ok'\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('Insufficient scope');\n });\n\n it('ignores default scope when override set to null', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default({\n strategy: 'default',\n scope: 'one'\n });\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n scope: false\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches scope (access single)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['one'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth,\n auth: {\n access: {\n scope: 'one'\n }\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal({\n isAuthenticated: true,\n isAuthorized: true,\n isInjected: false,\n credentials: { scope: ['one'], user: null },\n artifacts: undefined,\n strategy: 'default',\n mode: 'required',\n error: null\n }, { symbols: false });\n });\n\n it('matches scope (access array)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['one'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n access: [\n { scope: 'other' },\n { scope: 'one' }\n ]\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('errors on matching scope (access array)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['one'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n access: [\n { scope: 'two' },\n { scope: 'three' },\n { entity: 'user', scope: 'one' },\n { entity: 'app', scope: 'four' }\n ]\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('Insufficient scope');\n });\n\n it('matches any entity', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: () => null,\n auth: {\n entity: 'any'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('matches user entity', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: () => null,\n auth: {\n entity: 'user'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('errors on missing user entity', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { client: {} } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: () => null,\n auth: {\n entity: 'user'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom client' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('Application credentials cannot be used on a user endpoint');\n });\n\n it('matches app entity', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { client: {} } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: () => null,\n auth: {\n entity: 'app'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom client' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('errors on missing app entity', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve' } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: () => null,\n auth: {\n entity: 'app'\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(403);\n expect(res.result.message).to.equal('User credentials cannot be used on an application endpoint');\n });\n\n it('logs error code when authenticate returns a non-error error', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('test', (srv, options) => {\n\n return {\n authenticate: (request, h) => h.response('Redirecting ...').redirect('/test').takeover()\n };\n });\n\n server.auth.strategy('test', 'test', {});\n server.auth.default('test');\n\n server.route({\n method: 'GET',\n path: '/',\n handler: () => 'test'\n });\n\n let logged = null;\n server.events.on({ name: 'request', channels: 'internal' }, (request, event, tags) => {\n\n if (tags.unauthenticated) {\n logged = event;\n }\n });\n\n await server.inject('/');\n expect(logged.data).to.equal({ statusCode: 302 });\n });\n\n it('passes the options.artifacts object, even with an auth filter', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: {} } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth.artifacts,\n auth: 'default'\n }\n });\n\n const options = {\n url: '/',\n headers: { authorization: 'Custom steve' },\n auth: {\n credentials: { foo: 'bar' },\n artifacts: { bar: 'baz' },\n strategy: 'default'\n }\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result.bar).to.equal('baz');\n });\n\n it('errors on empty authenticate()', async () => {\n\n const scheme = () => {\n\n return { authenticate: (request, h) => h.authenticated() };\n };\n\n const server = Hapi.server({ debug: false });\n server.auth.scheme('custom', scheme);\n server.auth.strategy('default', 'custom');\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('passes credentials on unauthenticated() in try mode', async () => {\n\n const scheme = () => {\n\n return { authenticate: (request, h) => h.unauthenticated(Boom.unauthorized(), { credentials: { user: 'steve' } }) };\n };\n\n const server = Hapi.server();\n server.ext('onPreResponse', (request, h) => {\n\n if (request.auth.credentials.user === 'steve') {\n return h.continue;\n }\n });\n\n server.auth.scheme('custom', scheme);\n server.auth.strategy('default', 'custom');\n server.auth.default({ strategy: 'default', mode: 'try' });\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n });\n\n it('passes strategy, credentials, artifacts, error on unauthenticated() in required mode', async () => {\n\n const scheme = () => {\n\n return { authenticate: (request, h) => h.unauthenticated(Boom.unauthorized(), { credentials: { user: 'steve' }, artifacts: '!' }) };\n };\n\n const server = Hapi.server();\n server.ext('onPreResponse', (request, h) => {\n\n if (request.auth.credentials.user === 'steve') {\n return h.continue;\n }\n });\n\n server.ext('onPreResponse', (request, h) => {\n\n expect(request.auth.credentials).to.equal({ user: 'steve' });\n expect(request.auth.artifacts).to.equal('!');\n expect(request.auth.strategy).to.equal('default');\n expect(request.auth.error.message).to.equal('Unauthorized');\n return h.continue;\n });\n\n server.auth.scheme('custom', scheme);\n server.auth.strategy('default', 'custom');\n server.auth.default('default', { mode: 'required' });\n\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(401);\n });\n });\n\n describe('verify()', () => {\n\n it('verifies an authenticated request', async () => {\n\n const implementation = (...args) => {\n\n const imp = internals.implementation(...args);\n imp.verify = async (auth) => {\n\n await Hoek.wait(1);\n if (auth.credentials.user !== 'steve') {\n throw Boom.unauthorized('Invalid');\n }\n };\n\n return imp;\n };\n\n const server = Hapi.server();\n server.auth.scheme('custom', implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve' }, john: { user: 'john' } } });\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n auth: {\n mode: 'try',\n strategy: 'default'\n },\n handler: async (request) => {\n\n if (request.auth.error &&\n request.auth.error.message === 'Missing authentication') {\n\n request.auth.error = null;\n }\n\n return await server.auth.verify(request) || 'ok';\n }\n }\n });\n\n const res1 = await server.inject('/');\n expect(res1.result).to.equal('ok');\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res2.result).to.equal('ok');\n\n const res3 = await server.inject({ url: '/', headers: { authorization: 'Custom unknown' } });\n expect(res3.result.message).to.equal('Missing credentials');\n\n const res4 = await server.inject({ url: '/', auth: { credentials: {}, strategy: 'default' } });\n expect(res4.result.message).to.equal('Invalid');\n\n const res5 = await server.inject({ url: '/', auth: { credentials: { user: 'steve' }, strategy: 'default' } });\n expect(res5.result).to.equal('ok');\n\n const res6 = await server.inject({ url: '/', headers: { authorization: 'Custom john' } });\n expect(res6.result.message).to.equal('Invalid');\n });\n\n it('skips when verify unsupported', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { user: 'steve' } } });\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n auth: {\n mode: 'try',\n strategy: 'default'\n },\n handler: async (request) => {\n\n return await server.auth.verify(request) || 'ok';\n }\n }\n });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.result).to.equal('ok');\n });\n });\n\n describe('access()', () => {\n\n it('skips access when unauthenticated and mode is not required', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { scope: ['one'] } } });\n server.auth.default('default');\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.auth,\n auth: {\n mode: 'optional',\n access: {\n scope: 'one'\n }\n }\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result.isAuthenticated).to.be.false();\n expect(res.result.isAuthorized).to.be.false();\n });\n });\n\n describe('payload()', () => {\n\n it('authenticates request payload', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { validPayload: { payload: null } } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: 'required'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom validPayload' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('skips when scheme does not support it', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { validPayload: { payload: null } }, payload: false });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom validPayload' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('authenticates request payload (required scheme)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { validPayload: { payload: null } }, options: { payload: true } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {}\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom validPayload' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('authenticates request payload (required scheme and required route)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { validPayload: { payload: null } }, options: { payload: true } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: true\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom validPayload' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('throws when scheme requires payload authentication and route conflicts', () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { validPayload: { payload: null } }, options: { payload: true } });\n server.auth.default('default');\n expect(() => {\n\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: 'optional'\n }\n }\n });\n }).to.throw('Cannot set authentication payload to optional when a strategy requires payload validation in /');\n });\n\n it('throws when strategy does not support payload authentication', () => {\n\n const server = Hapi.server();\n const implementation = function () {\n\n return { authenticate: internals.implementation().authenticate };\n };\n\n server.auth.scheme('custom', implementation);\n server.auth.strategy('default', 'custom', {});\n server.auth.default('default');\n expect(() => {\n\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: 'required'\n }\n }\n });\n }).to.throw('Payload validation can only be required when all strategies support it in /');\n });\n\n it('throws when no strategy supports optional payload authentication', () => {\n\n const server = Hapi.server();\n const implementation = function () {\n\n return { authenticate: internals.implementation().authenticate };\n };\n\n server.auth.scheme('custom', implementation);\n server.auth.strategy('default', 'custom', {});\n server.auth.default('default');\n expect(() => {\n\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: 'optional'\n }\n }\n });\n }).to.throw('Payload authentication requires at least one strategy with payload support in /');\n });\n\n it('allows one strategy to supports optional payload authentication while another does not', async () => {\n\n const server = Hapi.server();\n const implementation = function (...args) {\n\n return { authenticate: internals.implementation(...args).authenticate };\n };\n\n server.auth.scheme('custom1', implementation);\n server.auth.scheme('custom2', internals.implementation, { users: {} });\n server.auth.strategy('default1', 'custom1', { users: { steve: { user: 'steve' } } });\n server.auth.strategy('default2', 'custom2', {});\n\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n strategies: ['default1', 'default2'],\n payload: 'optional'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(200);\n });\n\n it('skips request payload by default', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { skip: {} } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom skip' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('skips request payload when unauthenticated', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { skip: {} } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: () => null,\n auth: {\n mode: 'try',\n payload: 'required'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/' });\n expect(res.statusCode).to.equal(204);\n });\n\n it('skips optional payload', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { optionalPayload: { payload: Boom.unauthorized(null, 'Custom') } } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: 'optional'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom optionalPayload' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('skips required payload authentication when disabled on injection', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom');\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => null,\n auth: {\n mode: 'try',\n payload: true\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', auth: { credentials: { payload: Boom.internal('payload error') }, payload: false, strategy: 'default' } });\n expect(res.statusCode).to.equal(204);\n });\n\n it('errors on missing payload when required', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { optionalPayload: { payload: Boom.unauthorized(null, 'Custom') } } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: 'required'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom optionalPayload' } });\n expect(res.statusCode).to.equal(401);\n });\n\n it('errors on invalid payload auth when required', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { optionalPayload: { payload: Boom.unauthorized() } } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: 'required'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom optionalPayload' } });\n expect(res.statusCode).to.equal(401);\n });\n\n it('errors on invalid request payload (non error)', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { invalidPayload: { payload: 'Payload is invalid' } } });\n server.auth.default('default');\n server.route({\n method: 'POST',\n path: '/',\n options: {\n handler: (request) => request.auth.credentials.user,\n auth: {\n payload: 'required'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', headers: { authorization: 'Custom invalidPayload' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('Payload is invalid');\n });\n });\n\n describe('response()', () => {\n\n it('fails on response error', async () => {\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { response: Boom.internal() } } });\n server.auth.default('default');\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.credentials.user });\n\n const res = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('test()', () => {\n\n it('tests a request', async () => {\n\n const handler = async (request) => {\n\n try {\n const { credentials, artifacts } = await request.server.auth.test('default', request);\n return { status: true, user: credentials.name, artifacts };\n }\n catch (err) {\n return { status: false };\n }\n };\n\n const server = Hapi.server();\n server.auth.scheme('custom', internals.implementation);\n server.auth.strategy('default', 'custom', { users: { steve: { name: 'steve' }, skip: 'skip' }, artifacts: {} });\n server.route({ method: 'GET', path: '/', handler });\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(200);\n expect(res1.result.status).to.be.false();\n\n const res2 = await server.inject({ url: '/', headers: { authorization: 'Custom steve' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result.status).to.be.true();\n expect(res2.result.user).to.equal('steve');\n expect(res2.result.artifacts).to.equal({});\n\n const res3 = await server.inject({ url: '/', headers: { authorization: 'Custom skip' } });\n expect(res3.statusCode).to.equal(200);\n expect(res3.result.status).to.be.false();\n });\n });\n});\n\n\ninternals.implementation = function (server, options) {\n\n const settings = Hoek.clone(options);\n\n if (settings &&\n settings.route) {\n\n server.route({ method: 'GET', path: '/', handler: (request) => (request.auth.credentials.user || null) });\n }\n\n const scheme = {\n authenticate: (request, h) => {\n\n const req = request.raw.req;\n const authorization = req.headers.authorization;\n if (!authorization) {\n return Boom.unauthorized(null, 'Custom');\n }\n\n const parts = authorization.split(/\\s+/);\n if (parts.length !== 2) {\n return h.continue; // Error without error or credentials\n }\n\n const username = parts[1];\n const credentials = settings.users[username];\n\n if (!credentials) {\n throw Boom.unauthorized('Missing credentials', 'Custom');\n }\n\n if (credentials === 'skip') {\n return h.unauthenticated(Boom.unauthorized(null, 'Custom'));\n }\n\n if (typeof credentials === 'string') {\n return h.response(credentials).takeover();\n }\n\n credentials.user = credentials.user || null;\n return h.authenticated({ credentials, artifacts: settings.artifacts });\n },\n response: (request, h) => {\n\n if (request.auth.credentials.response) {\n throw request.auth.credentials.response;\n }\n\n return h.continue;\n }\n };\n\n if (!settings ||\n settings.payload !== false) {\n\n scheme.payload = (request, h) => {\n\n const result = request.auth.credentials.payload;\n if (!result) {\n return h.continue;\n }\n\n if (result.isBoom) {\n throw result;\n }\n\n return h.response(request.auth.credentials.payload).takeover();\n };\n }\n\n if (settings &&\n settings.options) {\n\n scheme.options = settings.options;\n }\n\n return scheme;\n};\n" }, { "path": "test/common.js", "content": "'use strict';\n\nconst ChildProcess = require('child_process');\nconst Http = require('http');\nconst Net = require('net');\n\nconst internals = {};\n\ninternals.hasLsof = () => {\n\n try {\n ChildProcess.execSync(`lsof -p ${process.pid}`, { stdio: 'ignore' });\n }\n catch (err) {\n return false;\n }\n\n return true;\n};\n\ninternals.hasIPv6 = () => {\n\n const server = Http.createServer().listen();\n const { address } = server.address();\n server.close();\n\n return Net.isIPv6(address);\n};\n\nexports.hasLsof = internals.hasLsof();\n\nexports.hasIPv6 = internals.hasIPv6();\n" }, { "path": "test/core.js", "content": "'use strict';\n\nconst ChildProcess = require('child_process');\nconst Events = require('events');\nconst Fs = require('fs');\nconst Http = require('http');\nconst Https = require('https');\nconst Net = require('net');\nconst Os = require('os');\nconst Path = require('path');\nconst Stream = require('stream');\nconst TLS = require('tls');\n\nconst Boom = require('@hapi/boom');\nconst { Engine: CatboxMemory } = require('@hapi/catbox-memory');\nconst Code = require('@hapi/code');\nconst Handlebars = require('handlebars');\nconst Hapi = require('..');\nconst Hoek = require('@hapi/hoek');\nconst Inert = require('@hapi/inert');\nconst Lab = require('@hapi/lab');\nconst Teamwork = require('@hapi/teamwork');\nconst Vision = require('@hapi/vision');\nconst Wreck = require('@hapi/wreck');\n\nconst Common = require('./common');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('Core', () => {\n\n it('sets app settings defaults', () => {\n\n const server = Hapi.server();\n expect(server.settings.app).to.equal({});\n });\n\n it('sets app settings', () => {\n\n const server = Hapi.server({ app: { message: 'test defaults' } });\n expect(server.settings.app.message).to.equal('test defaults');\n });\n\n it('overrides mime settings', () => {\n\n const options = {\n mime: {\n override: {\n 'node/module': {\n source: 'steve',\n compressible: false,\n extensions: ['node', 'module', 'npm'],\n type: 'node/module'\n }\n }\n }\n };\n\n const server = Hapi.server(options);\n expect(server.mime.path('file.npm').type).to.equal('node/module');\n expect(server.mime.path('file.npm').source).to.equal('steve');\n });\n\n it('allows null port and host', () => {\n\n expect(() => {\n\n Hapi.server({ host: null, port: null });\n }).to.not.throw();\n });\n\n it('does not throw when given a default authentication strategy', () => {\n\n expect(() => {\n\n Hapi.server({ routes: { auth: 'test' } });\n }).not.to.throw();\n });\n\n it('throws when disabling autoListen and providing a port', () => {\n\n expect(() => {\n\n Hapi.server({ port: 80, autoListen: false });\n }).to.throw('Cannot specify port when autoListen is false');\n });\n\n it('throws when disabling autoListen and providing special host', () => {\n\n expect(() => {\n\n Hapi.server({ port: '/a/b/hapi-server.socket', autoListen: false });\n }).to.throw('Cannot specify port when autoListen is false');\n });\n\n it('defaults address to 0.0.0.0 or :: when no host is provided', async (flags) => {\n\n const server = Hapi.server();\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const expectedBoundAddress = Common.hasIPv6 ? '::' : '0.0.0.0';\n\n expect(server.info.address).to.equal(expectedBoundAddress);\n });\n\n it('is accessible on localhost when using default host', async (flags) => {\n // With hapi v20 this would fail on ipv6 machines on node v18+ due to DNS resolution changes in node (see nodejs/node#40537).\n // To address this in hapi v21 we bind to :: if available, otherwise the former default of 0.0.0.0.\n\n const server = Hapi.server();\n server.route({ method: 'get', path: '/', handler: () => 'ok' });\n\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const req = Http.get(`http://localhost:${server.info.port}`);\n const [res] = await Events.once(req, 'response');\n\n let result = '';\n for await (const chunk of res) {\n result += chunk.toString();\n }\n\n expect(result).to.equal('ok');\n });\n\n it('uses address when present instead of host', async (flags) => {\n\n const server = Hapi.server({ host: 'no.such.domain.hapi', address: 'localhost' });\n await server.start();\n flags.onCleanup = () => server.stop();\n\n expect(server.info.host).to.equal('no.such.domain.hapi');\n expect(server.info.address).to.match(/^127\\.0\\.0\\.1|::1$/); // ::1 on node v18 with ipv6 support\n });\n\n it('uses uri when present instead of host and port', async (flags) => {\n\n const server = Hapi.server({ host: 'no.such.domain.hapi', address: 'localhost', uri: 'http://uri.example.com:8080' });\n expect(server.info.uri).to.equal('http://uri.example.com:8080');\n await server.start();\n flags.onCleanup = () => server.stop();\n\n expect(server.info.host).to.equal('no.such.domain.hapi');\n expect(server.info.address).to.match(/^127\\.0\\.0\\.1|::1$/); // ::1 on node v18 with ipv6 support\n expect(server.info.uri).to.equal('http://uri.example.com:8080');\n });\n\n it('throws on uri ending with /', () => {\n\n expect(() => {\n\n Hapi.server({ uri: 'http://uri.example.com:8080/' });\n }).to.throw(/Invalid server options/);\n });\n\n it('creates a server listening on a unix domain socket', { skip: process.platform === 'win32' }, async () => {\n\n const port = Path.join(__dirname, 'hapi-server.socket');\n\n if (Fs.existsSync(port)) {\n Fs.unlinkSync(port);\n }\n\n const server = Hapi.server({ port });\n\n expect(server.type).to.equal('socket');\n\n await server.start();\n const absSocketPath = Path.resolve(port);\n expect(server.info.port).to.equal(absSocketPath);\n await server.stop();\n\n if (Fs.existsSync(port)) {\n Fs.unlinkSync(port);\n }\n });\n\n it('creates a server listening on a windows named pipe', async () => {\n\n const port = '\\\\\\\\.\\\\pipe\\\\6653e55f-26ec-4268-a4f2-882f4089315c';\n const server = Hapi.server({ port });\n\n expect(server.type).to.equal('socket');\n\n await server.start();\n expect(server.info.port).to.equal(port);\n await server.stop();\n });\n\n it('creates an https server when passed tls options', () => {\n\n const tlsOptions = {\n key: '-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEA0UqyXDCqWDKpoNQQK/fdr0OkG4gW6DUafxdufH9GmkX/zoKz\\ng/SFLrPipzSGINKWtyMvo7mPjXqqVgE10LDI3VFV8IR6fnART+AF8CW5HMBPGt/s\\nfQW4W4puvBHkBxWSW1EvbecgNEIS9hTGvHXkFzm4xJ2e9DHp2xoVAjREC73B7JbF\\nhc5ZGGchKw+CFmAiNysU0DmBgQcac0eg2pWoT+YGmTeQj6sRXO67n2xy/hA1DuN6\\nA4WBK3wM3O4BnTG0dNbWUEbe7yAbV5gEyq57GhJIeYxRvveVDaX90LoAqM4cUH06\\n6rciON0UbDHV2LP/JaH5jzBjUyCnKLLo5snlbwIDAQABAoIBAQDJm7YC3pJJUcxb\\nc8x8PlHbUkJUjxzZ5MW4Zb71yLkfRYzsxrTcyQA+g+QzA4KtPY8XrZpnkgm51M8e\\n+B16AcIMiBxMC6HgCF503i16LyyJiKrrDYfGy2rTK6AOJQHO3TXWJ3eT3BAGpxuS\\n12K2Cq6EvQLCy79iJm7Ks+5G6EggMZPfCVdEhffRm2Epl4T7LpIAqWiUDcDfS05n\\nNNfAGxxvALPn+D+kzcSF6hpmCVrFVTf9ouhvnr+0DpIIVPwSK/REAF3Ux5SQvFuL\\njPmh3bGwfRtcC5d21QNrHdoBVSN2UBLmbHUpBUcOBI8FyivAWJhRfKnhTvXMFG8L\\nwaXB51IZAoGBAP/E3uz6zCyN7l2j09wmbyNOi1AKvr1WSmuBJveITouwblnRSdvc\\nsYm4YYE0Vb94AG4n7JIfZLKtTN0xvnCo8tYjrdwMJyGfEfMGCQQ9MpOBXAkVVZvP\\ne2k4zHNNsfvSc38UNSt7K0HkVuH5BkRBQeskcsyMeu0qK4wQwdtiCoBDAoGBANF7\\nFMppYxSW4ir7Jvkh0P8bP/Z7AtaSmkX7iMmUYT+gMFB5EKqFTQjNQgSJxS/uHVDE\\nSC5co8WGHnRk7YH2Pp+Ty1fHfXNWyoOOzNEWvg6CFeMHW2o+/qZd4Z5Fep6qCLaa\\nFvzWWC2S5YslEaaP8DQ74aAX4o+/TECrxi0z2lllAoGAdRB6qCSyRsI/k4Rkd6Lv\\nw00z3lLMsoRIU6QtXaZ5rN335Awyrfr5F3vYxPZbOOOH7uM/GDJeOJmxUJxv+cia\\nPQDflpPJZU4VPRJKFjKcb38JzO6C3Gm+po5kpXGuQQA19LgfDeO2DNaiHZOJFrx3\\nm1R3Zr/1k491lwokcHETNVkCgYBPLjrZl6Q/8BhlLrG4kbOx+dbfj/euq5NsyHsX\\n1uI7bo1Una5TBjfsD8nYdUr3pwWltcui2pl83Ak+7bdo3G8nWnIOJ/WfVzsNJzj7\\n/6CvUzR6sBk5u739nJbfgFutBZBtlSkDQPHrqA7j3Ysibl3ZIJlULjMRKrnj6Ans\\npCDwkQKBgQCM7gu3p7veYwCZaxqDMz5/GGFUB1My7sK0hcT7/oH61yw3O8pOekee\\nuctI1R3NOudn1cs5TAy/aypgLDYTUGQTiBRILeMiZnOrvQQB9cEf7TFgDoRNCcDs\\nV/ZWiegVB/WY7H0BkCekuq5bHwjgtJTpvHGqQ9YD7RhE8RSYOhdQ/Q==\\n-----END RSA PRIVATE KEY-----\\n',\n cert: '-----BEGIN CERTIFICATE-----\\nMIIDBjCCAe4CCQDvLNml6smHlTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJV\\nUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\\ncyBQdHkgTHRkMB4XDTE0MDEyNTIxMjIxOFoXDTE1MDEyNTIxMjIxOFowRTELMAkG\\nA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\\nIFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\\nANFKslwwqlgyqaDUECv33a9DpBuIFug1Gn8Xbnx/RppF/86Cs4P0hS6z4qc0hiDS\\nlrcjL6O5j416qlYBNdCwyN1RVfCEen5wEU/gBfAluRzATxrf7H0FuFuKbrwR5AcV\\nkltRL23nIDRCEvYUxrx15Bc5uMSdnvQx6dsaFQI0RAu9weyWxYXOWRhnISsPghZg\\nIjcrFNA5gYEHGnNHoNqVqE/mBpk3kI+rEVzuu59scv4QNQ7jegOFgSt8DNzuAZ0x\\ntHTW1lBG3u8gG1eYBMquexoSSHmMUb73lQ2l/dC6AKjOHFB9Ouq3IjjdFGwx1diz\\n/yWh+Y8wY1Mgpyiy6ObJ5W8CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAoSc6Skb4\\ng1e0ZqPKXBV2qbx7hlqIyYpubCl1rDiEdVzqYYZEwmst36fJRRrVaFuAM/1DYAmT\\nWMhU+yTfA+vCS4tql9b9zUhPw/IDHpBDWyR01spoZFBF/hE1MGNpCSXXsAbmCiVf\\naxrIgR2DNketbDxkQx671KwF1+1JOMo9ffXp+OhuRo5NaGIxhTsZ+f/MA4y084Aj\\nDI39av50sTRTWWShlN+J7PtdQVA5SZD97oYbeUeL7gI18kAJww9eUdmT0nEjcwKs\\nxsQT1fyKbo7AlZBY4KSlUMuGnn0VnAsB9b+LxtXlDfnjyM8bVQx1uAfRo0DO8p/5\\n3J5DTjAU55deBQ==\\n-----END CERTIFICATE-----\\n'\n };\n\n const server = Hapi.server({ tls: tlsOptions });\n expect(server.listener instanceof Https.Server).to.equal(true);\n });\n\n it('uses a provided listener', async () => {\n\n const listener = Http.createServer();\n const server = Hapi.server({ listener });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n await server.start();\n const { payload } = await Wreck.get('http://localhost:' + server.info.port + '/');\n expect(payload.toString()).to.equal('ok');\n await server.stop();\n });\n\n it('uses a provided listener (TLS)', async () => {\n\n const listener = Http.createServer();\n const server = Hapi.server({ listener, tls: true });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n await server.start();\n expect(server.info.protocol).to.equal('https');\n await server.stop();\n });\n\n it('uses a provided listener with manual listen', async () => {\n\n const listener = Http.createServer();\n const server = Hapi.server({ listener, autoListen: false });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const listen = () => {\n\n return new Promise((resolve) => listener.listen(0, 'localhost', resolve));\n };\n\n await listen();\n await server.start();\n const { payload } = await Wreck.get('http://localhost:' + server.info.port + '/');\n expect(payload.toString()).to.equal('ok');\n await server.stop();\n });\n\n it('sets info.uri with default localhost when no hostname', () => {\n\n const orig = Os.hostname;\n Os.hostname = function () {\n\n Os.hostname = orig;\n return '';\n };\n\n const server = Hapi.server({ port: 80 });\n expect(server.info.uri).to.equal('http://localhost:80');\n });\n\n it('sets info.uri without port when 0', () => {\n\n const server = Hapi.server({ host: 'example.com' });\n expect(server.info.uri).to.equal('http://example.com');\n });\n\n it('closes connection on socket timeout', async () => {\n\n const server = Hapi.server({ routes: { timeout: { socket: 50 }, payload: { timeout: 45 } } });\n server.route({\n method: 'GET', path: '/', options: {\n handler: async (request) => {\n\n await Hoek.wait(70);\n return 'too late';\n }\n }\n });\n\n await server.start();\n try {\n await Wreck.request('GET', 'http://localhost:' + server.info.port + '/');\n }\n catch (err) {\n expect(err.message).to.equal('Client request error: socket hang up');\n }\n\n await server.stop();\n });\n\n it('disables node socket timeout', async () => {\n\n const server = Hapi.server({ routes: { timeout: { socket: false } } });\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n await server.start();\n\n let timeout;\n const orig = Net.Socket.prototype.setTimeout;\n Net.Socket.prototype.setTimeout = function (...args) {\n\n timeout = 'gotcha';\n Net.Socket.prototype.setTimeout = orig;\n return orig.apply(this, args);\n };\n\n const res = await Wreck.request('GET', 'http://localhost:' + server.info.port + '/');\n await Wreck.read(res);\n expect(timeout).to.equal('gotcha');\n await server.stop();\n });\n\n it('throws on invalid config', () => {\n\n expect(() => {\n\n Hapi.server({ something: false });\n }).to.throw(/Invalid server options/);\n });\n\n it('combines configuration from server and defaults (cors)', () => {\n\n const server = Hapi.server({ routes: { cors: { origin: ['example.com'] } } });\n expect(server.settings.routes.cors.origin).to.equal(['example.com']);\n });\n\n it('combines configuration from server and defaults (security)', () => {\n\n const server = Hapi.server({ routes: { security: { hsts: 2, xss: false } } });\n expect(server.settings.routes.security.hsts).to.equal(2);\n expect(server.settings.routes.security.xss).to.be.false();\n expect(server.settings.routes.security.xframe).to.equal('deny');\n expect(server.settings.routes.security.referrer).to.equal(false);\n });\n\n describe('_debug()', () => {\n\n it('outputs 500 on ext exception', async () => {\n\n const server = Hapi.server();\n\n const ext = async (request) => {\n\n await Hoek.wait(0);\n const not = null;\n not.here;\n };\n\n server.ext('onPreHandler', ext);\n server.route({ method: 'GET', path: '/', handler: () => null });\n const log = server.events.once({ name: 'request', channels: 'error' });\n\n const orig = console.error;\n console.error = function (...args) {\n\n console.error = orig;\n expect(args[0]).to.equal('Debug:');\n expect(args[1]).to.equal('internal, implementation, error');\n };\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n\n const [, event] = await log;\n expect(event.error.message).to.include(['Cannot read prop', 'null', 'here']);\n });\n });\n\n describe('_createCache()', () => {\n\n it('provisions cache using engine instance', async () => {\n\n // Config provision\n\n const engine = new CatboxMemory();\n const server = Hapi.server({ cache: { engine, name: 'test1' } });\n expect(server._core.caches.get('test1').client.connection).to.shallow.equal(engine);\n\n // Active provision\n\n await server.cache.provision({ engine, name: 'test2' });\n expect(server._core.caches.get('test2').client.connection).to.shallow.equal(engine);\n\n // Active provision but indirect constructor\n\n const Provider = function (options) {\n\n this.settings = options;\n };\n\n const ref = {};\n await server.cache.provision({ provider: { constructor: Provider, options: { ref } }, name: 'test3' });\n expect(server._core.caches.get('test3').client.connection.settings.ref).to.shallow.equal(ref);\n });\n });\n\n describe('start()', () => {\n\n it('starts and stops', async () => {\n\n const server = Hapi.server();\n\n let started = 0;\n let stopped = 0;\n\n server.events.on('start', () => {\n\n ++started;\n });\n\n server.events.on('stop', () => {\n\n ++stopped;\n });\n\n await server.start();\n expect(server._core.started).to.equal(true);\n\n await server.stop();\n expect(server._core.started).to.equal(false);\n expect(started).to.equal(1);\n expect(stopped).to.equal(1);\n });\n\n it('initializes, starts, and stops', async () => {\n\n const server = Hapi.server();\n\n let started = 0;\n let stopped = 0;\n\n server.events.on('start', () => {\n\n ++started;\n });\n\n server.events.on('stop', () => {\n\n ++stopped;\n });\n\n await server.initialize();\n await server.start();\n expect(server._core.started).to.equal(true);\n\n await server.stop();\n expect(server._core.started).to.equal(false);\n expect(started).to.equal(1);\n expect(stopped).to.equal(1);\n });\n\n it('does not re-initialize the server', async () => {\n\n const server = Hapi.server();\n await server.initialize();\n await server.initialize();\n });\n\n it('returns connection start error', async () => {\n\n const server1 = Hapi.server();\n await server1.start();\n const port = server1.info.port;\n\n const server2 = Hapi.server({ port });\n await expect(server2.start()).to.reject(/EADDRINUSE/);\n\n await server1.stop();\n });\n\n it('returns onPostStart error', async () => {\n\n const server = Hapi.server();\n\n const postStart = function (srv) {\n\n throw new Error('boom');\n };\n\n server.ext('onPostStart', postStart);\n\n await expect(server.start()).to.reject('boom');\n await server.stop();\n expect(server.info.started).to.equal(0);\n });\n\n it('errors on bad cache start', async () => {\n\n const cache = {\n engine: {\n start: function () {\n\n throw new Error('oops');\n },\n stop: function () { }\n }\n };\n\n const server = Hapi.server({ cache });\n await expect(server.start()).to.reject('oops');\n });\n\n it('fails to start server when registration incomplete', async () => {\n\n const plugin = {\n name: 'plugin',\n register: Hoek.ignore\n };\n\n const server = Hapi.server();\n server.register(plugin);\n await expect(server.start()).to.reject('Cannot start server before plugins finished registration');\n });\n\n it('fails to initialize server when not stopped', async () => {\n\n const plugin = function () { };\n plugin.attributes = { name: 'plugin' };\n\n const server = Hapi.server();\n await server.start();\n await expect(server.initialize()).to.reject('Cannot initialize server while it is in started phase');\n await server.stop();\n });\n\n it('fails to start server when starting', async () => {\n\n const plugin = function () { };\n plugin.attributes = { name: 'plugin' };\n\n const server = Hapi.server();\n const starting = server.start();\n await expect(server.start()).to.reject('Cannot start server while it is in initializing phase');\n await starting;\n await server.stop();\n });\n });\n\n describe('stop()', () => {\n\n it('stops the cache', async () => {\n\n const server = Hapi.server();\n const cache = server.cache({ segment: 'test', expiresIn: 1000 });\n await server.initialize();\n\n await cache.set('a', 'going in', 0);\n const value = await cache.get('a');\n expect(value).to.equal('going in');\n await server.stop();\n await expect(cache.get('a')).to.reject();\n });\n\n it('returns an extension error (onPreStop)', async () => {\n\n const server = Hapi.server();\n const preStop = function (srv) {\n\n throw new Error('failed cleanup');\n };\n\n server.ext('onPreStop', preStop);\n\n await server.start();\n await expect(server.stop()).to.reject('failed cleanup');\n });\n\n it('returns an extension error (onPostStop)', async () => {\n\n const server = Hapi.server();\n\n const postStop = function (srv) {\n\n throw new Error('failed cleanup');\n };\n\n server.ext('onPostStop', postStop);\n\n await server.start();\n await expect(server.stop()).to.reject('failed cleanup');\n });\n\n it('returns an extension timeout (onPreStop)', async () => {\n\n const server = Hapi.server();\n const preStop = function (srv) {\n\n return Hoek.block();\n };\n\n server.ext('onPreStop', preStop, { timeout: 100 });\n\n await server.start();\n await expect(server.stop()).to.reject('onPreStop timed out');\n });\n\n it('errors when stopping a stopping server', async () => {\n\n const server = Hapi.server();\n\n const stopping = server.stop();\n await expect(server.stop()).to.reject('Cannot stop server while in stopping phase');\n await stopping;\n });\n\n it('errors on bad cache stop', async () => {\n\n const cache = {\n engine: {\n start: function () { },\n stop: function () {\n\n throw new Error('oops');\n }\n }\n };\n\n const server = Hapi.server({ cache });\n await server.start();\n await expect(server.stop()).to.reject('oops');\n });\n });\n\n describe('_init()', () => {\n\n it('clears connections on close (HTTP)', async () => {\n\n const server = Hapi.server();\n\n let count = 0;\n server.route({\n method: 'GET',\n path: '/',\n handler: (request, h) => {\n\n ++count;\n return h.abandon;\n }\n });\n\n await server.start();\n const promise = Wreck.request('GET', `http://localhost:${server.info.port}/`, { rejectUnauthorized: false });\n\n await Hoek.wait(50);\n const count1 = await internals.countConnections(server);\n expect(count1).to.equal(1);\n expect(server._core.sockets.size).to.equal(1);\n expect(count).to.equal(1);\n\n promise.req.destroy();\n await expect(promise).to.reject();\n\n await Hoek.wait(50);\n const count2 = await internals.countConnections(server);\n expect(count2).to.equal(0);\n expect(server._core.sockets.size).to.equal(0);\n expect(count).to.equal(1);\n await server.stop();\n });\n\n it('clears connections on close (HTTPS)', async () => {\n\n const tlsOptions = {\n key: '-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEA0UqyXDCqWDKpoNQQK/fdr0OkG4gW6DUafxdufH9GmkX/zoKz\\ng/SFLrPipzSGINKWtyMvo7mPjXqqVgE10LDI3VFV8IR6fnART+AF8CW5HMBPGt/s\\nfQW4W4puvBHkBxWSW1EvbecgNEIS9hTGvHXkFzm4xJ2e9DHp2xoVAjREC73B7JbF\\nhc5ZGGchKw+CFmAiNysU0DmBgQcac0eg2pWoT+YGmTeQj6sRXO67n2xy/hA1DuN6\\nA4WBK3wM3O4BnTG0dNbWUEbe7yAbV5gEyq57GhJIeYxRvveVDaX90LoAqM4cUH06\\n6rciON0UbDHV2LP/JaH5jzBjUyCnKLLo5snlbwIDAQABAoIBAQDJm7YC3pJJUcxb\\nc8x8PlHbUkJUjxzZ5MW4Zb71yLkfRYzsxrTcyQA+g+QzA4KtPY8XrZpnkgm51M8e\\n+B16AcIMiBxMC6HgCF503i16LyyJiKrrDYfGy2rTK6AOJQHO3TXWJ3eT3BAGpxuS\\n12K2Cq6EvQLCy79iJm7Ks+5G6EggMZPfCVdEhffRm2Epl4T7LpIAqWiUDcDfS05n\\nNNfAGxxvALPn+D+kzcSF6hpmCVrFVTf9ouhvnr+0DpIIVPwSK/REAF3Ux5SQvFuL\\njPmh3bGwfRtcC5d21QNrHdoBVSN2UBLmbHUpBUcOBI8FyivAWJhRfKnhTvXMFG8L\\nwaXB51IZAoGBAP/E3uz6zCyN7l2j09wmbyNOi1AKvr1WSmuBJveITouwblnRSdvc\\nsYm4YYE0Vb94AG4n7JIfZLKtTN0xvnCo8tYjrdwMJyGfEfMGCQQ9MpOBXAkVVZvP\\ne2k4zHNNsfvSc38UNSt7K0HkVuH5BkRBQeskcsyMeu0qK4wQwdtiCoBDAoGBANF7\\nFMppYxSW4ir7Jvkh0P8bP/Z7AtaSmkX7iMmUYT+gMFB5EKqFTQjNQgSJxS/uHVDE\\nSC5co8WGHnRk7YH2Pp+Ty1fHfXNWyoOOzNEWvg6CFeMHW2o+/qZd4Z5Fep6qCLaa\\nFvzWWC2S5YslEaaP8DQ74aAX4o+/TECrxi0z2lllAoGAdRB6qCSyRsI/k4Rkd6Lv\\nw00z3lLMsoRIU6QtXaZ5rN335Awyrfr5F3vYxPZbOOOH7uM/GDJeOJmxUJxv+cia\\nPQDflpPJZU4VPRJKFjKcb38JzO6C3Gm+po5kpXGuQQA19LgfDeO2DNaiHZOJFrx3\\nm1R3Zr/1k491lwokcHETNVkCgYBPLjrZl6Q/8BhlLrG4kbOx+dbfj/euq5NsyHsX\\n1uI7bo1Una5TBjfsD8nYdUr3pwWltcui2pl83Ak+7bdo3G8nWnIOJ/WfVzsNJzj7\\n/6CvUzR6sBk5u739nJbfgFutBZBtlSkDQPHrqA7j3Ysibl3ZIJlULjMRKrnj6Ans\\npCDwkQKBgQCM7gu3p7veYwCZaxqDMz5/GGFUB1My7sK0hcT7/oH61yw3O8pOekee\\nuctI1R3NOudn1cs5TAy/aypgLDYTUGQTiBRILeMiZnOrvQQB9cEf7TFgDoRNCcDs\\nV/ZWiegVB/WY7H0BkCekuq5bHwjgtJTpvHGqQ9YD7RhE8RSYOhdQ/Q==\\n-----END RSA PRIVATE KEY-----\\n',\n cert: '-----BEGIN CERTIFICATE-----\\nMIIDBjCCAe4CCQDvLNml6smHlTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJV\\nUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\\ncyBQdHkgTHRkMB4XDTE0MDEyNTIxMjIxOFoXDTE1MDEyNTIxMjIxOFowRTELMAkG\\nA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\\nIFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\\nANFKslwwqlgyqaDUECv33a9DpBuIFug1Gn8Xbnx/RppF/86Cs4P0hS6z4qc0hiDS\\nlrcjL6O5j416qlYBNdCwyN1RVfCEen5wEU/gBfAluRzATxrf7H0FuFuKbrwR5AcV\\nkltRL23nIDRCEvYUxrx15Bc5uMSdnvQx6dsaFQI0RAu9weyWxYXOWRhnISsPghZg\\nIjcrFNA5gYEHGnNHoNqVqE/mBpk3kI+rEVzuu59scv4QNQ7jegOFgSt8DNzuAZ0x\\ntHTW1lBG3u8gG1eYBMquexoSSHmMUb73lQ2l/dC6AKjOHFB9Ouq3IjjdFGwx1diz\\n/yWh+Y8wY1Mgpyiy6ObJ5W8CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAoSc6Skb4\\ng1e0ZqPKXBV2qbx7hlqIyYpubCl1rDiEdVzqYYZEwmst36fJRRrVaFuAM/1DYAmT\\nWMhU+yTfA+vCS4tql9b9zUhPw/IDHpBDWyR01spoZFBF/hE1MGNpCSXXsAbmCiVf\\naxrIgR2DNketbDxkQx671KwF1+1JOMo9ffXp+OhuRo5NaGIxhTsZ+f/MA4y084Aj\\nDI39av50sTRTWWShlN+J7PtdQVA5SZD97oYbeUeL7gI18kAJww9eUdmT0nEjcwKs\\nxsQT1fyKbo7AlZBY4KSlUMuGnn0VnAsB9b+LxtXlDfnjyM8bVQx1uAfRo0DO8p/5\\n3J5DTjAU55deBQ==\\n-----END CERTIFICATE-----\\n'\n };\n\n const server = Hapi.server({ tls: tlsOptions });\n\n let count = 0;\n server.route({\n method: 'GET',\n path: '/',\n handler: (request, h) => {\n\n ++count;\n return h.abandon;\n }\n });\n\n await server.start();\n const promise = Wreck.request('GET', `https://localhost:${server.info.port}/`, { rejectUnauthorized: false });\n\n await Hoek.wait(100);\n const count1 = await internals.countConnections(server);\n expect(count1).to.equal(1);\n expect(server._core.sockets.size).to.equal(1);\n expect(count).to.equal(1);\n\n promise.req.destroy();\n await expect(promise).to.reject();\n\n await Hoek.wait(50);\n const count2 = await internals.countConnections(server);\n expect(count2).to.equal(0);\n expect(server._core.sockets.size).to.equal(0);\n expect(count).to.equal(1);\n await server.stop();\n });\n });\n\n describe('_start()', () => {\n\n it('starts connection', async () => {\n\n const server = Hapi.server();\n await server.start();\n let expectedBoundAddress = '0.0.0.0';\n if (Net.isIPv6(server.listener.address().address)) {\n expectedBoundAddress = '::';\n }\n\n expect(server.info.host).to.equal(Os.hostname());\n expect(server.info.address).to.equal(expectedBoundAddress);\n expect(server.info.port).to.be.a.number().and.above(1);\n await server.stop();\n });\n\n it('starts connection (tls)', async () => {\n\n const tlsOptions = {\n key: '-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEA0UqyXDCqWDKpoNQQK/fdr0OkG4gW6DUafxdufH9GmkX/zoKz\\ng/SFLrPipzSGINKWtyMvo7mPjXqqVgE10LDI3VFV8IR6fnART+AF8CW5HMBPGt/s\\nfQW4W4puvBHkBxWSW1EvbecgNEIS9hTGvHXkFzm4xJ2e9DHp2xoVAjREC73B7JbF\\nhc5ZGGchKw+CFmAiNysU0DmBgQcac0eg2pWoT+YGmTeQj6sRXO67n2xy/hA1DuN6\\nA4WBK3wM3O4BnTG0dNbWUEbe7yAbV5gEyq57GhJIeYxRvveVDaX90LoAqM4cUH06\\n6rciON0UbDHV2LP/JaH5jzBjUyCnKLLo5snlbwIDAQABAoIBAQDJm7YC3pJJUcxb\\nc8x8PlHbUkJUjxzZ5MW4Zb71yLkfRYzsxrTcyQA+g+QzA4KtPY8XrZpnkgm51M8e\\n+B16AcIMiBxMC6HgCF503i16LyyJiKrrDYfGy2rTK6AOJQHO3TXWJ3eT3BAGpxuS\\n12K2Cq6EvQLCy79iJm7Ks+5G6EggMZPfCVdEhffRm2Epl4T7LpIAqWiUDcDfS05n\\nNNfAGxxvALPn+D+kzcSF6hpmCVrFVTf9ouhvnr+0DpIIVPwSK/REAF3Ux5SQvFuL\\njPmh3bGwfRtcC5d21QNrHdoBVSN2UBLmbHUpBUcOBI8FyivAWJhRfKnhTvXMFG8L\\nwaXB51IZAoGBAP/E3uz6zCyN7l2j09wmbyNOi1AKvr1WSmuBJveITouwblnRSdvc\\nsYm4YYE0Vb94AG4n7JIfZLKtTN0xvnCo8tYjrdwMJyGfEfMGCQQ9MpOBXAkVVZvP\\ne2k4zHNNsfvSc38UNSt7K0HkVuH5BkRBQeskcsyMeu0qK4wQwdtiCoBDAoGBANF7\\nFMppYxSW4ir7Jvkh0P8bP/Z7AtaSmkX7iMmUYT+gMFB5EKqFTQjNQgSJxS/uHVDE\\nSC5co8WGHnRk7YH2Pp+Ty1fHfXNWyoOOzNEWvg6CFeMHW2o+/qZd4Z5Fep6qCLaa\\nFvzWWC2S5YslEaaP8DQ74aAX4o+/TECrxi0z2lllAoGAdRB6qCSyRsI/k4Rkd6Lv\\nw00z3lLMsoRIU6QtXaZ5rN335Awyrfr5F3vYxPZbOOOH7uM/GDJeOJmxUJxv+cia\\nPQDflpPJZU4VPRJKFjKcb38JzO6C3Gm+po5kpXGuQQA19LgfDeO2DNaiHZOJFrx3\\nm1R3Zr/1k491lwokcHETNVkCgYBPLjrZl6Q/8BhlLrG4kbOx+dbfj/euq5NsyHsX\\n1uI7bo1Una5TBjfsD8nYdUr3pwWltcui2pl83Ak+7bdo3G8nWnIOJ/WfVzsNJzj7\\n/6CvUzR6sBk5u739nJbfgFutBZBtlSkDQPHrqA7j3Ysibl3ZIJlULjMRKrnj6Ans\\npCDwkQKBgQCM7gu3p7veYwCZaxqDMz5/GGFUB1My7sK0hcT7/oH61yw3O8pOekee\\nuctI1R3NOudn1cs5TAy/aypgLDYTUGQTiBRILeMiZnOrvQQB9cEf7TFgDoRNCcDs\\nV/ZWiegVB/WY7H0BkCekuq5bHwjgtJTpvHGqQ9YD7RhE8RSYOhdQ/Q==\\n-----END RSA PRIVATE KEY-----\\n',\n cert: '-----BEGIN CERTIFICATE-----\\nMIIDBjCCAe4CCQDvLNml6smHlTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJV\\nUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\\ncyBQdHkgTHRkMB4XDTE0MDEyNTIxMjIxOFoXDTE1MDEyNTIxMjIxOFowRTELMAkG\\nA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\\nIFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\\nANFKslwwqlgyqaDUECv33a9DpBuIFug1Gn8Xbnx/RppF/86Cs4P0hS6z4qc0hiDS\\nlrcjL6O5j416qlYBNdCwyN1RVfCEen5wEU/gBfAluRzATxrf7H0FuFuKbrwR5AcV\\nkltRL23nIDRCEvYUxrx15Bc5uMSdnvQx6dsaFQI0RAu9weyWxYXOWRhnISsPghZg\\nIjcrFNA5gYEHGnNHoNqVqE/mBpk3kI+rEVzuu59scv4QNQ7jegOFgSt8DNzuAZ0x\\ntHTW1lBG3u8gG1eYBMquexoSSHmMUb73lQ2l/dC6AKjOHFB9Ouq3IjjdFGwx1diz\\n/yWh+Y8wY1Mgpyiy6ObJ5W8CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAoSc6Skb4\\ng1e0ZqPKXBV2qbx7hlqIyYpubCl1rDiEdVzqYYZEwmst36fJRRrVaFuAM/1DYAmT\\nWMhU+yTfA+vCS4tql9b9zUhPw/IDHpBDWyR01spoZFBF/hE1MGNpCSXXsAbmCiVf\\naxrIgR2DNketbDxkQx671KwF1+1JOMo9ffXp+OhuRo5NaGIxhTsZ+f/MA4y084Aj\\nDI39av50sTRTWWShlN+J7PtdQVA5SZD97oYbeUeL7gI18kAJww9eUdmT0nEjcwKs\\nxsQT1fyKbo7AlZBY4KSlUMuGnn0VnAsB9b+LxtXlDfnjyM8bVQx1uAfRo0DO8p/5\\n3J5DTjAU55deBQ==\\n-----END CERTIFICATE-----\\n'\n };\n\n const server = Hapi.server({ host: '0.0.0.0', port: 0, tls: tlsOptions });\n await server.start();\n expect(server.info.host).to.equal('0.0.0.0');\n expect(server.info.port).to.not.equal(0);\n await server.stop();\n });\n\n it('sets info with defaults when missing hostname and address', () => {\n\n const hostname = Os.hostname;\n Os.hostname = function () {\n\n Os.hostname = hostname;\n return '';\n };\n\n const server = Hapi.server({ port: '8000' });\n expect(server.info.host).to.equal('localhost');\n expect(server.info.uri).to.equal('http://localhost:8000');\n });\n\n it('ignored repeated calls', async () => {\n\n const server = Hapi.server();\n await server.start();\n await server.start();\n await server.stop();\n });\n });\n\n describe('_stop()', () => {\n\n it('waits to stop until all connections are closed (HTTP)', async () => {\n\n const server = Hapi.server();\n await server.start();\n\n const socket1 = await internals.socket(server);\n const socket2 = await internals.socket(server);\n\n await Hoek.wait(50);\n const count1 = await internals.countConnections(server);\n expect(count1).to.equal(2);\n expect(server._core.sockets.size).to.equal(2);\n\n const stop = server.stop();\n socket1.end();\n socket2.end();\n\n await stop;\n await Hoek.wait(10);\n\n const count2 = await internals.countConnections(server);\n expect(count2).to.equal(0);\n expect(server._core.sockets.size).to.equal(0);\n });\n\n it('waits to stop until all connections are closed (HTTPS)', async () => {\n\n const tlsOptions = {\n key: '-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEA0UqyXDCqWDKpoNQQK/fdr0OkG4gW6DUafxdufH9GmkX/zoKz\\ng/SFLrPipzSGINKWtyMvo7mPjXqqVgE10LDI3VFV8IR6fnART+AF8CW5HMBPGt/s\\nfQW4W4puvBHkBxWSW1EvbecgNEIS9hTGvHXkFzm4xJ2e9DHp2xoVAjREC73B7JbF\\nhc5ZGGchKw+CFmAiNysU0DmBgQcac0eg2pWoT+YGmTeQj6sRXO67n2xy/hA1DuN6\\nA4WBK3wM3O4BnTG0dNbWUEbe7yAbV5gEyq57GhJIeYxRvveVDaX90LoAqM4cUH06\\n6rciON0UbDHV2LP/JaH5jzBjUyCnKLLo5snlbwIDAQABAoIBAQDJm7YC3pJJUcxb\\nc8x8PlHbUkJUjxzZ5MW4Zb71yLkfRYzsxrTcyQA+g+QzA4KtPY8XrZpnkgm51M8e\\n+B16AcIMiBxMC6HgCF503i16LyyJiKrrDYfGy2rTK6AOJQHO3TXWJ3eT3BAGpxuS\\n12K2Cq6EvQLCy79iJm7Ks+5G6EggMZPfCVdEhffRm2Epl4T7LpIAqWiUDcDfS05n\\nNNfAGxxvALPn+D+kzcSF6hpmCVrFVTf9ouhvnr+0DpIIVPwSK/REAF3Ux5SQvFuL\\njPmh3bGwfRtcC5d21QNrHdoBVSN2UBLmbHUpBUcOBI8FyivAWJhRfKnhTvXMFG8L\\nwaXB51IZAoGBAP/E3uz6zCyN7l2j09wmbyNOi1AKvr1WSmuBJveITouwblnRSdvc\\nsYm4YYE0Vb94AG4n7JIfZLKtTN0xvnCo8tYjrdwMJyGfEfMGCQQ9MpOBXAkVVZvP\\ne2k4zHNNsfvSc38UNSt7K0HkVuH5BkRBQeskcsyMeu0qK4wQwdtiCoBDAoGBANF7\\nFMppYxSW4ir7Jvkh0P8bP/Z7AtaSmkX7iMmUYT+gMFB5EKqFTQjNQgSJxS/uHVDE\\nSC5co8WGHnRk7YH2Pp+Ty1fHfXNWyoOOzNEWvg6CFeMHW2o+/qZd4Z5Fep6qCLaa\\nFvzWWC2S5YslEaaP8DQ74aAX4o+/TECrxi0z2lllAoGAdRB6qCSyRsI/k4Rkd6Lv\\nw00z3lLMsoRIU6QtXaZ5rN335Awyrfr5F3vYxPZbOOOH7uM/GDJeOJmxUJxv+cia\\nPQDflpPJZU4VPRJKFjKcb38JzO6C3Gm+po5kpXGuQQA19LgfDeO2DNaiHZOJFrx3\\nm1R3Zr/1k491lwokcHETNVkCgYBPLjrZl6Q/8BhlLrG4kbOx+dbfj/euq5NsyHsX\\n1uI7bo1Una5TBjfsD8nYdUr3pwWltcui2pl83Ak+7bdo3G8nWnIOJ/WfVzsNJzj7\\n/6CvUzR6sBk5u739nJbfgFutBZBtlSkDQPHrqA7j3Ysibl3ZIJlULjMRKrnj6Ans\\npCDwkQKBgQCM7gu3p7veYwCZaxqDMz5/GGFUB1My7sK0hcT7/oH61yw3O8pOekee\\nuctI1R3NOudn1cs5TAy/aypgLDYTUGQTiBRILeMiZnOrvQQB9cEf7TFgDoRNCcDs\\nV/ZWiegVB/WY7H0BkCekuq5bHwjgtJTpvHGqQ9YD7RhE8RSYOhdQ/Q==\\n-----END RSA PRIVATE KEY-----\\n',\n cert: '-----BEGIN CERTIFICATE-----\\nMIIDBjCCAe4CCQDvLNml6smHlTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJV\\nUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\\ncyBQdHkgTHRkMB4XDTE0MDEyNTIxMjIxOFoXDTE1MDEyNTIxMjIxOFowRTELMAkG\\nA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\\nIFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\\nANFKslwwqlgyqaDUECv33a9DpBuIFug1Gn8Xbnx/RppF/86Cs4P0hS6z4qc0hiDS\\nlrcjL6O5j416qlYBNdCwyN1RVfCEen5wEU/gBfAluRzATxrf7H0FuFuKbrwR5AcV\\nkltRL23nIDRCEvYUxrx15Bc5uMSdnvQx6dsaFQI0RAu9weyWxYXOWRhnISsPghZg\\nIjcrFNA5gYEHGnNHoNqVqE/mBpk3kI+rEVzuu59scv4QNQ7jegOFgSt8DNzuAZ0x\\ntHTW1lBG3u8gG1eYBMquexoSSHmMUb73lQ2l/dC6AKjOHFB9Ouq3IjjdFGwx1diz\\n/yWh+Y8wY1Mgpyiy6ObJ5W8CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAoSc6Skb4\\ng1e0ZqPKXBV2qbx7hlqIyYpubCl1rDiEdVzqYYZEwmst36fJRRrVaFuAM/1DYAmT\\nWMhU+yTfA+vCS4tql9b9zUhPw/IDHpBDWyR01spoZFBF/hE1MGNpCSXXsAbmCiVf\\naxrIgR2DNketbDxkQx671KwF1+1JOMo9ffXp+OhuRo5NaGIxhTsZ+f/MA4y084Aj\\nDI39av50sTRTWWShlN+J7PtdQVA5SZD97oYbeUeL7gI18kAJww9eUdmT0nEjcwKs\\nxsQT1fyKbo7AlZBY4KSlUMuGnn0VnAsB9b+LxtXlDfnjyM8bVQx1uAfRo0DO8p/5\\n3J5DTjAU55deBQ==\\n-----END CERTIFICATE-----\\n'\n };\n\n const server = Hapi.server({ tls: tlsOptions });\n await server.start();\n\n const socket1 = await internals.socket(server, 'tls');\n const socket2 = await internals.socket(server, 'tls');\n\n await Hoek.wait(50);\n const count1 = await internals.countConnections(server);\n expect(count1).to.equal(2);\n expect(server._core.sockets.size).to.equal(2);\n\n const stop = server.stop();\n socket1.end();\n socket2.end();\n\n await stop;\n await Hoek.wait(10);\n\n const count2 = await internals.countConnections(server);\n expect(count2).to.equal(0);\n expect(server._core.sockets.size).to.equal(0);\n });\n\n it('immediately destroys unhandled connections', async () => {\n\n const server = Hapi.server();\n await server.start();\n\n await internals.socket(server);\n await internals.socket(server);\n\n await Hoek.wait(50);\n const count1 = await internals.countConnections(server);\n expect(count1).to.equal(2);\n\n const timer = new Hoek.Bench();\n await server.stop({ timeout: 100 });\n expect(timer.elapsed()).to.be.at.most(110);\n });\n\n it('waits to destroy handled connections until after the timeout', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.abandon });\n await server.start();\n\n const socket = await internals.socket(server);\n socket.write('GET / HTTP/1.0\\r\\nHost: test\\r\\n\\r\\n');\n await Hoek.wait(10);\n\n const count1 = await internals.countConnections(server);\n expect(count1).to.equal(1);\n\n const timer = new Hoek.Bench();\n await server.stop({ timeout: 20 });\n expect(timer.elapsed()).to.be.at.least(19);\n });\n\n it('waits to destroy connections if they close by themselves', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.abandon });\n await server.start();\n\n const socket = await internals.socket(server);\n socket.write('GET / HTTP/1.0\\r\\nHost: test\\r\\n\\r\\n');\n await Hoek.wait(10);\n\n const count1 = await internals.countConnections(server);\n expect(count1).to.equal(1);\n\n setTimeout(() => socket.end(), 100);\n\n const timer = new Hoek.Bench();\n await server.stop({ timeout: 400 });\n expect(timer.elapsed()).to.be.below(300);\n });\n\n it('immediately destroys idle keep-alive connections', { retry: true }, async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n await server.start();\n\n const socket = await internals.socket(server);\n socket.write('GET / HTTP/1.1\\r\\nHost: test\\r\\nConnection: Keep-Alive\\r\\n\\r\\n\\r\\n');\n await new Promise((resolve) => socket.on('data', resolve));\n\n const count = await internals.countConnections(server);\n expect(count).to.equal(1);\n\n const timer = new Hoek.Bench();\n await server.stop({ timeout: 20 });\n expect(timer.elapsed()).to.be.at.most(20);\n });\n\n it('waits to stop until connections close by themselves when cleanStop is disabled', async () => {\n\n const server = Hapi.server({ operations: { cleanStop: false } });\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.abandon });\n await server.start();\n\n const socket = await internals.socket(server);\n socket.write('GET / HTTP/1.0\\r\\nHost: test\\r\\n\\r\\n');\n await Hoek.wait(10);\n\n const count1 = await internals.countConnections(server);\n expect(count1).to.equal(1);\n\n setTimeout(() => socket.end(), 100);\n\n const stop = server.stop();\n\n await Hoek.wait(50);\n\n const count2 = await internals.countConnections(server);\n expect(count2).to.equal(1);\n\n await Hoek.wait(200);\n\n const count3 = await internals.countConnections(server);\n expect(count3).to.equal(0);\n\n await stop;\n });\n\n it('refuses to handle new incoming requests on persistent connections', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n await server.start();\n\n const agent = new Http.Agent({ keepAlive: true, maxSockets: 1 });\n const first = Wreck.get('http://localhost:' + server.info.port + '/', { agent });\n const second = Wreck.get('http://localhost:' + server.info.port + '/', { agent });\n\n const { res, payload } = await first;\n const stop = server.stop();\n\n const err = await expect(second).to.reject(Error);\n await stop;\n await Hoek.wait(10);\n\n expect(res.headers.connection).to.equal('keep-alive');\n expect(payload.toString()).to.equal('ok');\n expect(err.code).to.equal('ECONNRESET');\n expect(server._core.started).to.equal(false);\n });\n\n it('allows incoming requests during the stopping phase', async () => {\n\n const team = new Teamwork.Team();\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n server.ext('onPreStop', () => team.work);\n\n await server.start();\n const stop = server.stop();\n const { res, payload } = await Wreck.get(`http://localhost:${server.info.port}`);\n\n team.attend(); // Allow server to finalize stop\n await stop;\n\n expect(res.headers.connection).to.equal('close');\n expect(payload.toString()).to.equal('ok');\n expect(server._core.started).to.equal(false);\n });\n\n it('finishes in-progress requests and ends connection', async () => {\n\n let stop;\n const handler = async (request) => {\n\n stop = server.stop({ timeout: 200 });\n await Hoek.wait(0);\n return 'ok';\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n await server.start();\n\n const agent = new Http.Agent({ keepAlive: true, maxSockets: 1 });\n\n const first = Wreck.get('http://localhost:' + server.info.port + '/', { agent });\n const second = Wreck.get('http://localhost:' + server.info.port + '/404', { agent });\n\n const { res, payload } = await first;\n expect(res.headers.connection).to.equal('close');\n expect(payload.toString()).to.equal('ok');\n\n await expect(second).to.reject();\n await expect(stop).to.not.reject();\n });\n\n it('does not close longpoll HTTPS requests before response (if within timeout)', async () => {\n\n const tlsOptions = {\n key: '-----BEGIN RSA PRIVATE KEY-----\\nMIIEpAIBAAKCAQEA0UqyXDCqWDKpoNQQK/fdr0OkG4gW6DUafxdufH9GmkX/zoKz\\ng/SFLrPipzSGINKWtyMvo7mPjXqqVgE10LDI3VFV8IR6fnART+AF8CW5HMBPGt/s\\nfQW4W4puvBHkBxWSW1EvbecgNEIS9hTGvHXkFzm4xJ2e9DHp2xoVAjREC73B7JbF\\nhc5ZGGchKw+CFmAiNysU0DmBgQcac0eg2pWoT+YGmTeQj6sRXO67n2xy/hA1DuN6\\nA4WBK3wM3O4BnTG0dNbWUEbe7yAbV5gEyq57GhJIeYxRvveVDaX90LoAqM4cUH06\\n6rciON0UbDHV2LP/JaH5jzBjUyCnKLLo5snlbwIDAQABAoIBAQDJm7YC3pJJUcxb\\nc8x8PlHbUkJUjxzZ5MW4Zb71yLkfRYzsxrTcyQA+g+QzA4KtPY8XrZpnkgm51M8e\\n+B16AcIMiBxMC6HgCF503i16LyyJiKrrDYfGy2rTK6AOJQHO3TXWJ3eT3BAGpxuS\\n12K2Cq6EvQLCy79iJm7Ks+5G6EggMZPfCVdEhffRm2Epl4T7LpIAqWiUDcDfS05n\\nNNfAGxxvALPn+D+kzcSF6hpmCVrFVTf9ouhvnr+0DpIIVPwSK/REAF3Ux5SQvFuL\\njPmh3bGwfRtcC5d21QNrHdoBVSN2UBLmbHUpBUcOBI8FyivAWJhRfKnhTvXMFG8L\\nwaXB51IZAoGBAP/E3uz6zCyN7l2j09wmbyNOi1AKvr1WSmuBJveITouwblnRSdvc\\nsYm4YYE0Vb94AG4n7JIfZLKtTN0xvnCo8tYjrdwMJyGfEfMGCQQ9MpOBXAkVVZvP\\ne2k4zHNNsfvSc38UNSt7K0HkVuH5BkRBQeskcsyMeu0qK4wQwdtiCoBDAoGBANF7\\nFMppYxSW4ir7Jvkh0P8bP/Z7AtaSmkX7iMmUYT+gMFB5EKqFTQjNQgSJxS/uHVDE\\nSC5co8WGHnRk7YH2Pp+Ty1fHfXNWyoOOzNEWvg6CFeMHW2o+/qZd4Z5Fep6qCLaa\\nFvzWWC2S5YslEaaP8DQ74aAX4o+/TECrxi0z2lllAoGAdRB6qCSyRsI/k4Rkd6Lv\\nw00z3lLMsoRIU6QtXaZ5rN335Awyrfr5F3vYxPZbOOOH7uM/GDJeOJmxUJxv+cia\\nPQDflpPJZU4VPRJKFjKcb38JzO6C3Gm+po5kpXGuQQA19LgfDeO2DNaiHZOJFrx3\\nm1R3Zr/1k491lwokcHETNVkCgYBPLjrZl6Q/8BhlLrG4kbOx+dbfj/euq5NsyHsX\\n1uI7bo1Una5TBjfsD8nYdUr3pwWltcui2pl83Ak+7bdo3G8nWnIOJ/WfVzsNJzj7\\n/6CvUzR6sBk5u739nJbfgFutBZBtlSkDQPHrqA7j3Ysibl3ZIJlULjMRKrnj6Ans\\npCDwkQKBgQCM7gu3p7veYwCZaxqDMz5/GGFUB1My7sK0hcT7/oH61yw3O8pOekee\\nuctI1R3NOudn1cs5TAy/aypgLDYTUGQTiBRILeMiZnOrvQQB9cEf7TFgDoRNCcDs\\nV/ZWiegVB/WY7H0BkCekuq5bHwjgtJTpvHGqQ9YD7RhE8RSYOhdQ/Q==\\n-----END RSA PRIVATE KEY-----\\n',\n cert: '-----BEGIN CERTIFICATE-----\\nMIIDBjCCAe4CCQDvLNml6smHlTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJV\\nUzETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\\ncyBQdHkgTHRkMB4XDTE0MDEyNTIxMjIxOFoXDTE1MDEyNTIxMjIxOFowRTELMAkG\\nA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\\nIFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\\nANFKslwwqlgyqaDUECv33a9DpBuIFug1Gn8Xbnx/RppF/86Cs4P0hS6z4qc0hiDS\\nlrcjL6O5j416qlYBNdCwyN1RVfCEen5wEU/gBfAluRzATxrf7H0FuFuKbrwR5AcV\\nkltRL23nIDRCEvYUxrx15Bc5uMSdnvQx6dsaFQI0RAu9weyWxYXOWRhnISsPghZg\\nIjcrFNA5gYEHGnNHoNqVqE/mBpk3kI+rEVzuu59scv4QNQ7jegOFgSt8DNzuAZ0x\\ntHTW1lBG3u8gG1eYBMquexoSSHmMUb73lQ2l/dC6AKjOHFB9Ouq3IjjdFGwx1diz\\n/yWh+Y8wY1Mgpyiy6ObJ5W8CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAoSc6Skb4\\ng1e0ZqPKXBV2qbx7hlqIyYpubCl1rDiEdVzqYYZEwmst36fJRRrVaFuAM/1DYAmT\\nWMhU+yTfA+vCS4tql9b9zUhPw/IDHpBDWyR01spoZFBF/hE1MGNpCSXXsAbmCiVf\\naxrIgR2DNketbDxkQx671KwF1+1JOMo9ffXp+OhuRo5NaGIxhTsZ+f/MA4y084Aj\\nDI39av50sTRTWWShlN+J7PtdQVA5SZD97oYbeUeL7gI18kAJww9eUdmT0nEjcwKs\\nxsQT1fyKbo7AlZBY4KSlUMuGnn0VnAsB9b+LxtXlDfnjyM8bVQx1uAfRo0DO8p/5\\n3J5DTjAU55deBQ==\\n-----END CERTIFICATE-----\\n'\n };\n\n const server = Hapi.server({ tls: tlsOptions });\n\n let stop;\n const handler = async (request) => {\n\n stop = server.stop({ timeout: 200 });\n await Hoek.wait(150);\n return 'ok';\n };\n\n server.route({ method: 'GET', path: '/', handler });\n await server.start();\n\n const agent = new Https.Agent({ keepAlive: true, maxSockets: 1, rejectUnauthorized: false });\n const { res, payload } = await Wreck.get('https://localhost:' + server.info.port + '/', { agent });\n expect(res.headers.connection).to.equal('close');\n expect(payload.toString()).to.equal('ok');\n\n await stop;\n });\n\n it('removes connection event listeners after it stops', async () => {\n\n const server = Hapi.server();\n const initial = server.listener.listeners('connection').length;\n await server.start();\n\n expect(server.listener.listeners('connection').length).to.be.greaterThan(initial);\n\n await server.stop();\n await server.start();\n await server.stop();\n\n expect(server.listener.listeners('connection').length).to.equal(initial);\n });\n\n it('ignores repeated calls', async () => {\n\n const server = Hapi.server();\n await server.stop();\n await server.stop();\n });\n\n it('emits a closing event before the server\\'s listener close event is emitted', async () => {\n\n const server = Hapi.server();\n const events = [];\n\n server.events.on('closing', () => events.push('closing'));\n server.events.on('stop', () => events.push('stop'));\n server._core.listener.on('close', () => events.push('close'));\n\n await server.start();\n await server.stop();\n\n expect(events).to.equal(['closing', 'close', 'stop']);\n });\n\n it('emits a closing event before the close event when there is an active request being processed', async () => {\n\n const server = Hapi.server();\n const events = [];\n\n let stop;\n const handler = async () => {\n\n stop = server.stop({ timeout: 200 });\n await Hoek.wait(0);\n return 'ok';\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n server.events.on('closing', () => events.push('closing'));\n server.events.on('stop', () => events.push('stop'));\n server._core.listener.on('close', () => events.push('close'));\n\n await server.start();\n\n const agent = new Http.Agent({ keepAlive: true, maxSockets: 1 });\n\n // ongoing active request\n const first = Wreck.get('http://localhost:' + server.info.port + '/', { agent });\n // denied incoming request\n const second = Wreck.get('http://localhost:' + server.info.port + '/', { agent });\n\n const { res, payload } = await first;\n expect(res.headers.connection).to.equal('close');\n expect(payload.toString()).to.equal('ok');\n\n await expect(second).to.reject();\n await expect(stop).to.not.reject();\n\n expect(events).to.equal(['closing', 'close', 'stop']);\n });\n });\n\n describe('_dispatch()', () => {\n\n it('rejects request due to high rss load', async () => {\n\n const server = Hapi.server({ load: { sampleInterval: 5, maxRssBytes: 1 } });\n\n let buffer;\n const handler = (request) => {\n\n buffer = buffer || Buffer.alloc(2048);\n return 'ok';\n };\n\n const log = server.events.once('log');\n\n server.route({ method: 'GET', path: '/', handler });\n await server.start();\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(200);\n\n await Hoek.wait(10);\n const res2 = await server.inject('/');\n expect(res2.statusCode).to.equal(503);\n\n const [event, tags] = await log;\n expect(event.channel).to.equal('internal');\n expect(event.data.rss > 10000).to.equal(true);\n expect(tags.load).to.be.true();\n\n await server.stop();\n });\n\n it('doesn\\'t setup listeners for cleanStop when socket is missing', async () => {\n\n const server = Hapi.server();\n\n server.route({\n method: 'get',\n path: '/',\n handler: (request) => request.raw.res.listenerCount('finish')\n });\n\n const { result: normalFinishCount } = await server.inject('/');\n\n const { _dispatch } = server._core;\n\n server._core._dispatch = (opts) => {\n\n const fn = _dispatch.call(server._core, opts);\n\n return (req, res) => {\n\n req.socket = null;\n\n fn(req, res);\n };\n };\n\n const { result: missingSocketFinishCount } = await server.inject('/');\n\n expect(missingSocketFinishCount).to.be.lessThan(normalFinishCount);\n });\n });\n\n describe('inject()', () => {\n\n it('keeps the options.credentials object untouched', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const options = {\n url: '/',\n auth: {\n credentials: { foo: 'bar' },\n strategy: 'test'\n }\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(204);\n expect(options.auth.credentials).to.exist();\n });\n\n it('sets credentials (with host header)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const options = {\n url: '/',\n auth: {\n credentials: { foo: 'bar' },\n strategy: 'test'\n },\n headers: {\n host: 'something'\n }\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(204);\n expect(options.auth.credentials).to.exist();\n });\n\n it('sets credentials (with authority)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.headers.host });\n\n const options = {\n url: '/',\n authority: 'something',\n auth: {\n credentials: { foo: 'bar' },\n strategy: 'test'\n }\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('something');\n expect(options.auth.credentials).to.exist();\n });\n\n it('sets authority', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.headers.host });\n\n const options = {\n url: '/',\n authority: 'something'\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('something');\n });\n\n it('passes the options.artifacts object', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.artifacts });\n\n const options = {\n url: '/',\n auth: {\n credentials: { foo: 'bar' },\n artifacts: { bar: 'baz' },\n strategy: 'test'\n }\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result.bar).to.equal('baz');\n expect(options.auth.artifacts).to.exist();\n });\n\n it('sets `request.auth.isInjected = true` when `auth` option is defined', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.auth.isInjected });\n\n const options = {\n url: '/',\n auth: {\n credentials: { foo: 'bar' },\n strategy: 'test'\n }\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.be.true();\n });\n\n it('sets `request.isInjected = true` for requests created via `server.inject`', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.isInjected });\n\n const options = {\n url: '/'\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.be.true();\n });\n\n it('`request.isInjected` access is read-only', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => {\n\n const illegalAssignment = () => {\n\n request.isInjected = false;\n };\n\n expect(illegalAssignment).to.throw('Cannot set property isInjected of [object Object] which has only a getter');\n\n return request.isInjected;\n } });\n\n const options = {\n url: '/'\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.be.true();\n });\n\n it('sets `request.isInjected = false` for normal request', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.isInjected });\n\n await server.start();\n\n const { payload } = await Wreck.get(`http://localhost:${server.info.port}/`);\n expect(payload.toString()).to.equal('false');\n\n await server.stop();\n });\n\n it('sets app settings', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.app.x });\n\n const options = {\n url: '/',\n authority: 'x', // For coverage\n app: {\n x: 123\n }\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal(123);\n });\n\n it('sets plugins settings', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.plugins.x.y });\n\n const options = {\n url: '/',\n authority: 'x', // For coverage\n plugins: {\n x: {\n y: 123\n }\n }\n };\n\n const res = await server.inject(options);\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal(123);\n });\n\n it('returns the request object', async () => {\n\n const handler = (request) => {\n\n request.app.key = 'value';\n return null;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n expect(res.request.app.key).to.equal('value');\n });\n\n it('returns the request object for POST', async () => {\n\n const payload = { foo: true };\n const handler = (request) => {\n\n return request.payload;\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler });\n\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.statusCode).to.equal(200);\n expect(JSON.parse(res.payload)).to.equal(payload);\n });\n\n it('returns the request string for POST', async () => {\n\n const payload = JSON.stringify({ foo: true });\n const handler = (request) => {\n\n return request.payload;\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler });\n\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.statusCode).to.equal(200);\n expect(res.payload).to.equal(payload);\n });\n\n it('returns the request stream for POST', async () => {\n\n const param = { foo: true };\n const payload = new Stream.Readable();\n payload.push(JSON.stringify(param));\n payload.push(null);\n\n const handler = (request) => {\n\n return request.payload;\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler });\n\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.statusCode).to.equal(200);\n expect(JSON.parse(res.payload)).to.equal(param);\n });\n\n it('can set a client remoteAddress', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.info.remoteAddress });\n\n const res = await server.inject({ url: '/', remoteAddress: '1.2.3.4' });\n expect(res.statusCode).to.equal(200);\n expect(res.payload).to.equal('1.2.3.4');\n });\n\n it('sets a default remoteAddress of 127.0.0.1', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.info.remoteAddress });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.payload).to.equal('127.0.0.1');\n });\n\n it('sets correct host header', async () => {\n\n const server = Hapi.server({ host: 'example.com', port: 2080 });\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => request.headers.host\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('example.com:2080');\n });\n });\n\n describe('table()', () => {\n\n it('returns an array of the current routes', () => {\n\n const server = Hapi.server();\n\n server.route({ path: '/test/', method: 'get', handler: () => null });\n server.route({ path: '/test/{p}/end', method: 'get', handler: () => null });\n\n const routes = server.table();\n expect(routes.length).to.equal(2);\n expect(routes[0].path).to.equal('/test/');\n });\n\n it('combines global and vhost routes', () => {\n\n const server = Hapi.server();\n\n server.route({ path: '/test/', method: 'get', handler: () => null });\n server.route({ path: '/test/', vhost: 'one.example.com', method: 'get', handler: () => null });\n server.route({ path: '/test/', vhost: 'two.example.com', method: 'get', handler: () => null });\n server.route({ path: '/test/{p}/end', method: 'get', handler: () => null });\n\n const routes = server.table();\n expect(routes.length).to.equal(4);\n });\n\n it('combines global and vhost routes and filters based on host', () => {\n\n const server = Hapi.server();\n\n server.route({ path: '/test/', method: 'get', handler: () => null });\n server.route({ path: '/test/', vhost: 'one.example.com', method: 'get', handler: () => null });\n server.route({ path: '/test/', vhost: 'two.example.com', method: 'get', handler: () => null });\n server.route({ path: '/test/{p}/end', method: 'get', handler: () => null });\n\n const routes = server.table('one.example.com');\n expect(routes.length).to.equal(3);\n });\n\n it('accepts a list of hosts', () => {\n\n const server = Hapi.server();\n\n server.route({ path: '/test/', method: 'get', handler: () => null });\n server.route({ path: '/test/', vhost: 'one.example.com', method: 'get', handler: () => null });\n server.route({ path: '/test/', vhost: 'two.example.com', method: 'get', handler: () => null });\n server.route({ path: '/test/{p}/end', method: 'get', handler: () => null });\n\n const routes = server.table(['one.example.com', 'two.example.com']);\n expect(routes.length).to.equal(4);\n });\n\n it('ignores unknown host', () => {\n\n const server = Hapi.server();\n\n server.route({ path: '/test/', method: 'get', handler: () => null });\n server.route({ path: '/test/', vhost: 'one.example.com', method: 'get', handler: () => null });\n server.route({ path: '/test/', vhost: 'two.example.com', method: 'get', handler: () => null });\n server.route({ path: '/test/{p}/end', method: 'get', handler: () => null });\n\n const routes = server.table('three.example.com');\n expect(routes.length).to.equal(2);\n });\n });\n\n describe('ext()', () => {\n\n it('supports adding an array of methods', async () => {\n\n const server = Hapi.server();\n server.ext('onPreHandler', [\n (request, h) => {\n\n request.app.x = '1';\n return h.continue;\n },\n (request, h) => {\n\n request.app.x += '2';\n return h.continue;\n }\n ]);\n\n server.route({ method: 'GET', path: '/', handler: (request) => request.app.x });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('12');\n });\n\n it('sets bind via options', async () => {\n\n const server = Hapi.server();\n const preHandler = function (request, h) {\n\n request.app.x = this.y;\n return h.continue;\n };\n\n server.ext('onPreHandler', preHandler, { bind: { y: 42 } });\n\n server.route({ method: 'GET', path: '/', handler: (request) => request.app.x });\n\n const res = await server.inject('/');\n expect(res.result).to.equal(42);\n });\n\n it('uses server views for ext added via server', async () => {\n\n const server = Hapi.server();\n await server.register(Vision);\n\n server.views({\n engines: { html: Handlebars },\n path: __dirname + '/templates'\n });\n\n const preHandler = (request, h) => {\n\n return h.view('test').takeover();\n };\n\n server.ext('onPreHandler', preHandler);\n\n const test = {\n name: 'test',\n\n register: function (plugin, options) {\n\n plugin.views({\n engines: { html: Handlebars },\n path: './no_such_directory_found'\n });\n\n plugin.route({ path: '/view', method: 'GET', handler: () => null });\n }\n };\n\n await server.register(test);\n const res = await server.inject('/view');\n expect(res.statusCode).to.equal(200);\n });\n\n it('supports toolkit decorators on empty result', async () => {\n\n const server = Hapi.server();\n const onRequest = (request, h) => {\n\n return h.response().redirect('/elsewhere').takeover();\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(302);\n expect(res.headers.location).to.equal('/elsewhere');\n });\n\n it('supports direct toolkit decorators', async () => {\n\n const server = Hapi.server();\n const onRequest = (request, h) => {\n\n return h.redirect('/elsewhere').takeover();\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(302);\n expect(res.headers.location).to.equal('/elsewhere');\n });\n\n it('skips extensions once takeover is called', async () => {\n\n const server = Hapi.server();\n\n const preResponse1 = (request, h) => {\n\n return h.response(1).takeover();\n };\n\n server.ext('onPreResponse', preResponse1);\n\n let called = false;\n const preResponse2 = (request) => {\n\n called = true;\n return 2;\n };\n\n server.ext('onPreResponse', preResponse2);\n\n server.route({ method: 'GET', path: '/', handler: () => 0 });\n\n const res = await server.inject({ method: 'GET', url: '/' });\n expect(res.result).to.equal(1);\n expect(called).to.be.false();\n });\n\n it('executes all extensions with return values', async () => {\n\n const server = Hapi.server();\n server.ext('onPreResponse', () => 1);\n\n let called = false;\n const preResponse2 = (request) => {\n\n called = true;\n return 2;\n };\n\n server.ext('onPreResponse', preResponse2);\n server.route({ method: 'GET', path: '/', handler: () => 0 });\n\n const res = await server.inject({ method: 'GET', url: '/' });\n expect(res.result).to.equal(2);\n expect(called).to.be.true();\n });\n\n describe('onRequest', () => {\n\n it('replies with custom response', async () => {\n\n const server = Hapi.server();\n const onRequest = (request) => {\n\n throw Boom.badRequest('boom');\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(400);\n expect(res.result.message).to.equal('boom');\n });\n\n it('replies with a view', async () => {\n\n const server = Hapi.server();\n await server.register(Vision);\n\n server.views({\n engines: { 'html': Handlebars },\n path: __dirname + '/templates'\n });\n\n const onRequest = (request, h) => {\n\n return h.view('test', { message: 'hola!' }).takeover();\n };\n\n server.ext('onRequest', onRequest);\n\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject('/');\n expect(res.result).to.match(/
\\r?\\n

hola!<\\/h1>\\r?\\n<\\/div>\\r?\\n/);\n });\n });\n\n describe('onPreResponse', () => {\n\n it('replies with custom response', async () => {\n\n const server = Hapi.server();\n\n const preRequest = (request, h) => {\n\n if (typeof request.response.source === 'string') {\n throw Boom.badRequest('boom');\n }\n\n return h.continue;\n };\n\n server.ext('onPreResponse', preRequest);\n\n server.route({\n method: 'GET',\n path: '/text',\n handler: () => 'ok'\n });\n\n server.route({\n method: 'GET',\n path: '/obj',\n handler: () => ({ status: 'ok' })\n });\n\n const res1 = await server.inject({ method: 'GET', url: '/text' });\n expect(res1.result.message).to.equal('boom');\n\n const res2 = await server.inject({ method: 'GET', url: '/obj' });\n expect(res2.result.status).to.equal('ok');\n });\n\n it('intercepts 404 responses', async () => {\n\n const server = Hapi.server();\n\n const preResponse = (request, h) => {\n\n return h.response(request.response.output.statusCode).takeover();\n };\n\n server.ext('onPreResponse', preResponse);\n\n const res = await server.inject({ method: 'GET', url: '/missing' });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal(404);\n });\n\n it('intercepts 404 when using directory handler and file is missing', async () => {\n\n const server = Hapi.server();\n await server.register(Inert);\n\n const preResponse = (request) => {\n\n const response = request.response;\n return { isBoom: response.isBoom };\n };\n\n server.ext('onPreResponse', preResponse);\n\n server.route({ method: 'GET', path: '/{path*}', handler: { directory: { path: './somewhere', listing: false, index: true } } });\n\n const res = await server.inject('/missing');\n expect(res.statusCode).to.equal(200);\n expect(res.result.isBoom).to.equal(true);\n });\n\n it('intercepts 404 when using file handler and file is missing', async () => {\n\n const server = Hapi.server();\n await server.register(Inert);\n\n const preResponse = (request) => {\n\n const response = request.response;\n return { isBoom: response.isBoom };\n };\n\n server.ext('onPreResponse', preResponse);\n\n server.route({ method: 'GET', path: '/{path*}', handler: { file: './somewhere/something.txt' } });\n\n const res = await server.inject('/missing');\n expect(res.statusCode).to.equal(200);\n expect(res.result.isBoom).to.equal(true);\n });\n\n it('cleans unused file stream when response is overridden', { skip: !Common.hasLsof }, async () => {\n\n const server = Hapi.server();\n await server.register(Inert);\n\n const preResponse = (request) => {\n\n return { something: 'else' };\n };\n\n server.ext('onPreResponse', preResponse);\n\n server.route({ method: 'GET', path: '/{path*}', handler: { directory: { path: './' } } });\n\n const res = await server.inject('/package.json');\n expect(res.statusCode).to.equal(200);\n expect(res.result.something).to.equal('else');\n\n await new Promise((resolve) => {\n\n const cmd = ChildProcess.spawn('lsof', ['-p', process.pid]);\n let lsof = '';\n\n cmd.stdout.on('data', (buffer) => {\n\n lsof += buffer.toString();\n });\n\n cmd.stdout.on('end', () => {\n\n let count = 0;\n const lines = lsof.split('\\n');\n for (let i = 0; i < lines.length; ++i) {\n count += !!lines[i].match(/package.json/);\n }\n\n expect(count).to.equal(0);\n resolve();\n });\n\n cmd.stdin.end();\n });\n });\n\n it('executes multiple extensions', async () => {\n\n const server = Hapi.server();\n\n const preResponse1 = (request, h) => {\n\n request.response.source = request.response.source + '1';\n return h.continue;\n };\n\n server.ext('onPreResponse', preResponse1);\n\n const preResponse2 = (request, h) => {\n\n request.response.source = request.response.source + '2';\n return h.continue;\n };\n\n server.ext('onPreResponse', preResponse2);\n server.route({ method: 'GET', path: '/', handler: () => '0' });\n\n const res = await server.inject({ method: 'GET', url: '/' });\n expect(res.result).to.equal('012');\n });\n });\n });\n\n describe('route()', () => {\n\n it('emits route event', async () => {\n\n const server = Hapi.server();\n const log = server.events.once('route');\n\n server.route({\n method: 'GET',\n path: '/',\n handler: () => null\n });\n\n const [route] = await log;\n expect(route.path).to.equal('/');\n });\n\n it('overrides the default notFound handler', async () => {\n\n const server = Hapi.server();\n server.route({ method: '*', path: '/{p*}', handler: () => 'found' });\n const res = await server.inject({ method: 'GET', url: '/page' });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('found');\n });\n\n it('responds to HEAD requests for a GET route', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').etag('test').code(205);\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res1 = await server.inject({ method: 'GET', url: '/' });\n\n expect(res1.statusCode).to.equal(205);\n expect(res1.headers['content-type']).to.equal('text/html; charset=utf-8');\n expect(res1.headers['content-length']).to.equal(2);\n expect(res1.headers.etag).to.equal('\"test\"');\n expect(res1.result).to.equal('ok');\n\n const res2 = await server.inject({ method: 'HEAD', url: '/' });\n expect(res2.statusCode).to.equal(res1.statusCode);\n expect(res2.headers['content-type']).to.equal(res1.headers['content-type']);\n expect(res2.headers['content-length']).to.equal(res1.headers['content-length']);\n expect(res2.headers.etag).to.equal(res1.headers.etag);\n expect(res2.result).to.not.exist();\n });\n\n it('returns 404 on HEAD requests for non-GET routes', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: () => 'ok' });\n\n const res1 = await server.inject({ method: 'HEAD', url: '/' });\n expect(res1.statusCode).to.equal(404);\n expect(res1.result).to.not.exist();\n\n const res2 = await server.inject({ method: 'HEAD', url: '/not-there' });\n\n expect(res2.statusCode).to.equal(404);\n expect(res2.result).to.not.exist();\n });\n\n it('returns 500 on HEAD requests for failed responses', async () => {\n\n const preResponse = (request, h) => {\n\n request.response._processors.marshal = function (response, callback) {\n\n process.nextTick(callback, new Error('boom!'));\n };\n\n return h.continue;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n server.ext('onPreResponse', preResponse);\n\n const res1 = await server.inject({ method: 'GET', url: '/' });\n expect(res1.statusCode).to.equal(500);\n expect(res1.result).to.exist();\n\n const res2 = await server.inject({ method: 'HEAD', url: '/' });\n expect(res2.statusCode).to.equal(res1.statusCode);\n expect(res2.headers['content-type']).to.equal(res1.headers['content-type']);\n expect(res2.headers['content-length']).to.equal(res1.headers['content-length']);\n expect(res2.result).to.not.exist();\n });\n\n it('allows methods array', async () => {\n\n const server = Hapi.server();\n const config = { method: ['GET', 'PUT', 'POST', 'DELETE'], path: '/', handler: (request) => request.route.method };\n server.route(config);\n expect(config.method).to.equal(['GET', 'PUT', 'POST', 'DELETE']); // Ensure config is cloned\n\n const res1 = await server.inject({ method: 'HEAD', url: '/' });\n expect(res1.statusCode).to.equal(200);\n\n const res2 = await server.inject({ method: 'GET', url: '/' });\n expect(res2.statusCode).to.equal(200);\n expect(res2.payload).to.equal('get');\n\n const res3 = await server.inject({ method: 'PUT', url: '/' });\n expect(res3.statusCode).to.equal(200);\n expect(res3.payload).to.equal('put');\n\n const res4 = await server.inject({ method: 'POST', url: '/' });\n expect(res4.statusCode).to.equal(200);\n expect(res4.payload).to.equal('post');\n\n const res5 = await server.inject({ method: 'DELETE', url: '/' });\n expect(res5.statusCode).to.equal(200);\n expect(res5.payload).to.equal('delete');\n });\n\n it('adds routes using single and array methods', () => {\n\n const server = Hapi.server();\n server.route([\n {\n method: 'GET',\n path: '/api/products',\n handler: () => null\n },\n {\n method: 'GET',\n path: '/api/products/{id}',\n handler: () => null\n },\n {\n method: 'POST',\n path: '/api/products',\n handler: () => null\n },\n {\n method: ['PUT', 'PATCH'],\n path: '/api/products/{id}',\n handler: () => null\n },\n {\n method: 'DELETE',\n path: '/api/products/{id}',\n handler: () => null\n }\n ]);\n\n const table = server.table();\n const paths = table.map((route) => {\n\n const obj = {\n method: route.method,\n path: route.path\n };\n return obj;\n });\n\n expect(table).to.have.length(6);\n expect(paths).to.only.include([\n { method: 'get', path: '/api/products' },\n { method: 'get', path: '/api/products/{id}' },\n { method: 'post', path: '/api/products' },\n { method: 'put', path: '/api/products/{id}' },\n { method: 'patch', path: '/api/products/{id}' },\n { method: 'delete', path: '/api/products/{id}' }\n ]);\n });\n\n it('throws on methods array with id', () => {\n\n const server = Hapi.server();\n\n expect(() => {\n\n server.route({\n method: ['GET', 'PUT', 'POST', 'DELETE'],\n path: '/',\n options: {\n id: 'abc',\n handler: (request) => request.route.method\n }\n });\n }).to.throw('Route id abc for path / conflicts with existing path /');\n });\n });\n\n describe('_defaultRoutes()', () => {\n\n it('returns 404 when making a request to a route that does not exist', async () => {\n\n const server = Hapi.server();\n const res = await server.inject({ method: 'GET', url: '/nope' });\n expect(res.statusCode).to.equal(404);\n });\n\n it('returns 400 on bad request', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/a/{p}', handler: () => null });\n const res = await server.inject('/a/%');\n expect(res.statusCode).to.equal(400);\n });\n });\n\n describe('load', () => {\n\n it('measures loop delay', async () => {\n\n const server = Hapi.server({ load: { sampleInterval: 4 } });\n\n const handler = (request) => {\n\n const start = Date.now();\n while (Date.now() - start < 5) { }\n return 'ok';\n };\n\n server.route({ method: 'GET', path: '/', handler });\n await server.start();\n\n await server.inject('/');\n expect(server.load.eventLoopDelay).to.be.below(7);\n\n await Hoek.wait(0);\n\n await server.inject('/');\n expect(server.load.eventLoopDelay).to.be.above(0);\n\n await Hoek.wait(0);\n\n await server.inject('/');\n expect(server.load.eventLoopDelay).to.be.above(0);\n expect(server.load.eventLoopUtilization).to.be.above(0);\n expect(server.load.heapUsed).to.be.above(1024 * 1024);\n expect(server.load.rss).to.be.above(1024 * 1024);\n await server.stop();\n });\n });\n});\n\n\ninternals.countConnections = function (server) {\n\n return new Promise((resolve, reject) => {\n\n server.listener.getConnections((err, count) => {\n\n return (err ? reject(err) : resolve(count));\n });\n });\n};\n\n\ninternals.socket = function (server, mode) {\n\n const socket = new Net.Socket();\n socket.on('error', Hoek.ignore);\n\n if (mode === 'tls') {\n socket.connect(server.info.port, '127.0.0.1');\n return new Promise((resolve) => TLS.connect({ socket, rejectUnauthorized: false }, () => resolve(socket)));\n }\n\n return new Promise((resolve) => socket.connect(server.info.port, '127.0.0.1', () => resolve(socket)));\n};\n" }, { "path": "test/cors.js", "content": "'use strict';\n\nconst Boom = require('@hapi/boom');\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Lab = require('@hapi/lab');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('CORS', () => {\n\n it('returns 404 on OPTIONS when cors disabled', async () => {\n\n const server = Hapi.server({ routes: { cors: false } });\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res.statusCode).to.equal(404);\n });\n\n it('returns OPTIONS response', async () => {\n\n const handler = function () {\n\n throw Boom.badRequest();\n };\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res.headers['access-control-allow-origin']).to.equal('http://example.com/');\n });\n\n it('returns OPTIONS response (server config)', async () => {\n\n const handler = function () {\n\n throw Boom.badRequest();\n };\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({ method: 'GET', path: '/x', handler });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/x', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res.headers['access-control-allow-origin']).to.equal('http://example.com/');\n });\n\n it('returns headers on single route', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/a', handler: () => 'ok', options: { cors: true } });\n server.route({ method: 'GET', path: '/b', handler: () => 'ok' });\n\n const res1 = await server.inject({ method: 'OPTIONS', url: '/a', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res1.statusCode).to.equal(200);\n expect(res1.result).to.be.null();\n expect(res1.headers['access-control-allow-origin']).to.equal('http://example.com/');\n\n const res2 = await server.inject({ method: 'OPTIONS', url: '/b', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result.message).to.equal('CORS is disabled for this route');\n expect(res2.headers['access-control-allow-origin']).to.not.exist();\n });\n\n it('allows headers on multiple routes but not all', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/a', handler: () => 'ok', options: { cors: true } });\n server.route({ method: 'GET', path: '/b', handler: () => 'ok', options: { cors: true } });\n server.route({ method: 'GET', path: '/c', handler: () => 'ok' });\n\n const res1 = await server.inject({ method: 'OPTIONS', url: '/a', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res1.statusCode).to.equal(200);\n expect(res1.result).to.be.null();\n expect(res1.headers['access-control-allow-origin']).to.equal('http://example.com/');\n\n const res2 = await server.inject({ method: 'OPTIONS', url: '/b', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result).to.be.null();\n expect(res2.headers['access-control-allow-origin']).to.equal('http://example.com/');\n\n const res3 = await server.inject({ method: 'OPTIONS', url: '/c', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res3.statusCode).to.equal(200);\n expect(res3.result.message).to.equal('CORS is disabled for this route');\n expect(res3.headers['access-control-allow-origin']).to.not.exist();\n });\n\n it('allows same headers on multiple routes with same path', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/a', handler: () => 'ok', options: { cors: true } });\n server.route({ method: 'POST', path: '/a', handler: () => 'ok', options: { cors: true } });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/a', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.be.null();\n expect(res.headers['access-control-allow-origin']).to.equal('http://example.com/');\n });\n\n it('returns headers on single route (overrides defaults)', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: ['b'] } } });\n server.route({ method: 'GET', path: '/a', handler: () => 'ok', options: { cors: { origin: ['a'] } } });\n server.route({ method: 'GET', path: '/b', handler: () => 'ok' });\n\n const res1 = await server.inject({ method: 'OPTIONS', url: '/a', headers: { origin: 'a', 'access-control-request-method': 'GET' } });\n expect(res1.statusCode).to.equal(200);\n expect(res1.result).to.be.null();\n expect(res1.headers['access-control-allow-origin']).to.equal('a');\n\n const res2 = await server.inject({ method: 'OPTIONS', url: '/b', headers: { origin: 'b', 'access-control-request-method': 'GET' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result).to.be.null();\n expect(res2.headers['access-control-allow-origin']).to.equal('b');\n });\n\n it('sets access-control-allow-credentials header', async () => {\n\n const server = Hapi.server({ routes: { cors: { credentials: true } } });\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://example.com/' } });\n expect(res.statusCode).to.equal(204);\n expect(res.result).to.equal(null);\n expect(res.headers['access-control-allow-credentials']).to.equal('true');\n });\n\n it('combines server defaults with route config', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: ['http://example.com/'] } } });\n server.route({ method: 'GET', path: '/', handler: () => null, options: { cors: { credentials: true } } });\n\n const res1 = await server.inject({ url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res1.statusCode).to.equal(204);\n expect(res1.result).to.equal(null);\n expect(res1.headers['access-control-allow-credentials']).to.equal('true');\n\n const res2 = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result).to.equal(null);\n expect(res2.headers['access-control-allow-credentials']).to.equal('true');\n\n const res3 = await server.inject({ url: '/', headers: { origin: 'http://example.org/', 'access-control-request-method': 'GET' } });\n expect(res3.statusCode).to.equal(204);\n expect(res3.result).to.equal(null);\n expect(res3.headers['access-control-allow-credentials']).to.not.exist();\n\n const res4 = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.org/', 'access-control-request-method': 'GET' } });\n expect(res4.statusCode).to.equal(200);\n expect(res4.result).to.equal({ message: 'CORS error: Origin not allowed' });\n expect(res4.headers['access-control-allow-credentials']).to.not.exist();\n expect(res4.headers['access-control-allow-origin']).to.not.exist();\n });\n\n it('handles request without origin header', async () => {\n\n const server = Hapi.server({ port: 8080, routes: { cors: { origin: ['http://*.domain.com'] } } });\n server.route({ method: 'GET', path: '/test', handler: () => null });\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(404);\n expect(res1.headers['access-control-allow-origin']).to.not.exist();\n\n const res2 = await server.inject('/test');\n expect(res2.statusCode).to.equal(204);\n expect(res2.headers['access-control-allow-origin']).to.not.exist();\n });\n\n it('handles missing routes', async () => {\n\n const server = Hapi.server({ port: 8080, routes: { cors: { origin: ['http://*.domain.com'] } } });\n\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(404);\n expect(res1.headers['access-control-allow-origin']).to.not.exist();\n\n const res2 = await server.inject({ url: '/', headers: { origin: 'http://example.domain.com' } });\n expect(res2.statusCode).to.equal(404);\n expect(res2.headers['access-control-allow-origin']).to.exist();\n });\n\n it('uses server defaults in onRequest', async () => {\n\n const server = Hapi.server({ port: 8080, routes: { cors: { origin: ['http://*.domain.com'] } } });\n\n server.ext('onRequest', (request, h) => {\n\n expect(request.info.cors).to.be.null(); // Do not set potentially incorrect information\n return h.response('skip').takeover();\n });\n\n const res1 = await server.inject({ url: '/', headers: { origin: 'http://example.domain.com' } });\n expect(res1.statusCode).to.equal(200);\n expect(res1.headers['access-control-allow-origin']).to.exist();\n\n const res2 = await server.inject({ url: '/', headers: { origin: 'http://example.domain.net' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.headers['access-control-allow-origin']).to.not.exist();\n });\n\n describe('headers()', () => {\n\n it('returns CORS origin (route level)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => 'ok', options: { cors: true } });\n\n const res1 = await server.inject({ url: '/', headers: { origin: 'http://example.com/' } });\n expect(res1.statusCode).to.equal(200);\n expect(res1.result).to.exist();\n expect(res1.result).to.equal('ok');\n expect(res1.headers['access-control-allow-origin']).to.equal('http://example.com/');\n\n const res2 = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.result).to.be.null();\n expect(res2.headers['access-control-allow-origin']).to.equal('http://example.com/');\n });\n\n it('returns CORS origin (GET)', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: ['http://x.example.com', 'http://www.example.com'] } } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://x.example.com' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('ok');\n expect(res.headers['access-control-allow-origin']).to.equal('http://x.example.com');\n });\n\n it('returns CORS origin (OPTIONS)', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: ['http://test.example.com', 'http://www.example.com'] } } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://test.example.com', 'access-control-request-method': 'GET' } });\n expect(res.statusCode).to.equal(200);\n expect(res.payload.length).to.equal(0);\n expect(res.headers['access-control-allow-origin']).to.equal('http://test.example.com');\n });\n\n it('merges CORS access-control-expose-headers header', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').header('access-control-expose-headers', 'something');\n };\n\n const server = Hapi.server({ routes: { cors: { additionalExposedHeaders: ['xyz'] } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://example.com/' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('ok');\n expect(res.headers['access-control-expose-headers']).to.equal('something,WWW-Authenticate,Server-Authorization,xyz');\n });\n\n it('returns no CORS headers when route CORS disabled', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: ['http://test.example.com', 'http://www.example.com'] } } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok', options: { cors: false } });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://x.example.com' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('ok');\n expect(res.headers['access-control-allow-origin']).to.not.exist();\n });\n\n it('returns matching CORS origin', async () => {\n\n const handler = (request, h) => {\n\n return h.response('Tada').header('vary', 'x-test');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 }, routes: { cors: { origin: ['http://test.example.com', 'http://www.example.com', 'http://*.a.com'] } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://www.example.com' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('Tada');\n expect(res.headers['access-control-allow-origin']).to.equal('http://www.example.com');\n expect(res.headers.vary).to.equal('x-test,origin,accept-encoding');\n });\n\n it('returns origin header when matching against *', async () => {\n\n const handler = (request, h) => {\n\n return h.response('Tada').header('vary', 'x-test');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 }, routes: { cors: { origin: ['*'] } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://www.example.com' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('Tada');\n expect(res.headers['access-control-allow-origin']).to.equal('http://www.example.com');\n expect(res.headers.vary).to.equal('x-test,origin,accept-encoding');\n });\n\n it('returns * origin header when matching against * and origin is ignored', async () => {\n\n const handler = (request, h) => {\n\n return h.response('Tada').header('vary', 'x-test');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 }, routes: { cors: { origin: 'ignore' } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://www.example.com' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('Tada');\n expect(res.headers['access-control-allow-origin']).to.equal('*');\n expect(res.headers.vary).to.equal('x-test,accept-encoding');\n });\n\n it('returns matching CORS origin wildcard', async () => {\n\n const handler = (request, h) => {\n\n return h.response('Tada').header('vary', 'x-test');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 }, routes: { cors: { origin: ['http://test.example.com', 'http://www.example.com', 'http://*.a.com'] } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://www.a.com' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('Tada');\n expect(res.headers['access-control-allow-origin']).to.equal('http://www.a.com');\n expect(res.headers.vary).to.equal('x-test,origin,accept-encoding');\n });\n\n it('returns matching CORS origin wildcard when more than one wildcard', async () => {\n\n const handler = (request, h) => {\n\n return h.response('Tada').header('vary', 'x-test', true);\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 }, routes: { cors: { origin: ['http://test.example.com', 'http://www.example.com', 'http://*.b.com', 'http://*.a.com'] } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { origin: 'http://www.a.com' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('Tada');\n expect(res.headers['access-control-allow-origin']).to.equal('http://www.a.com');\n expect(res.headers.vary).to.equal('x-test,origin,accept-encoding');\n });\n\n it('does not set empty CORS expose headers', async () => {\n\n const server = Hapi.server({ routes: { cors: { exposedHeaders: [] } } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res1 = await server.inject({ url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res1.statusCode).to.equal(200);\n expect(res1.headers['access-control-allow-origin']).to.equal('http://example.com/');\n expect(res1.headers['access-control-expose-headers']).to.not.exist();\n\n const res2 = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.headers['access-control-allow-origin']).to.equal('http://example.com/');\n expect(res2.headers['access-control-expose-headers']).to.not.exist();\n });\n });\n\n describe('options()', () => {\n\n it('ignores OPTIONS route', () => {\n\n const server = Hapi.server();\n server.route({\n method: 'OPTIONS',\n path: '/',\n handler: () => null\n });\n\n expect(server._core.router.special.options).to.not.exist();\n });\n });\n\n describe('handler()', () => {\n\n it('errors on missing origin header', async () => {\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({\n method: 'GET',\n path: '/',\n handler: () => null\n });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/', headers: { 'access-control-request-method': 'GET' } });\n expect(res.statusCode).to.equal(404);\n expect(res.result.message).to.equal('CORS error: Missing Origin header');\n });\n\n it('errors on missing access-control-request-method header', async () => {\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({\n method: 'GET',\n path: '/',\n handler: () => null\n });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/' } });\n expect(res.statusCode).to.equal(404);\n expect(res.result.message).to.equal('CORS error: Missing Access-Control-Request-Method header');\n });\n\n it('errors on missing route', async () => {\n\n const server = Hapi.server({ routes: { cors: true } });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res.statusCode).to.equal(404);\n });\n\n it('errors on mismatching origin header', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: ['a'] } } });\n server.route({\n method: 'GET',\n path: '/',\n handler: () => null\n });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result.message).to.equal('CORS error: Origin not allowed');\n });\n\n it('matches a wildcard origin if origin is ignored and present', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: 'ignore' } } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({\n method: 'OPTIONS',\n url: '/',\n headers: {\n origin: 'http://test.example.com',\n 'access-control-request-method': 'GET',\n 'access-control-request-headers': 'Authorization'\n }\n });\n\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-origin']).to.equal('*');\n\n });\n\n it('matches a wildcard origin if origin is ignored and missing', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: 'ignore' } } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({\n method: 'OPTIONS',\n url: '/',\n headers: {\n 'access-control-request-method': 'GET',\n 'access-control-request-headers': 'Authorization'\n }\n });\n\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-origin']).to.equal('*');\n });\n\n it('matches allowed headers', async () => {\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({\n method: 'OPTIONS',\n url: '/',\n headers: {\n origin: 'http://test.example.com',\n 'access-control-request-method': 'GET',\n 'access-control-request-headers': 'Authorization'\n }\n });\n\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-headers']).to.equal('Accept,Authorization,Content-Type,If-None-Match');\n });\n\n it('matches allowed headers (case insensitive)', async () => {\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({\n method: 'OPTIONS',\n url: '/',\n headers: {\n origin: 'http://test.example.com',\n 'access-control-request-method': 'GET',\n 'access-control-request-headers': 'authorization'\n }\n });\n\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-headers']).to.equal('Accept,Authorization,Content-Type,If-None-Match');\n });\n\n it('matches allowed headers (Origin explicit)', async () => {\n\n const server = Hapi.server({ routes: { cors: { additionalHeaders: ['Origin'] } } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({\n method: 'OPTIONS',\n url: '/',\n headers: {\n origin: 'http://test.example.com',\n 'access-control-request-method': 'GET',\n 'access-control-request-headers': 'Origin'\n }\n });\n\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-headers']).to.equal('Accept,Authorization,Content-Type,If-None-Match,Origin');\n expect(res.headers['access-control-expose-headers']).to.equal('WWW-Authenticate,Server-Authorization');\n });\n\n it('responds with configured preflight status code', async () => {\n\n const server = Hapi.server({ routes: { cors: { preflightStatusCode: 204 } } });\n server.route({ method: 'GET', path: '/204', handler: () => 'ok', options: { cors: true } });\n server.route({ method: 'GET', path: '/200', handler: () => 'ok', options: { cors: { preflightStatusCode: 200 } } });\n\n const res1 = await server.inject({\n method: 'OPTIONS',\n url: '/204',\n headers: {\n origin: 'http://test.example.com',\n 'access-control-request-method': 'GET'\n }\n });\n\n expect(res1.statusCode).to.equal(204);\n\n const res2 = await server.inject({\n method: 'OPTIONS',\n url: '/200',\n headers: {\n origin: 'http://test.example.com',\n 'access-control-request-method': 'GET'\n }\n });\n\n expect(res2.statusCode).to.equal(200);\n });\n\n it('matches allowed headers (Origin implicit)', async () => {\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({\n method: 'OPTIONS',\n url: '/',\n headers: {\n origin: 'http://test.example.com',\n 'access-control-request-method': 'GET',\n 'access-control-request-headers': 'Origin'\n }\n });\n\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-headers']).to.equal('Accept,Authorization,Content-Type,If-None-Match');\n });\n\n it('errors on disallowed headers', async () => {\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({\n method: 'OPTIONS',\n url: '/',\n headers: {\n origin: 'http://test.example.com',\n 'access-control-request-method': 'GET',\n 'access-control-request-headers': 'X'\n }\n });\n\n expect(res.statusCode).to.equal(200);\n expect(res.result.message).to.equal('CORS error: Some headers are not allowed');\n });\n\n it('allows credentials', async () => {\n\n const server = Hapi.server({ routes: { cors: { credentials: true } } });\n server.route({\n method: 'GET',\n path: '/',\n handler: () => null\n });\n\n const res = await server.inject({ method: 'OPTIONS', url: '/', headers: { origin: 'http://example.com/', 'access-control-request-method': 'GET' } });\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-credentials']).to.equal('true');\n });\n\n it('correctly finds route when using vhost setting', async () => {\n\n const server = Hapi.server({ routes: { cors: true } });\n server.route({\n method: 'POST',\n vhost: 'example.com',\n path: '/',\n handler: () => null\n });\n\n const res = await server.inject({ method: 'OPTIONS', url: 'http://example.com:4000/', headers: { origin: 'http://localhost', 'access-control-request-method': 'POST' } });\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-methods']).to.equal('POST');\n });\n });\n\n describe('headers()', () => {\n\n it('skips CORS when missing origin header and wildcard does not ignore origin', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: ['*'] } } });\n server.route({\n method: 'GET',\n path: '/',\n handler: () => 'ok'\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-origin']).to.not.exist();\n });\n\n it('uses CORS when missing origin header and wildcard ignores origin', async () => {\n\n const server = Hapi.server({ routes: { cors: { origin: 'ignore' } } });\n server.route({\n method: 'GET',\n path: '/',\n handler: () => 'ok'\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['access-control-allow-origin']).to.equal('*');\n });\n });\n});\n" }, { "path": "test/file/note.txt", "content": "Test" }, { "path": "test/handler.js", "content": "'use strict';\n\nconst Boom = require('@hapi/boom');\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Hoek = require('@hapi/hoek');\nconst Lab = require('@hapi/lab');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('handler', () => {\n\n describe('execute()', () => {\n\n it('bypasses onPostHandler when handler calls takeover()', async () => {\n\n const server = Hapi.server();\n server.ext('onPostHandler', () => 'else');\n server.route({ method: 'GET', path: '/', handler: (request, h) => 'something' });\n server.route({ method: 'GET', path: '/takeover', handler: (request, h) => h.response('something').takeover() });\n\n const res1 = await server.inject('/');\n expect(res1.result).to.equal('else');\n\n const res2 = await server.inject('/takeover');\n expect(res2.result).to.equal('something');\n });\n\n it('returns 500 on handler exception (same tick)', async () => {\n\n const server = Hapi.server({ debug: false });\n\n const handler = (request) => {\n\n const a = null;\n a.b.c;\n };\n\n server.route({ method: 'GET', path: '/domain', handler });\n\n const res = await server.inject('/domain');\n expect(res.statusCode).to.equal(500);\n });\n\n it('returns 500 on handler exception (next tick await)', async () => {\n\n const handler = async (request) => {\n\n await Hoek.wait(0);\n const not = null;\n not.here;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const log = server.events.once({ name: 'request', channels: 'error' });\n\n const orig = console.error;\n console.error = function (...args) {\n\n console.error = orig;\n expect(args[0]).to.equal('Debug:');\n expect(args[1]).to.equal('internal, implementation, error');\n };\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n\n const [, event] = await log;\n expect(event.error.message).to.include(['Cannot read prop', 'null', 'here']);\n });\n });\n\n describe('handler()', () => {\n\n it('binds handler to route bind object', async () => {\n\n const item = { x: 123 };\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: function (request) {\n\n return this.x;\n },\n bind: item\n }\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal(item.x);\n });\n\n it('binds handler to route bind object (toolkit)', async () => {\n\n const item = { x: 123 };\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request, h) => h.context.x,\n bind: item\n }\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal(item.x);\n });\n\n it('returns 500 on ext method exception (same tick)', async () => {\n\n const server = Hapi.server({ debug: false });\n\n const onRequest = function () {\n\n const a = null;\n a.b.c;\n };\n\n server.ext('onRequest', onRequest);\n\n server.route({ method: 'GET', path: '/domain', handler: () => 'neven gonna happen' });\n\n const res = await server.inject('/domain');\n expect(res.statusCode).to.equal(500);\n });\n\n it('returns 500 on custom function error', async () => {\n\n const server = Hapi.server({ debug: false });\n\n const onPreHandler = function (request, h) {\n\n request.app.custom = () => {\n\n throw new Error('oops');\n };\n\n return h.continue;\n };\n\n server.ext('onPreHandler', onPreHandler);\n\n server.route({ method: 'GET', path: '/', handler: (request) => request.app.custom() });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('prerequisitesConfig()', () => {\n\n it('shows the complete prerequisite pipeline in the response', async () => {\n\n const pre1 = (request, h) => {\n\n return h.response('Hello').code(444);\n };\n\n const pre2 = (request) => {\n\n return request.pre.m1 + request.pre.m3 + request.pre.m4;\n };\n\n const pre3 = async (request) => {\n\n await Hoek.wait(0);\n return ' ';\n };\n\n const pre4 = () => 'World';\n\n const pre5 = (request) => {\n\n return request.pre.m2 + (request.pre.m0 === null ? '!' : 'x');\n };\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n {\n method: (request, h) => h.continue,\n assign: 'm0'\n },\n [\n { method: pre1, assign: 'm1' },\n { method: pre3, assign: 'm3' },\n { method: pre4, assign: 'm4' }\n ],\n { method: pre2, assign: 'm2' },\n { method: pre5, assign: 'm5' }\n ],\n handler: (request) => request.pre.m5\n }\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('Hello World!');\n });\n\n it('allows a single prerequisite', async () => {\n\n const server = Hapi.server();\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n { method: () => 'Hello', assign: 'p' }\n ],\n handler: (request) => request.pre.p\n }\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('Hello');\n });\n\n it('allows an empty prerequisite array', async () => {\n\n const server = Hapi.server();\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [],\n handler: () => 'Hello'\n }\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('Hello');\n });\n\n it('takes over response', async () => {\n\n const pre1 = () => 'Hello';\n\n const pre2 = (request) => {\n\n return request.pre.m1 + request.pre.m3 + request.pre.m4;\n };\n\n const pre3 = async (request, h) => {\n\n await Hoek.wait(0);\n return h.response(' ').takeover();\n };\n\n const pre4 = () => 'World';\n\n const pre5 = (request) => {\n\n return request.pre.m2 + '!';\n };\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n [\n { method: pre1, assign: 'm1' },\n { method: pre3, assign: 'm3' },\n { method: pre4, assign: 'm4' }\n ],\n { method: pre2, assign: 'm2' },\n { method: pre5, assign: 'm5' }\n ],\n handler: (request) => request.pre.m5\n }\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal(' ');\n });\n\n it('returns error if prerequisite returns error', async () => {\n\n const pre1 = () => 'Hello';\n\n const pre2 = function () {\n\n throw Boom.internal('boom');\n };\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n [{ method: pre1, assign: 'm1' }],\n { method: pre2, assign: 'm2' }\n ],\n handler: (request) => request.pre.m1\n }\n });\n\n const res = await server.inject('/');\n expect(res.result.statusCode).to.equal(500);\n });\n\n it('passes wrapped object', async () => {\n\n const pre = (request, h) => {\n\n return h.response('Hello').code(444);\n };\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n { method: pre, assign: 'p' }\n ],\n handler: (request) => request.preResponses.p\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(444);\n });\n\n it('returns 500 if prerequisite throws', async () => {\n\n const pre1 = () => 'Hello';\n const pre2 = function () {\n\n const a = null;\n a.b.c = 0;\n };\n\n const server = Hapi.server({ debug: false });\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n [{ method: pre1, assign: 'm1' }],\n { method: pre2, assign: 'm2' }\n ],\n handler: (request) => request.pre.m1\n }\n });\n\n const res = await server.inject('/');\n expect(res.result.statusCode).to.equal(500);\n });\n\n it('sets pre failAction to error', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n {\n method: () => {\n\n throw Boom.forbidden();\n },\n failAction: 'error'\n }\n ],\n handler: () => 'ok'\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(403);\n });\n\n it('sets pre failAction to ignore', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n {\n method: () => {\n\n throw Boom.forbidden();\n },\n failAction: 'ignore'\n }\n ],\n handler: () => 'ok'\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n });\n\n it('sets pre failAction to log', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n {\n assign: 'before',\n method: () => {\n\n throw Boom.forbidden();\n },\n failAction: 'log'\n }\n ],\n handler: (request) => {\n\n if (request.pre.before === request.preResponses.before &&\n request.pre.before instanceof Error) {\n\n return 'ok';\n }\n\n throw new Error();\n }\n }\n });\n\n let logged;\n server.events.on({ name: 'request', channels: 'internal' }, (request, event, tags) => {\n\n if (tags.pre &&\n tags.error) {\n\n logged = event;\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(logged.error.assign).to.equal('before');\n });\n\n it('sets pre failAction to method', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n {\n assign: 'value',\n method: () => {\n\n throw Boom.forbidden();\n },\n failAction: (request, h, err) => {\n\n expect(err.output.statusCode).to.equal(403);\n return 'failed';\n }\n }\n ],\n handler: (request) => (request.pre.value + '!')\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('failed!');\n });\n\n it('sets pre failAction to method with takeover', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n {\n assign: 'value',\n method: () => {\n\n throw Boom.forbidden();\n },\n failAction: (request, h, err) => {\n\n expect(err.output.statusCode).to.equal(403);\n return h.response('failed').takeover();\n }\n }\n ],\n handler: (request) => (request.pre.value + '!')\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('failed');\n });\n\n it('binds pre to route bind object', async () => {\n\n const item = { x: 123 };\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [{\n method: function (request) {\n\n return this.x;\n },\n assign: 'x'\n }],\n handler: (request) => request.pre.x,\n bind: item\n }\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal(item.x);\n });\n\n it('logs boom error instance as data if handler returns boom error', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: function () {\n\n throw Boom.forbidden();\n }\n }\n });\n\n const log = new Promise((resolve) => {\n\n server.events.on({ name: 'request', channels: 'internal' }, (request, event, tags) => {\n\n if (tags.handler &&\n tags.error) {\n\n resolve({ event, tags });\n }\n });\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(403);\n\n const { event } = await log;\n expect(event.error.isBoom).to.equal(true);\n expect(event.error.output.statusCode).to.equal(403);\n expect(event.error.message).to.equal('Forbidden');\n expect(event.error.stack).to.exist();\n });\n });\n\n describe('defaults()', () => {\n\n it('returns handler without defaults', async () => {\n\n const handler = function (route, options) {\n\n return (request) => request.route.settings.app;\n };\n\n const server = Hapi.server();\n server.decorate('handler', 'test', handler);\n server.route({ method: 'get', path: '/', handler: { test: 'value' } });\n const res = await server.inject('/');\n expect(res.result).to.equal({});\n });\n\n it('returns handler with object defaults', async () => {\n\n const handler = function (route, options) {\n\n return (request) => request.route.settings.app;\n };\n\n handler.defaults = {\n app: {\n x: 1\n }\n };\n\n const server = Hapi.server();\n server.decorate('handler', 'test', handler);\n server.route({ method: 'get', path: '/', handler: { test: 'value' } });\n const res = await server.inject('/');\n expect(res.result).to.equal({ x: 1 });\n });\n\n it('returns handler with function defaults', async () => {\n\n const handler = function (route, options) {\n\n return (request) => request.route.settings.app;\n };\n\n handler.defaults = function (method) {\n\n return {\n app: {\n x: method\n }\n };\n };\n\n const server = Hapi.server();\n server.decorate('handler', 'test', handler);\n server.route({ method: 'get', path: '/', handler: { test: 'value' } });\n const res = await server.inject('/');\n expect(res.result).to.equal({ x: 'get' });\n });\n\n it('throws on handler with invalid defaults', () => {\n\n const handler = function (route, options) {\n\n return (request) => request.route.settings.app;\n };\n\n handler.defaults = 'invalid';\n\n const server = Hapi.server();\n expect(() => {\n\n server.decorate('handler', 'test', handler);\n }).to.throw('Handler defaults property must be an object or function');\n });\n });\n});\n" }, { "path": "test/headers.js", "content": "'use strict';\n\nconst Boom = require('@hapi/boom');\nconst { Engine: CatboxMemory } = require('@hapi/catbox-memory');\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Inert = require('@hapi/inert');\nconst Lab = require('@hapi/lab');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('Headers', () => {\n\n describe('cache()', () => {\n\n it('sets max-age value (method and route)', async () => {\n\n const server = Hapi.server();\n\n const method = function (id) {\n\n return {\n 'id': 'fa0dbda9b1b',\n 'name': 'John Doe'\n };\n };\n\n server.method('profile', method, { cache: { expiresIn: 120000, generateTimeout: 10 } });\n\n const profileHandler = (request) => {\n\n return server.methods.profile(0);\n };\n\n server.route({ method: 'GET', path: '/profile', options: { handler: profileHandler, cache: { expiresIn: 120000, privacy: 'private' } } });\n await server.start();\n\n const res = await server.inject('/profile');\n expect(res.headers['cache-control']).to.equal('max-age=120, must-revalidate, private');\n await server.stop();\n });\n\n it('sets max-age value (expiresAt)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', options: { handler: () => null, cache: { expiresAt: '10:00' } } });\n await server.start();\n\n const res = await server.inject('/');\n expect(res.headers['cache-control']).to.match(/^max-age=\\d+, must-revalidate$/);\n await server.stop();\n });\n\n it('returns no-cache on error', async () => {\n\n const handler = () => {\n\n throw Boom.badRequest();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', options: { handler, cache: { expiresIn: 120000 } } });\n const res = await server.inject('/');\n expect(res.headers['cache-control']).to.equal('no-cache');\n });\n\n it('returns custom value on error', async () => {\n\n const handler = () => {\n\n throw Boom.badRequest();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', options: { handler, cache: { otherwise: 'no-store' } } });\n const res = await server.inject('/');\n expect(res.headers['cache-control']).to.equal('no-store');\n });\n\n it('sets cache-control on error with status override', async () => {\n\n const handler = () => {\n\n throw Boom.badRequest();\n };\n\n const server = Hapi.server({ routes: { cache: { statuses: [200, 400] } } });\n server.route({ method: 'GET', path: '/', options: { handler, cache: { expiresIn: 120000 } } });\n const res = await server.inject('/');\n expect(res.headers['cache-control']).to.equal('max-age=120, must-revalidate');\n });\n\n it('does not return max-age value when route is not cached', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/item2', options: { handler: () => ({ 'id': '55cf687663', 'name': 'Active Items' }) } });\n const res = await server.inject('/item2');\n expect(res.headers['cache-control']).to.not.equal('max-age=120, must-revalidate');\n });\n\n it('caches using non default cache', async () => {\n\n const server = Hapi.server({ cache: { name: 'primary', provider: CatboxMemory } });\n const defaults = server.cache({ segment: 'a', expiresIn: 2000, getDecoratedValue: true });\n const primary = server.cache({ segment: 'a', expiresIn: 2000, getDecoratedValue: true, cache: 'primary' });\n\n await server.start();\n\n await defaults.set('b', 1);\n await primary.set('b', 2);\n const { value: value1 } = await defaults.get('b');\n expect(value1).to.equal(1);\n\n const { cached: cached2 } = await primary.get('b');\n expect(cached2.item).to.equal(2);\n\n await server.stop();\n });\n\n it('leaves existing cache-control header', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('text').code(400).header('cache-control', 'some value') });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(400);\n expect(res.headers['cache-control']).to.equal('some value');\n });\n\n it('sets cache-control header from ttl without policy', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('text').ttl(10000) });\n\n const res = await server.inject('/');\n expect(res.headers['cache-control']).to.equal('max-age=10, must-revalidate');\n });\n\n it('sets cache-control header from ttl with disabled policy', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', options: { cache: false, handler: (request, h) => h.response('text').ttl(10000) } });\n\n const res = await server.inject('/');\n expect(res.headers['cache-control']).to.equal('max-age=10, must-revalidate');\n });\n\n it('leaves existing cache-control header (ttl)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('text').ttl(1000).header('cache-control', 'none') });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['cache-control']).to.equal('none');\n });\n\n it('includes caching header with 304', async () => {\n\n const server = Hapi.server();\n await server.register(Inert);\n server.route({ method: 'GET', path: '/file', handler: { file: __dirname + '/../package.json' }, options: { cache: { expiresIn: 60000 } } });\n\n const res1 = await server.inject('/file');\n const res2 = await server.inject({ url: '/file', headers: { 'if-modified-since': res1.headers['last-modified'] } });\n expect(res2.statusCode).to.equal(304);\n expect(res2.headers['cache-control']).to.equal('max-age=60, must-revalidate');\n });\n\n it('forbids caching on 304 if 200 is not included', async () => {\n\n const server = Hapi.server({ routes: { cache: { statuses: [400] } } });\n await server.register(Inert);\n server.route({ method: 'GET', path: '/file', handler: { file: __dirname + '/../package.json' }, options: { cache: { expiresIn: 60000 } } });\n\n const res1 = await server.inject('/file');\n const res2 = await server.inject({ url: '/file', headers: { 'if-modified-since': res1.headers['last-modified'] } });\n expect(res2.statusCode).to.equal(304);\n expect(res2.headers['cache-control']).to.equal('no-cache');\n });\n });\n\n describe('security()', () => {\n\n it('does not set security headers by default', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.not.exist();\n expect(res.headers['x-frame-options']).to.not.exist();\n expect(res.headers['x-xss-protection']).to.not.exist();\n expect(res.headers['x-download-options']).to.not.exist();\n expect(res.headers['x-content-type-options']).to.not.exist();\n });\n\n it('returns default security headers when security is true', async () => {\n\n const server = Hapi.server({ routes: { security: true } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000');\n expect(res.headers['x-frame-options']).to.equal('DENY');\n expect(res.headers['x-xss-protection']).to.equal('0');\n expect(res.headers['x-download-options']).to.equal('noopen');\n expect(res.headers['x-content-type-options']).to.equal('nosniff');\n });\n\n it('does not set default security headers when the route sets security false', async () => {\n\n const server = Hapi.server({ routes: { security: true } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test', options: { security: false } });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.not.exist();\n expect(res.headers['x-frame-options']).to.not.exist();\n expect(res.headers['x-xss-protection']).to.not.exist();\n expect(res.headers['x-download-options']).to.not.exist();\n expect(res.headers['x-content-type-options']).to.not.exist();\n });\n\n it('does not return hsts header when secuirty.hsts is false', async () => {\n\n const server = Hapi.server({ routes: { security: { hsts: false } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.not.exist();\n expect(res.headers['x-frame-options']).to.equal('DENY');\n expect(res.headers['x-xss-protection']).to.equal('0');\n expect(res.headers['x-download-options']).to.equal('noopen');\n expect(res.headers['x-content-type-options']).to.equal('nosniff');\n });\n\n it('returns only default hsts header when security.hsts is true', async () => {\n\n const server = Hapi.server({ routes: { security: { hsts: true } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000');\n });\n\n it('returns correct hsts header when security.hsts is a number', async () => {\n\n const server = Hapi.server({ routes: { security: { hsts: 123456789 } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.equal('max-age=123456789');\n });\n\n it('returns correct hsts header when security.hsts is an object', async () => {\n\n const server = Hapi.server({ routes: { security: { hsts: { maxAge: 123456789, includeSubDomains: true } } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.equal('max-age=123456789; includeSubDomains');\n });\n\n it('returns the correct hsts header when security.hsts is an object only sepcifying maxAge', async () => {\n\n const server = Hapi.server({ routes: { security: { hsts: { maxAge: 123456789 } } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.equal('max-age=123456789');\n });\n\n it('returns correct hsts header when security.hsts is an object only specifying includeSubdomains', async () => {\n\n const server = Hapi.server({ routes: { security: { hsts: { includeSubdomains: true } } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000; includeSubDomains');\n });\n\n it('returns correct hsts header when security.hsts is an object only specifying includeSubDomains', async () => {\n\n const server = Hapi.server({ routes: { security: { hsts: { includeSubDomains: true } } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000; includeSubDomains');\n });\n\n it('returns correct hsts header when security.hsts is an object only specifying includeSubDomains and preload', async () => {\n\n const server = Hapi.server({ routes: { security: { hsts: { includeSubDomains: true, preload: true } } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000; includeSubDomains; preload');\n });\n\n it('does not return the xframe header whe security.xframe is false', async () => {\n\n const server = Hapi.server({ routes: { security: { xframe: false } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-frame-options']).to.not.exist();\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000');\n expect(res.headers['x-xss-protection']).to.equal('0');\n expect(res.headers['x-download-options']).to.equal('noopen');\n expect(res.headers['x-content-type-options']).to.equal('nosniff');\n });\n\n it('returns only default xframe header when security.xframe is true', async () => {\n\n const server = Hapi.server({ routes: { security: { xframe: true } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-frame-options']).to.equal('DENY');\n });\n\n it('returns correct xframe header when security.xframe is a string', async () => {\n\n const server = Hapi.server({ routes: { security: { xframe: 'sameorigin' } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-frame-options']).to.equal('SAMEORIGIN');\n });\n\n it('returns correct xframe header when security.xframe is an object', async () => {\n\n const server = Hapi.server({ routes: { security: { xframe: { rule: 'allow-from', source: 'http://example.com' } } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-frame-options']).to.equal('ALLOW-FROM http://example.com');\n });\n\n it('returns correct xframe header when security.xframe is an object', async () => {\n\n const server = Hapi.server({ routes: { security: { xframe: { rule: 'deny' } } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-frame-options']).to.equal('DENY');\n });\n\n it('returns sameorigin xframe header when rule is allow-from but source is unspecified', async () => {\n\n const server = Hapi.server({ routes: { security: { xframe: { rule: 'allow-from' } } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-frame-options']).to.equal('SAMEORIGIN');\n });\n\n it('does not set x-download-options if noOpen is false', async () => {\n\n const server = Hapi.server({ routes: { security: { noOpen: false } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-download-options']).to.not.exist();\n });\n\n it('does not set x-content-type-options if noSniff is false', async () => {\n\n const server = Hapi.server({ routes: { security: { noSniff: false } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-content-type-options']).to.not.exist();\n });\n\n it('sets the x-xss-protection header when security.xss is enabled', async () => {\n\n const server = Hapi.server({ routes: { security: { xss: 'enabled' } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-xss-protection']).to.equal('1; mode=block');\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000');\n expect(res.headers['x-frame-options']).to.equal('DENY');\n expect(res.headers['x-download-options']).to.equal('noopen');\n expect(res.headers['x-content-type-options']).to.equal('nosniff');\n });\n\n it('sets the x-xss-protection header when security.xss is disabled', async () => {\n\n const server = Hapi.server({ routes: { security: { xss: 'disabled' } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-xss-protection']).to.equal('0');\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000');\n expect(res.headers['x-frame-options']).to.equal('DENY');\n expect(res.headers['x-download-options']).to.equal('noopen');\n expect(res.headers['x-content-type-options']).to.equal('nosniff');\n });\n\n it('does not set the x-xss-protection header when security.xss is false', async () => {\n\n const server = Hapi.server({ routes: { security: { xss: false } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['x-xss-protection']).to.not.exist();\n expect(res.headers['strict-transport-security']).to.equal('max-age=15768000');\n expect(res.headers['x-frame-options']).to.equal('DENY');\n expect(res.headers['x-download-options']).to.equal('noopen');\n expect(res.headers['x-content-type-options']).to.equal('nosniff');\n });\n\n it('does not return the referrer-policy header by default', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['referrer-policy']).to.not.exist();\n });\n\n it('does not return the referrer-policy header when security.referrer is false', async () => {\n\n const server = Hapi.server({ routes: { security: { referrer: false } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['referrer-policy']).to.not.exist();\n });\n\n it('does not allow security.referrer to be true', () => {\n\n let err;\n try {\n Hapi.server({ routes: { security: { referrer: true } } });\n }\n catch (ex) {\n err = ex;\n }\n\n expect(err).to.exist();\n });\n\n it('returns correct referrer-policy header when security.referrer is a string with a valid value', async () => {\n\n const server = Hapi.server({ routes: { security: { referrer: 'strict-origin-when-cross-origin' } } });\n server.route({ method: 'GET', path: '/', handler: () => 'Test' });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.exist();\n expect(res.result).to.equal('Test');\n expect(res.headers['referrer-policy']).to.equal('strict-origin-when-cross-origin');\n });\n });\n\n describe('content()', () => {\n\n it('does not modify content-type header when charset manually set', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('text').type('text/plain; charset=ISO-8859-1') });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['content-type']).to.equal('text/plain; charset=ISO-8859-1');\n });\n\n it('does not modify content-type header when charset is unset', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('text').type('text/plain').charset() });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['content-type']).to.equal('text/plain');\n });\n\n it('does not modify content-type header when charset is unset (default type)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('text').charset() });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['content-type']).to.equal('text/html');\n });\n\n it('does not set content-type by default on 204 response', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response().code(204) });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n expect(res.headers['content-type']).to.equal(undefined);\n });\n });\n});\n" }, { "path": "test/index.js", "content": "'use strict';\n\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Lab = require('@hapi/lab');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('Server', () => {\n\n it('supports new Server()', async () => {\n\n const server = new Hapi.Server();\n server.route({ method: 'GET', path: '/', handler: () => 'old school' });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('old school');\n });\n});\n" }, { "path": "test/methods.js", "content": "'use strict';\n\nconst Catbox = require('@hapi/catbox');\nconst { Engine: CatboxMemory } = require('@hapi/catbox-memory');\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Hoek = require('@hapi/hoek');\nconst Lab = require('@hapi/lab');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('Methods', () => {\n\n it('registers a method', () => {\n\n const add = function (a, b) {\n\n return a + b;\n };\n\n const server = Hapi.server();\n server.method('add', add);\n\n const result = server.methods.add(1, 5);\n expect(result).to.equal(6);\n });\n\n it('registers a method (object)', () => {\n\n const add = function (a, b) {\n\n return a + b;\n };\n\n const server = Hapi.server();\n server.method({ name: 'add', method: add });\n\n const result = server.methods.add(1, 5);\n expect(result).to.equal(6);\n });\n\n it('registers a method with leading _', () => {\n\n const _add = function (a, b) {\n\n return a + b;\n };\n\n const server = Hapi.server();\n server.method('_add', _add);\n\n const result = server.methods._add(1, 5);\n expect(result).to.equal(6);\n });\n\n it('registers a method with leading $', () => {\n\n const $add = function (a, b) {\n\n return a + b;\n };\n\n const server = Hapi.server();\n server.method('$add', $add);\n\n const result = server.methods.$add(1, 5);\n expect(result).to.equal(6);\n });\n\n it('registers a method with _', () => {\n\n const _add = function (a, b) {\n\n return a + b;\n };\n\n const server = Hapi.server();\n server.method('add_._that', _add);\n\n const result = server.methods.add_._that(1, 5);\n expect(result).to.equal(6);\n });\n\n it('registers a method with $', () => {\n\n const $add = function (a, b) {\n\n return a + b;\n };\n\n const server = Hapi.server();\n server.method('add$.$that', $add);\n\n const result = server.methods.add$.$that(1, 5);\n expect(result).to.equal(6);\n });\n\n it('registers a method (promise)', async () => {\n\n const add = function (a, b) {\n\n return new Promise((resolve) => resolve(a + b));\n };\n\n const server = Hapi.server();\n server.method('add', add);\n\n const value = await server.methods.add(1, 5);\n expect(value).to.equal(6);\n });\n\n it('registers a method with nested name', () => {\n\n const add = function (a, b) {\n\n return a + b;\n };\n\n const server = Hapi.server();\n server.method('tools.add', add);\n\n const result = server.methods.tools.add(1, 5);\n expect(result).to.equal(6);\n });\n\n it('registers two methods with shared nested name', () => {\n\n const add = function (a, b) {\n\n return a + b;\n };\n\n const sub = function (a, b) {\n\n return a - b;\n };\n\n const server = Hapi.server();\n server.method('tools.add', add);\n server.method('tools.sub', sub);\n\n const result1 = server.methods.tools.add(1, 5);\n expect(result1).to.equal(6);\n const result2 = server.methods.tools.sub(1, 5);\n expect(result2).to.equal(-4);\n });\n\n it('throws when registering a method with nested name twice', () => {\n\n const server = Hapi.server();\n server.method('tools.add', Hoek.ignore);\n expect(() => {\n\n server.method('tools.add', Hoek.ignore);\n }).to.throw('Server method function name already exists: tools.add');\n });\n\n it('throws when registering a method with name nested through a function', () => {\n\n const server = Hapi.server();\n server.method('add', Hoek.ignore);\n expect(() => {\n\n server.method('add.another', Hoek.ignore);\n }).to.throw('Invalid segment another in reach path add.another');\n });\n\n it('calls non cached method multiple times', () => {\n\n let gen = 0;\n const method = function (id) {\n\n return { id, gen: gen++ };\n };\n\n const server = Hapi.server();\n server.method('test', method);\n\n const result1 = server.methods.test(1);\n expect(result1.gen).to.equal(0);\n\n const result2 = server.methods.test(1);\n expect(result2.gen).to.equal(1);\n });\n\n it('caches method value', async () => {\n\n let gen = 0;\n const method = function (id) {\n\n return { id, gen: gen++ };\n };\n\n const server = Hapi.server();\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const result1 = await server.methods.test(1);\n expect(result1.gen).to.equal(0);\n\n const result2 = await server.methods.test(1);\n expect(result2.gen).to.equal(0);\n });\n\n it('emits a cache policy event on cached methods with default cache provision', async () => {\n\n const method = function (id) {\n\n return { id };\n };\n\n const server = Hapi.server();\n const cachePolicyEvent = server.events.once('cachePolicy');\n\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n const [policy, cacheName, segment] = await cachePolicyEvent;\n expect(policy).to.be.instanceOf(Catbox.Policy);\n expect(cacheName).to.equal(undefined);\n expect(segment).to.equal('#test');\n });\n\n it('emits a cache policy event on cached methods with named cache provision', async () => {\n\n const method = function (id) {\n\n return { id };\n };\n\n const server = Hapi.server();\n await server.cache.provision({ provider: CatboxMemory, name: 'named' });\n const cachePolicyEvent = server.events.once('cachePolicy');\n\n server.method('test', method, { cache: { cache: 'named', expiresIn: 1000, generateTimeout: 10 } });\n\n const [policy, cacheName, segment] = await cachePolicyEvent;\n expect(policy).to.be.instanceOf(Catbox.Policy);\n expect(cacheName).to.equal('named');\n expect(segment).to.equal('#test');\n });\n\n it('caches method value (async)', async () => {\n\n let gen = 0;\n const method = async function (id) {\n\n await Hoek.wait(1);\n return { id, gen: gen++ };\n };\n\n const server = Hapi.server();\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const result1 = await server.methods.test(1);\n expect(result1.gen).to.equal(0);\n\n const result2 = await server.methods.test(1);\n expect(result2.gen).to.equal(0);\n });\n\n it('caches method value (promise)', async () => {\n\n let gen = 0;\n const method = function (id) {\n\n return new Promise((resolve, reject) => {\n\n if (id === 2) {\n return reject(new Error('boom'));\n }\n\n return resolve({ id, gen: gen++ });\n });\n };\n\n const server = Hapi.server();\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const result1 = await server.methods.test(1);\n expect(result1.gen).to.equal(0);\n\n const result2 = await server.methods.test(1);\n expect(result2.gen).to.equal(0);\n\n await expect(server.methods.test(2)).to.reject('boom');\n });\n\n it('caches method value (decorated)', async () => {\n\n let gen = 0;\n const method = function (id) {\n\n return { id, gen: gen++ };\n };\n\n const server = Hapi.server();\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10, getDecoratedValue: true } });\n\n await server.initialize();\n\n const { value: result1 } = await server.methods.test(1);\n expect(result1.gen).to.equal(0);\n\n const { value: result2 } = await server.methods.test(1);\n expect(result2.gen).to.equal(0);\n });\n\n it('reuses cached method value with custom key function', async () => {\n\n let gen = 0;\n const method = function (id) {\n\n return { id, gen: gen++ };\n };\n\n const server = Hapi.server();\n\n const generateKey = function (id) {\n\n return '' + (id + 1);\n };\n\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 }, generateKey });\n\n await server.initialize();\n\n const result1 = await server.methods.test(1);\n expect(result1.gen).to.equal(0);\n\n const result2 = await server.methods.test(1);\n expect(result2.gen).to.equal(0);\n });\n\n it('errors when custom key function return null', async () => {\n\n const method = function (id) {\n\n return { id };\n };\n\n const server = Hapi.server();\n\n const generateKey = function (id) {\n\n return null;\n };\n\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 }, generateKey });\n\n await server.initialize();\n await expect(server.methods.test(1)).to.reject('Invalid method key when invoking: test');\n });\n\n it('does not cache when custom key function returns a non-string', async () => {\n\n const method = function (id) {\n\n return { id };\n };\n\n const server = Hapi.server();\n\n const generateKey = function (id) {\n\n return 123;\n };\n\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 }, generateKey });\n\n await server.initialize();\n await expect(server.methods.test(1)).to.reject('Invalid method key when invoking: test');\n });\n\n it('does not cache value when ttl is 0', async () => {\n\n let gen = 0;\n const method = function (id, flags) {\n\n flags.ttl = 0;\n return { id, gen: gen++ };\n };\n\n const server = Hapi.server();\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const result1 = await server.methods.test(1);\n expect(result1.gen).to.equal(0);\n\n const result2 = await server.methods.test(1);\n expect(result2.gen).to.equal(1);\n });\n\n it('generates new value after cache drop', async () => {\n\n let gen = 0;\n const method = function (id) {\n\n return { id, gen: gen++ };\n };\n\n const server = Hapi.server();\n server.method('dropTest', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const result1 = await server.methods.dropTest(2);\n expect(result1.gen).to.equal(0);\n await server.methods.dropTest.cache.drop(2);\n const result2 = await server.methods.dropTest(2);\n expect(result2.gen).to.equal(1);\n });\n\n it('errors on invalid drop key', async () => {\n\n let gen = 0;\n const method = function (id) {\n\n return { id, gen: gen++ };\n };\n\n const server = Hapi.server();\n server.method('dropErrTest', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const invalid = () => { };\n await expect(server.methods.dropErrTest.cache.drop(invalid)).to.reject();\n });\n\n it('reports cache stats for each method', async () => {\n\n const method = function (id) {\n\n return { id };\n };\n\n const server = Hapi.server();\n server.method('test', method, { cache: { generateTimeout: 10 } });\n server.method('test2', method, { cache: { generateTimeout: 10 } });\n\n await server.initialize();\n\n server.methods.test(1);\n expect(server.methods.test.cache.stats.gets).to.equal(1);\n expect(server.methods.test2.cache.stats.gets).to.equal(0);\n });\n\n it('throws an error when name is not a string', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.method(0, () => { });\n }).to.throw('name must be a string');\n });\n\n it('throws an error when name is invalid', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.method('0', () => { });\n }).to.throw('Invalid name: 0');\n\n expect(() => {\n\n const server = Hapi.server();\n server.method('a..', () => { });\n }).to.throw('Invalid name: a..');\n\n expect(() => {\n\n const server = Hapi.server();\n server.method('a.0', () => { });\n }).to.throw('Invalid name: a.0');\n\n expect(() => {\n\n const server = Hapi.server();\n server.method('.a', () => { });\n }).to.throw('Invalid name: .a');\n });\n\n it('throws an error when method is not a function', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.method('user', 'function');\n }).to.throw('method must be a function');\n });\n\n it('throws an error when options is not an object', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.method('user', () => { }, 'options');\n }).to.throw(/Invalid method options \\(user\\)/);\n });\n\n it('throws an error when options.generateKey is not a function', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.method('user', () => { }, { generateKey: 'function' });\n }).to.throw(/Invalid method options \\(user\\)/);\n });\n\n it('throws an error when options.cache is not valid', () => {\n\n expect(() => {\n\n const server = Hapi.server({ cache: CatboxMemory });\n server.method('user', () => { }, { cache: { x: 'y', generateTimeout: 10 } });\n }).to.throw(/Invalid cache policy configuration/);\n });\n\n it('throws an error when generateTimeout is not present', () => {\n\n const server = Hapi.server();\n expect(() => {\n\n server.method('test', () => { }, { cache: {} });\n }).to.throw('Method caching requires a timeout value in generateTimeout: test');\n });\n\n it('allows generateTimeout to be false', () => {\n\n const server = Hapi.server();\n expect(() => {\n\n server.method('test', () => { }, { cache: { generateTimeout: false } });\n }).to.not.throw();\n });\n\n it('returns timeout when method taking too long using the cache', async () => {\n\n const server = Hapi.server({ cache: CatboxMemory });\n\n let gen = 0;\n const method = async function (id) {\n\n await Hoek.wait(50);\n return { id, gen: ++gen };\n };\n\n server.method('user', method, { cache: { expiresIn: 2000, generateTimeout: 30 } });\n\n await server.initialize();\n\n const id = Math.random();\n const err = await expect(server.methods.user(id)).to.reject();\n expect(err.output.statusCode).to.equal(503);\n\n await Hoek.wait(30);\n\n const result2 = await server.methods.user(id);\n expect(result2.id).to.equal(id);\n expect(result2.gen).to.equal(1);\n });\n\n it('supports empty key method', async () => {\n\n const server = Hapi.server({ cache: CatboxMemory });\n\n let gen = 0;\n const terms = 'I agree to give my house';\n const method = function () {\n\n return { gen: gen++, terms };\n };\n\n server.method('tos', method, { cache: { expiresIn: 2000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const result1 = await server.methods.tos();\n expect(result1.terms).to.equal(terms);\n expect(result1.gen).to.equal(0);\n\n const result2 = await server.methods.tos();\n expect(result2.terms).to.equal(terms);\n expect(result2.gen).to.equal(0);\n });\n\n it('returns valid results when calling a method (with different keys) using the cache', async () => {\n\n const server = Hapi.server({ cache: CatboxMemory });\n let gen = 0;\n const method = function (id) {\n\n return { id, gen: ++gen };\n };\n\n server.method('user', method, { cache: { expiresIn: 2000, generateTimeout: 10 } });\n await server.initialize();\n\n const id1 = Math.random();\n const result1 = await server.methods.user(id1);\n expect(result1.id).to.equal(id1);\n expect(result1.gen).to.equal(1);\n\n const id2 = Math.random();\n const result2 = await server.methods.user(id2);\n expect(result2.id).to.equal(id2);\n expect(result2.gen).to.equal(2);\n });\n\n it('errors when key generation fails', async () => {\n\n const server = Hapi.server({ cache: CatboxMemory });\n\n const method = function (id) {\n\n return { id };\n };\n\n server.method([{ name: 'user', method, options: { cache: { expiresIn: 2000, generateTimeout: 10 } } }]);\n\n await server.initialize();\n\n const result1 = await server.methods.user(1);\n expect(result1.id).to.equal(1);\n\n const invalid = function () { };\n await expect(server.methods.user(invalid)).to.reject('Invalid method key when invoking: user');\n });\n\n it('sets method bind without cache', () => {\n\n const method = function (id) {\n\n return { id, gen: this.gen++ };\n };\n\n const server = Hapi.server();\n server.method('test', method, { bind: { gen: 7 } });\n\n const result1 = server.methods.test(1);\n expect(result1.gen).to.equal(7);\n\n const result2 = server.methods.test(1);\n expect(result2.gen).to.equal(8);\n });\n\n it('sets method bind with cache', async () => {\n\n const method = function (id) {\n\n return { id, gen: this.gen++ };\n };\n\n const server = Hapi.server();\n server.method('test', method, { bind: { gen: 7 }, cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const result1 = await server.methods.test(1);\n expect(result1.gen).to.equal(7);\n\n const result2 = await server.methods.test(1);\n expect(result2.gen).to.equal(7);\n });\n\n it('shallow copies bind config', async () => {\n\n const bind = { gen: 7 };\n const method = function (id) {\n\n return { id, gen: this.gen++, bound: this === bind };\n };\n\n const server = Hapi.server();\n server.method('test', method, { bind, cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n\n const result1 = await server.methods.test(1);\n expect(result1.gen).to.equal(7);\n expect(result1.bound).to.equal(true);\n\n const result2 = await server.methods.test(1);\n expect(result2.gen).to.equal(7);\n });\n\n describe('_add()', () => {\n\n it('handles sync method', () => {\n\n const add = function (a, b) {\n\n return a + b;\n };\n\n const server = Hapi.server();\n server.method('add', add);\n const result = server.methods.add(1, 5);\n expect(result).to.equal(6);\n });\n\n it('handles sync method (direct error)', () => {\n\n const add = function (a, b) {\n\n return new Error('boom');\n };\n\n const server = Hapi.server();\n server.method('add', add);\n const result = server.methods.add(1, 5);\n expect(result).to.be.instanceof(Error);\n expect(result.message).to.equal('boom');\n });\n\n it('handles sync method (direct throw)', () => {\n\n const add = function (a, b) {\n\n throw new Error('boom');\n };\n\n const server = Hapi.server();\n server.method('add', add);\n expect(() => {\n\n server.methods.add(1, 5);\n }).to.throw('boom');\n });\n\n it('throws an error if unknown keys are present when making a server method using an object', () => {\n\n const fn = function () { };\n const server = Hapi.server();\n\n expect(() => {\n\n server.method({\n name: 'fn',\n method: fn,\n cache: {}\n });\n }).to.throw(/^Invalid methodObject options/);\n });\n });\n\n describe('generateKey()', () => {\n\n it('handles string argument type', async () => {\n\n const method = (id) => id;\n const server = Hapi.server();\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n const value = await server.methods.test('x');\n expect(value).to.equal('x');\n });\n\n it('handles multiple arguments', async () => {\n\n const method = (a, b, c) => a + b + c;\n const server = Hapi.server();\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n const value = await server.methods.test('a', 'b', 'c');\n expect(value).to.equal('abc');\n });\n\n it('errors on invalid argument type', async () => {\n\n const method = (id) => id;\n const server = Hapi.server();\n server.method('test', method, { cache: { expiresIn: 1000, generateTimeout: 10 } });\n\n await server.initialize();\n await expect(server.methods.test({})).to.reject('Invalid method key when invoking: test');\n });\n });\n});\n" }, { "path": "test/payload.js", "content": "'use strict';\n\nconst Events = require('events');\nconst Fs = require('fs');\nconst Http = require('http');\nconst Net = require('net');\nconst Path = require('path');\nconst Zlib = require('zlib');\n\nconst Boom = require('@hapi/boom');\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Hoek = require('@hapi/hoek');\nconst Lab = require('@hapi/lab');\nconst Wreck = require('@hapi/wreck');\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('Payload', () => {\n\n it('sets payload', async () => {\n\n const payload = '{\"x\":\"1\",\"y\":\"2\",\"z\":\"3\"}';\n\n const handler = (request) => {\n\n expect(request.payload).to.exist();\n expect(request.payload.z).to.equal('3');\n expect(request.mime).to.equal('application/json');\n return request.payload;\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler } });\n\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.result).to.exist();\n expect(res.result.x).to.equal('1');\n });\n\n it('handles request socket error', async () => {\n\n let called = false;\n const handler = function () {\n\n called = true;\n return null;\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler } });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: 'test', simulate: { error: true, end: false } });\n expect(res.result).to.exist();\n expect(res.result.statusCode).to.equal(500);\n expect(called).to.be.false();\n });\n\n it('handles request socket close', async () => {\n\n const handler = function () {\n\n throw new Error('never called');\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler } });\n\n const responded = server.ext('onPostResponse');\n\n server.inject({ method: 'POST', url: '/', payload: 'test', simulate: { close: true, end: false } });\n const request = await responded;\n expect(request._isReplied).to.equal(true);\n expect(request.response.output.statusCode).to.equal(500);\n });\n\n it('handles aborted request mid-lifecycle step', async (flags) => {\n\n let req = null;\n const server = Hapi.server();\n\n server.route({\n method: 'GET',\n path: '/',\n handler: async (request) => {\n\n req.destroy();\n\n await request.events.once('disconnect');\n\n return 'ok';\n }\n });\n\n // Register post handler that should not be called\n\n let post = 0;\n server.ext('onPostHandler', () => {\n\n ++post;\n });\n\n flags.onCleanup = () => server.stop();\n await server.start();\n\n req = Http.request({\n hostname: 'localhost',\n port: server.info.port,\n method: 'get'\n });\n\n req.on('error', Hoek.ignore);\n req.end();\n\n const [request] = await server.events.once('response');\n\n expect(request.response.isBoom).to.be.true();\n expect(request.response.output.statusCode).to.equal(499);\n expect(request.info.completed).to.be.above(0);\n expect(request.info.responded).to.equal(0);\n\n expect(post).to.equal(0);\n });\n\n it('handles aborted request', { retry: true }, async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler: () => 'Success', payload: { parse: false } } });\n\n const log = server.events.once('log');\n\n await server.start();\n\n const options = {\n hostname: 'localhost',\n port: server.info.port,\n path: '/',\n method: 'POST',\n headers: {\n 'Content-Length': '10'\n }\n };\n\n const req = Http.request(options, (res) => { });\n req.on('error', Hoek.ignore);\n req.write('Hello\\n');\n setTimeout(() => req.destroy(), 50);\n\n const [event] = await log;\n expect(event.error.message).to.equal('Parse Error');\n await server.stop({ timeout: 10 });\n });\n\n it('errors when payload too big', async () => {\n\n const payload = '{\"x\":\"1\",\"y\":\"2\",\"z\":\"3\"}';\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler: () => null, payload: { maxBytes: 10 } } });\n\n const res = await server.inject({ method: 'POST', url: '/', payload, headers: { 'content-length': payload.length } });\n expect(res.statusCode).to.equal(413);\n expect(res.result).to.exist();\n expect(res.result.message).to.equal('Payload content length greater than maximum allowed: 10');\n });\n\n it('errors when payload too big (implicit length)', async () => {\n\n const payload = '{\"x\":\"1\",\"y\":\"2\",\"z\":\"3\"}';\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler: () => null, payload: { maxBytes: 10 } } });\n\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.statusCode).to.equal(413);\n expect(res.result).to.exist();\n expect(res.result.message).to.equal('Payload content length greater than maximum allowed: 10');\n });\n\n it('errors when payload too big (file)', async () => {\n\n const payload = '{\"x\":\"1\",\"y\":\"2\",\"z\":\"3\"}';\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler: () => null, payload: { output: 'file', maxBytes: 10 } } });\n\n const res = await server.inject({ method: 'POST', url: '/', payload, headers: { 'content-length': payload.length } });\n expect(res.statusCode).to.equal(413);\n expect(res.result).to.exist();\n expect(res.result.message).to.equal('Payload content length greater than maximum allowed: 10');\n });\n\n it('errors when payload too big (file implicit length)', async () => {\n\n const payload = '{\"x\":\"1\",\"y\":\"2\",\"z\":\"3\"}';\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler: () => null, payload: { output: 'file', maxBytes: 10 } } });\n\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.statusCode).to.equal(413);\n expect(res.result).to.exist();\n expect(res.result.message).to.equal('Payload content length greater than maximum allowed: 10');\n });\n\n it('errors when payload contains prototype poisoning', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: (request) => request.payload.x });\n\n const payload = '{\"x\":\"1\",\"y\":\"2\",\"z\":\"3\",\"__proto__\":{\"x\":\"4\"}}';\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.statusCode).to.equal(400);\n });\n\n it('ignores when payload contains prototype poisoning', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'POST',\n path: '/',\n options: {\n payload: {\n protoAction: 'ignore'\n },\n handler: (request) => request.payload.__proto__\n }\n });\n\n const payload = '{\"x\":\"1\",\"y\":\"2\",\"z\":\"3\",\"__proto__\":{\"x\":\"4\"}}';\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal({ x: '4' });\n });\n\n it('sanitizes when payload contains prototype poisoning', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'POST',\n path: '/',\n options: {\n payload: {\n protoAction: 'remove'\n },\n handler: (request) => request.payload.__proto__\n }\n });\n\n const payload = '{\"x\":\"1\",\"y\":\"2\",\"z\":\"3\",\"__proto__\":{\"x\":\"4\"}}';\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal({});\n });\n\n it('returns 413 with response when payload is not consumed', async () => {\n\n const payload = Buffer.alloc(10 * 1024 * 1024).toString();\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler: () => null, payload: { maxBytes: 1024 * 1024 } } });\n\n await server.start();\n\n const uri = 'http://localhost:' + server.info.port;\n const err = await expect(Wreck.post(uri, { payload })).to.reject();\n expect(err.data.res.statusCode).to.equal(413);\n expect(err.data.payload.toString()).to.equal('{\"statusCode\":413,\"error\":\"Request Entity Too Large\",\"message\":\"Payload content length greater than maximum allowed: 1048576\"}');\n\n await server.stop();\n });\n\n it('handles expect 100-continue', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: (request) => request.payload });\n\n await server.start();\n\n const client = Net.connect(server.info.port);\n\n await Events.once(client, 'connect');\n\n client.write('POST / HTTP/1.1\\r\\nexpect: 100-continue\\r\\nhost: host\\r\\naccept-encoding: gzip\\r\\n' +\n 'content-type: application/json\\r\\ncontent-length: 14\\r\\nConnection: close\\r\\n\\r\\n');\n\n const lines = [];\n client.setEncoding('ascii');\n for await (const chunk of client) {\n\n if (chunk.startsWith('HTTP/1.1 100 Continue')) {\n client.write('{\"hello\":true}');\n }\n else {\n lines.push(...chunk.split('\\r\\n'));\n }\n }\n\n const res = lines.shift();\n const payload = lines.pop();\n\n expect(res).to.equal('HTTP/1.1 200 OK');\n expect(payload).to.equal('{\"hello\":true}');\n\n await server.stop();\n });\n\n it('does not continue on errors before payload processing', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: (request) => request.payload });\n server.ext('onPreAuth', (request, h) => {\n\n throw new Boom.forbidden();\n });\n\n await server.start();\n\n const client = Net.connect(server.info.port);\n\n await Events.once(client, 'connect');\n\n client.write('POST / HTTP/1.1\\r\\nexpect: 100-continue\\r\\nhost: host\\r\\naccept-encoding: gzip\\r\\n' +\n 'content-type: application/json\\r\\ncontent-length: 14\\r\\nConnection: close\\r\\n\\r\\n');\n\n let continued = false;\n const lines = [];\n client.setEncoding('ascii');\n for await (const chunk of client) {\n\n if (chunk.startsWith('HTTP/1.1 100 Continue')) {\n client.write('{\"hello\":true}');\n continued = true;\n }\n else {\n lines.push(...chunk.split('\\r\\n'));\n }\n }\n\n const res = lines.shift();\n\n expect(res).to.equal('HTTP/1.1 403 Forbidden');\n expect(continued).to.be.false();\n\n await server.stop();\n });\n\n it('handles expect 100-continue on undefined routes', async () => {\n\n const server = Hapi.server();\n await server.start();\n\n const client = Net.connect(server.info.port);\n\n await Events.once(client, 'connect');\n\n client.write('POST / HTTP/1.1\\r\\nexpect: 100-continue\\r\\nhost: host\\r\\naccept-encoding: gzip\\r\\n' +\n 'content-type: application/json\\r\\ncontent-length: 14\\r\\nConnection: close\\r\\n\\r\\n');\n\n let continued = false;\n const lines = [];\n client.setEncoding('ascii');\n for await (const chunk of client) {\n\n if (chunk.startsWith('HTTP/1.1 100 Continue')) {\n client.write('{\"hello\":true}');\n continued = true;\n }\n else {\n lines.push(...chunk.split('\\r\\n'));\n }\n }\n\n const res = lines.shift();\n\n expect(res).to.equal('HTTP/1.1 404 Not Found');\n expect(continued).to.be.false();\n\n await server.stop();\n });\n\n it('does not continue on custom request.payload', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: (request) => request.payload });\n server.ext('onRequest', (request, h) => {\n\n request.payload = { custom: true };\n return h.continue;\n });\n\n await server.start();\n\n const client = Net.connect(server.info.port);\n\n await Events.once(client, 'connect');\n\n client.write('POST / HTTP/1.1\\r\\nexpect: 100-continue\\r\\nhost: host\\r\\naccept-encoding: gzip\\r\\n' +\n 'content-type: application/json\\r\\ncontent-length: 14\\r\\nConnection: close\\r\\n\\r\\n');\n\n let continued = false;\n const lines = [];\n client.setEncoding('ascii');\n for await (const chunk of client) {\n\n if (chunk.startsWith('HTTP/1.1 100 Continue')) {\n client.write('{\"hello\":true}');\n continued = true;\n }\n else {\n lines.push(...chunk.split('\\r\\n'));\n }\n }\n\n const res = lines.shift();\n const payload = lines.pop();\n\n expect(res).to.equal('HTTP/1.1 200 OK');\n expect(payload).to.equal('{\"custom\":true}');\n expect(continued).to.be.false();\n\n await server.stop();\n });\n\n it('peeks at unparsed data', async () => {\n\n let data = null;\n const ext = (request, h) => {\n\n const chunks = [];\n request.events.on('peek', (chunk, encoding) => {\n\n chunks.push(chunk);\n });\n\n request.events.once('finish', () => {\n\n data = Buffer.concat(chunks);\n });\n\n return h.continue;\n };\n\n const server = Hapi.server();\n server.ext('onRequest', ext);\n server.route({ method: 'POST', path: '/', options: { handler: () => data, payload: { parse: false } } });\n\n const payload = '0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789';\n const res = await server.inject({ method: 'POST', url: '/', payload });\n expect(res.result).to.equal(payload);\n });\n\n it('peeks at unparsed data (finish only)', async () => {\n\n let peeked = false;\n const ext = (request, h) => {\n\n request.events.once('finish', () => {\n\n peeked = true;\n });\n\n return h.continue;\n };\n\n const server = Hapi.server();\n server.ext('onRequest', ext);\n server.route({ method: 'POST', path: '/', options: { handler: () => null, payload: { parse: false } } });\n\n const payload = '0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789';\n await server.inject({ method: 'POST', url: '/', payload });\n expect(peeked).to.be.true();\n });\n\n it('handles gzipped payload', async () => {\n\n const message = { 'msg': 'This message is going to be gzipped.' };\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: (request) => request.payload });\n\n const compressed = await new Promise((resolve) => Zlib.gzip(JSON.stringify(message), (ignore, result) => resolve(result)));\n\n const request = {\n method: 'POST',\n url: '/',\n headers: {\n 'content-type': 'application/json',\n 'content-encoding': 'gzip',\n 'content-length': compressed.length\n },\n payload: compressed\n };\n\n const res = await server.inject(request);\n expect(res.result).to.exist();\n expect(res.result).to.equal(message);\n });\n\n it('handles deflated payload', async () => {\n\n const message = { 'msg': 'This message is going to be gzipped.' };\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: (request) => request.payload });\n\n const compressed = await new Promise((resolve) => Zlib.deflate(JSON.stringify(message), (ignore, result) => resolve(result)));\n\n const request = {\n method: 'POST',\n url: '/',\n headers: {\n 'content-type': 'application/json',\n 'content-encoding': 'deflate',\n 'content-length': compressed.length\n },\n payload: compressed\n };\n\n const res = await server.inject(request);\n expect(res.result).to.exist();\n expect(res.result).to.equal(message);\n });\n\n it('handles custom compression', async () => {\n\n const message = { 'msg': 'This message is going to be gzipped.' };\n const server = Hapi.server({ routes: { payload: { compression: { test: { some: 'options' } } } } });\n\n const decoder = (options) => {\n\n expect(options).to.equal({ some: 'options' });\n return Zlib.createGunzip();\n };\n\n server.decoder('test', decoder);\n server.route({ method: 'POST', path: '/', handler: (request) => request.payload });\n\n const compressed = await new Promise((resolve) => Zlib.gzip(JSON.stringify(message), (ignore, result) => resolve(result)));\n\n const request = {\n method: 'POST',\n url: '/',\n headers: {\n 'content-type': 'application/json',\n 'content-encoding': 'test',\n 'content-length': compressed.length\n },\n payload: compressed\n };\n\n const res = await server.inject(request);\n expect(res.result).to.exist();\n expect(res.result).to.equal(message);\n });\n\n it('saves a file after content decoding', async () => {\n\n const path = Path.join(__dirname, './file/image.jpg');\n const sourceContents = Fs.readFileSync(path);\n const stats = Fs.statSync(path);\n\n const handler = (request) => {\n\n const receivedContents = Fs.readFileSync(request.payload.path);\n Fs.unlinkSync(request.payload.path);\n expect(receivedContents).to.equal(sourceContents);\n return request.payload.bytes;\n };\n\n const compressed = await new Promise((resolve) => Zlib.gzip(sourceContents, (ignore, result) => resolve(result)));\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/file', options: { handler, payload: { output: 'file' } } });\n const res = await server.inject({ method: 'POST', url: '/file', payload: compressed, headers: { 'content-encoding': 'gzip' } });\n expect(res.result).to.equal(stats.size);\n });\n\n it('errors saving a file without parse', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/file', options: { handler: Hoek.block, payload: { output: 'file', parse: false, uploads: '/a/b/c/d/not' } } });\n const res = await server.inject({ method: 'POST', url: '/file', payload: 'abcde' });\n expect(res.statusCode).to.equal(500);\n });\n\n it('sets parse mode when route method is * and request is POST', async () => {\n\n const server = Hapi.server();\n server.route({ method: '*', path: '/any', handler: (request) => request.payload.key });\n\n const res = await server.inject({ url: '/any', method: 'POST', payload: { key: '09876' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('09876');\n });\n\n it('returns an error on unsupported mime type', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: (request) => request.payload.key });\n await server.start();\n\n const options = {\n headers: {\n 'Content-Type': 'application/unknown',\n 'Content-Length': '18'\n },\n payload: '{ \"key\": \"value\" }'\n };\n\n const err = await expect(Wreck.post(`http://localhost:${server.info.port}/?x=4`, options)).to.reject();\n expect(err.output.statusCode).to.equal(415);\n await server.stop({ timeout: 1 });\n });\n\n it('ignores unsupported mime type', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler: (request) => request.payload, payload: { failAction: 'ignore' } } });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: 'testing123', headers: { 'content-type': 'application/unknown' } });\n expect(res.statusCode).to.equal(204);\n expect(res.result).to.equal(null);\n });\n\n it('returns 200 on octet mime type', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler: () => 'ok' });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: 'testing123', headers: { 'content-type': 'application/octet-stream' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('ok');\n });\n\n it('returns 200 on text mime type', async () => {\n\n const handler = (request) => {\n\n return request.payload + '+456';\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/text', handler });\n\n const res = await server.inject({ method: 'POST', url: '/text', payload: 'testing123', headers: { 'content-type': 'text/plain' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('testing123+456');\n });\n\n it('returns 200 on override mime type', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/override', options: { handler: (request) => request.payload.key, payload: { override: 'application/json' } } });\n\n const res = await server.inject({ method: 'POST', url: '/override', payload: '{\"key\":\"cool\"}', headers: { 'content-type': 'text/plain' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('cool');\n });\n\n it('returns 200 on text mime type when allowed', async () => {\n\n const handler = (request) => {\n\n return request.payload + '+456';\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/textOnly', options: { handler, payload: { allow: 'text/plain' } } });\n\n const res = await server.inject({ method: 'POST', url: '/textOnly', payload: 'testing123', headers: { 'content-type': 'text/plain' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('testing123+456');\n });\n\n it('returns 415 on non text mime type when disallowed', async () => {\n\n const handler = (request) => {\n\n return request.payload + '+456';\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/textOnly', options: { handler, payload: { allow: 'text/plain' } } });\n\n const res = await server.inject({ method: 'POST', url: '/textOnly', payload: 'testing123', headers: { 'content-type': 'application/octet-stream' } });\n expect(res.statusCode).to.equal(415);\n });\n\n it('returns 200 on text mime type when allowed (array)', async () => {\n\n const handler = (request) => {\n\n return request.payload + '+456';\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/textOnlyArray', options: { handler, payload: { allow: ['text/plain'] } } });\n\n const res = await server.inject({ method: 'POST', url: '/textOnlyArray', payload: 'testing123', headers: { 'content-type': 'text/plain' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('testing123+456');\n });\n\n it('returns 415 on non text mime type when disallowed (array)', async () => {\n\n const handler = (request) => {\n\n return request.payload + '+456';\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/textOnlyArray', options: { handler, payload: { allow: ['text/plain'] } } });\n\n const res = await server.inject({ method: 'POST', url: '/textOnlyArray', payload: 'testing123', headers: { 'content-type': 'application/octet-stream' } });\n expect(res.statusCode).to.equal(415);\n });\n\n it('returns parsed multipart data (route)', async () => {\n\n const multipartPayload =\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'First\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'Second\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'Third\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"field1\"\\r\\n' +\n '\\r\\n' +\n 'Joe Blow\\r\\nalmost tricked you!\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"field1\"\\r\\n' +\n '\\r\\n' +\n 'Repeated name segment\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"pics\"; filename=\"file1.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n '... contents of file1.txt ...\\r\\r\\n' +\n '--AaB03x--\\r\\n';\n\n const handler = (request) => {\n\n const result = {};\n const keys = Object.keys(request.payload);\n for (let i = 0; i < keys.length; ++i) {\n const key = keys[i];\n const value = request.payload[key];\n result[key] = value._readableState ? true : value;\n }\n\n return result;\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/echo', handler, options: { payload: { multipart: true } } });\n\n const res = await server.inject({ method: 'POST', url: '/echo', payload: multipartPayload, headers: { 'content-type': 'multipart/form-data; boundary=AaB03x' } });\n expect(Object.keys(res.result).length).to.equal(3);\n expect(res.result.field1).to.exist();\n expect(res.result.field1.length).to.equal(2);\n expect(res.result.field1[1]).to.equal('Repeated name segment');\n expect(res.result.pics).to.exist();\n });\n\n it('returns parsed multipart data (server)', async () => {\n\n const multipartPayload =\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'First\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'Second\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'Third\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"field1\"\\r\\n' +\n '\\r\\n' +\n 'Joe Blow\\r\\nalmost tricked you!\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"field1\"\\r\\n' +\n '\\r\\n' +\n 'Repeated name segment\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"pics\"; filename=\"file1.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n '... contents of file1.txt ...\\r\\r\\n' +\n '--AaB03x--\\r\\n';\n\n const handler = (request) => {\n\n const result = {};\n const keys = Object.keys(request.payload);\n for (let i = 0; i < keys.length; ++i) {\n const key = keys[i];\n const value = request.payload[key];\n result[key] = value._readableState ? true : value;\n }\n\n return result;\n };\n\n const server = Hapi.server({ routes: { payload: { multipart: true } } });\n server.route({ method: 'POST', path: '/echo', handler });\n\n const res = await server.inject({ method: 'POST', url: '/echo', payload: multipartPayload, headers: { 'content-type': 'multipart/form-data; boundary=AaB03x' } });\n expect(Object.keys(res.result).length).to.equal(3);\n expect(res.result.field1).to.exist();\n expect(res.result.field1.length).to.equal(2);\n expect(res.result.field1[1]).to.equal('Repeated name segment');\n expect(res.result.pics).to.exist();\n });\n\n it('places default limit on max parts in multipart payloads', async () => {\n\n const part = '--AaB03x\\r\\n' + 'content-disposition: form-data; name=\"x\"\\r\\n\\r\\n' + 'x\\r\\n';\n const multipartPayload = part.repeat(1001) + '--AaB03x--\\r\\n';\n\n const server = Hapi.server({ routes: { payload: { multipart: true } } });\n server.route({ method: 'POST', path: '/', handler: () => null });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: multipartPayload, headers: { 'content-type': 'multipart/form-data; boundary=AaB03x' } });\n expect(res.statusCode).to.equal(400);\n expect(res.result.message).to.equal('Invalid multipart payload format');\n });\n\n it('signals connection close when payload is unconsumed', async () => {\n\n const payload = Buffer.alloc(1024);\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', options: { handler: () => 'ok', payload: { maxBytes: 1024, output: 'stream', parse: false } } });\n\n const res = await server.inject({ method: 'POST', url: '/', payload, headers: { 'content-type': 'application/octet-stream' } });\n expect(res.statusCode).to.equal(200);\n expect(res.headers).to.include({ connection: 'close' });\n expect(res.result).to.equal('ok');\n });\n\n it('times out when client request taking too long', async () => {\n\n const server = Hapi.server({ routes: { payload: { timeout: 50 } } });\n server.route({ method: 'POST', path: '/', handler: () => null });\n await server.start();\n\n const request = () => {\n\n const options = {\n hostname: '127.0.0.1',\n port: server.info.port,\n path: '/',\n method: 'POST'\n };\n\n const req = Http.request(options);\n req.on('error', Hoek.ignore);\n req.write('{}\\n');\n setTimeout(() => req.end(), 100);\n return new Promise((resolve) => req.once('response', resolve));\n };\n\n const timer = new Hoek.Bench();\n const res = await request();\n expect(res.statusCode).to.equal(408);\n expect(timer.elapsed()).to.be.at.least(50);\n\n await server.stop({ timeout: 1 });\n });\n\n it('times out when client request taking too long (route override)', async () => {\n\n const server = Hapi.server({ routes: { payload: { timeout: false } } });\n server.route({ method: 'POST', path: '/', options: { payload: { timeout: 50 }, handler: () => null } });\n await server.start();\n\n const request = () => {\n\n const options = {\n hostname: '127.0.0.1',\n port: server.info.port,\n path: '/',\n method: 'POST'\n };\n\n const req = Http.request(options);\n req.on('error', Hoek.ignore);\n req.write('{}\\n');\n setTimeout(() => req.end(), 100);\n return new Promise((resolve) => req.once('response', resolve));\n };\n\n const timer = new Hoek.Bench();\n const res = await request();\n expect(res.statusCode).to.equal(408);\n expect(timer.elapsed()).to.be.at.least(50);\n\n await server.stop({ timeout: 1 });\n });\n\n it('returns payload when timeout is not triggered', async () => {\n\n const server = Hapi.server({ routes: { payload: { timeout: 50 } } });\n server.route({ method: 'POST', path: '/', handler: () => 'fast' });\n await server.start();\n const { res } = await Wreck.post(`http://localhost:${server.info.port}/`);\n expect(res.statusCode).to.equal(200);\n await server.stop({ timeout: 1 });\n });\n\n it('errors if multipart payload exceeds byte limit', async () => {\n\n const multipartPayload =\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'First\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'Second\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'Third\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"field1\"\\r\\n' +\n '\\r\\n' +\n 'Joe Blow\\r\\nalmost tricked you!\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"field1\"\\r\\n' +\n '\\r\\n' +\n 'Repeated name segment\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"pics\"; filename=\"file1.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n '... contents of file1.txt ...\\r\\r\\n' +\n '--AaB03x--\\r\\n';\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/echo', options: { handler: () => 'result', payload: { output: 'data', parse: true, maxBytes: 5, multipart: true } } });\n\n const res = await server.inject({ method: 'POST', url: '/echo', payload: multipartPayload, simulate: { split: true }, headers: { 'content-length': null, 'content-type': 'multipart/form-data; boundary=AaB03x' } });\n expect(res.statusCode).to.equal(400);\n expect(res.payload.toString()).to.equal('{\"statusCode\":400,\"error\":\"Bad Request\",\"message\":\"Invalid multipart payload format\"}');\n });\n\n it('errors if multipart disabled (default)', async () => {\n\n const multipartPayload =\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'First\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'Second\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"x\"\\r\\n' +\n '\\r\\n' +\n 'Third\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"field1\"\\r\\n' +\n '\\r\\n' +\n 'Joe Blow\\r\\nalmost tricked you!\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"field1\"\\r\\n' +\n '\\r\\n' +\n 'Repeated name segment\\r\\n' +\n '--AaB03x\\r\\n' +\n 'content-disposition: form-data; name=\"pics\"; filename=\"file1.txt\"\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n '... contents of file1.txt ...\\r\\r\\n' +\n '--AaB03x--\\r\\n';\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/echo', options: { handler: () => 'result', payload: { output: 'data', parse: true, maxBytes: 5 } } });\n\n const res = await server.inject({ method: 'POST', url: '/echo', payload: multipartPayload, simulate: { split: true }, headers: { 'content-length': null, 'content-type': 'multipart/form-data; boundary=AaB03x' } });\n expect(res.statusCode).to.equal(415);\n });\n});\n" }, { "path": "test/request.js", "content": "'use strict';\n\nconst Http = require('http');\nconst Net = require('net');\nconst Stream = require('stream');\nconst Url = require('url');\nconst Events = require('events');\n\nconst Boom = require('@hapi/boom');\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Hoek = require('@hapi/hoek');\nconst Joi = require('joi');\nconst Lab = require('@hapi/lab');\nconst Teamwork = require('@hapi/teamwork');\nconst Wreck = require('@hapi/wreck');\n\nconst Common = require('./common');\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('Request.Generator', () => {\n\n it('decorates request multiple times', async () => {\n\n const server = Hapi.server();\n\n server.decorate('request', 'x2', () => 2);\n server.decorate('request', 'abc', () => 1);\n\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => {\n\n return request.x2() + request.abc();\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal(3);\n });\n\n it('decorates request with non function method', async () => {\n\n const server = Hapi.server();\n const symbol = Symbol('abc');\n\n server.decorate('request', 'x2', 2);\n server.decorate('request', symbol, 1);\n\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => {\n\n return request.x2 + request[symbol];\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal(3);\n });\n\n it('does not share decorations between servers via prototypes', async () => {\n\n const server1 = Hapi.server();\n const server2 = Hapi.server();\n const route = {\n method: 'GET',\n path: '/',\n handler: (request) => {\n\n return Object.keys(Object.getPrototypeOf(request));\n }\n };\n let res;\n\n server1.decorate('request', 'x1', 1);\n server2.decorate('request', 'x2', 2);\n\n server1.route(route);\n server2.route(route);\n\n res = await server1.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal(['x1']);\n\n res = await server2.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal(['x2']);\n });\n\n it('decorates symbols when apply=true', async () => {\n\n const server = Hapi.server();\n const symbol = Symbol('abc');\n\n server.decorate('request', symbol, () => 'foo', { apply: true });\n\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => {\n\n return request[symbol];\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('foo');\n\n });\n});\n\ndescribe('Request', () => {\n\n it('sets host and hostname', async () => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n return [request.info.host, request.info.hostname].join('|');\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res1 = await server.inject({ url: '/', headers: { host: 'host' } });\n expect(res1.payload).to.equal('host|host');\n\n const res2 = await server.inject({ url: '/', headers: { host: 'host:123' } });\n expect(res2.payload).to.equal('host:123|host');\n\n const res3 = await server.inject({ url: '/', headers: { host: '127.0.0.1' } });\n expect(res3.payload).to.equal('127.0.0.1|127.0.0.1');\n\n const res4 = await server.inject({ url: '/', headers: { host: '127.0.0.1:123' } });\n expect(res4.payload).to.equal('127.0.0.1:123|127.0.0.1');\n\n const res5 = await server.inject({ url: '/', headers: { host: '[::1]' } });\n expect(res5.payload).to.equal('[::1]|[::1]');\n\n const res6 = await server.inject({ url: '/', headers: { host: '[::1]:123' } });\n expect(res6.payload).to.equal('[::1]:123|[::1]');\n });\n\n it('sets client address (default)', async (flags) => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n // Call twice to reuse cached values\n\n if (Common.hasIPv6) {\n // 127.0.0.1 on node v14 and v16, ::1 on node v18 since DNS resolved to IPv6.\n expect(request.info.remoteAddress).to.match(/^127\\.0\\.0\\.1|::1$/);\n expect(request.info.remoteAddress).to.match(/^127\\.0\\.0\\.1|::1$/);\n }\n else {\n expect(request.info.remoteAddress).to.equal('127.0.0.1');\n expect(request.info.remoteAddress).to.equal('127.0.0.1');\n }\n\n expect(request.info.remotePort).to.be.above(0);\n expect(request.info.remotePort).to.be.above(0);\n\n return 'ok';\n };\n\n server.route({ method: 'get', path: '/', handler });\n\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const { payload } = await Wreck.get('http://localhost:' + server.info.port);\n expect(payload.toString()).to.equal('ok');\n });\n\n it('sets client address (ipv4)', async (flags) => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n Object.defineProperty(request.raw.req.socket, 'remoteAddress', {\n value: '100.100.100.100'\n });\n\n return request.info.remoteAddress;\n };\n\n server.route({ method: 'get', path: '/', handler });\n\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const { payload } = await Wreck.get('http://localhost:' + server.info.port);\n expect(payload.toString()).to.equal('100.100.100.100');\n });\n\n it('sets client address (ipv6)', async (flags) => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n Object.defineProperty(request.raw.req.socket, 'remoteAddress', {\n value: '::ffff:0:0:0:0:1'\n });\n\n return request.info.remoteAddress;\n };\n\n server.route({ method: 'get', path: '/', handler });\n\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const { payload } = await Wreck.get('http://localhost:' + server.info.port);\n expect(payload.toString()).to.equal('::ffff:0:0:0:0:1');\n });\n\n it('sets client address (ipv4-mapped ipv6)', async (flags) => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n Object.defineProperty(request.raw.req.socket, 'remoteAddress', {\n value: '::ffff:100.100.100.100'\n });\n\n return request.info.remoteAddress;\n };\n\n server.route({ method: 'get', path: '/', handler });\n\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const { payload } = await Wreck.get('http://localhost:' + server.info.port);\n expect(payload.toString()).to.equal('100.100.100.100');\n });\n\n it('sets client address to nothing when not available', async (flags) => {\n\n const server = Hapi.server();\n const abortedReqTeam = new Teamwork.Team();\n let remoteAddr = 'not executed';\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: async (request, h) => {\n\n req.destroy();\n\n while (request.active()) {\n await Hoek.wait(5);\n }\n\n abortedReqTeam.attend();\n\n remoteAddr = request.info.remoteAddress;\n return null;\n }\n }\n });\n\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const req = Http.get(server.info.uri, Hoek.ignore);\n req.on('error', Hoek.ignore);\n\n await abortedReqTeam.work;\n\n expect(remoteAddr).to.equal(undefined);\n });\n\n it('sets port to nothing when not available', async () => {\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler: (request) => request.info.remotePort === '' });\n const res = await server.inject('/');\n expect(res.result).to.equal(true);\n });\n\n it('sets referrer', async () => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n expect(request.info.referrer).to.equal('http://site.com');\n return 'ok';\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { referrer: 'http://site.com' } });\n expect(res.result).to.equal('ok');\n });\n\n it('sets referer', async () => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n expect(request.info.referrer).to.equal('http://site.com');\n return 'ok';\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { referer: 'http://site.com' } });\n expect(res.result).to.equal('ok');\n });\n\n it('sets acceptEncoding', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.info.acceptEncoding });\n\n const res = await server.inject({ url: '/', headers: { 'accept-encoding': 'gzip' } });\n expect(res.result).to.equal('gzip');\n });\n\n it('handles invalid accept encoding header', async () => {\n\n const server = Hapi.server({ routes: { log: { collect: true } } });\n\n const handler = (request) => {\n\n expect(request.logs[0].error.header).to.equal('a;b');\n return request.info.acceptEncoding;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { 'accept-encoding': 'a;b' } });\n expect(res.result).to.equal('identity');\n });\n\n it('sets headers', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.headers['user-agent'] });\n\n const res = await server.inject('/');\n expect(res.payload).to.equal('shot');\n });\n\n it('sets host info from :authority header when host header is absent', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => `${request.info.host}|${request.info.hostname}` });\n\n const res = await server.inject({ url: '/', headers: { host: '', ':authority': 'example.com:8080' } });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('example.com:8080|example.com');\n });\n\n it('generates unique request id', async () => {\n\n const server = Hapi.server();\n server._core.requestCounter = { value: 10, min: 10, max: 11 };\n server.route({ method: 'GET', path: '/', handler: (request) => request.info.id });\n\n const res1 = await server.inject('/');\n expect(res1.result).to.match(/10$/);\n\n const res2 = await server.inject('/');\n expect(res2.result).to.match(/11$/);\n\n const res3 = await server.inject('/');\n expect(res3.result).to.match(/10$/);\n });\n\n it('can serialize request.info with JSON.stringify()', async () => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n const actual = JSON.stringify(request.info);\n const expected = JSON.stringify({\n acceptEncoding: request.info.acceptEncoding,\n completed: request.info.completed,\n cors: request.info.cors,\n host: request.info.host,\n hostname: request.info.hostname,\n id: request.info.id,\n received: request.info.received,\n referrer: request.info.referrer,\n remoteAddress: request.info.remoteAddress,\n remotePort: request.info.remotePort,\n responded: request.info.responded\n });\n\n expect(actual).to.equal(expected);\n return 'ok';\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/' });\n expect(res.result).to.equal('ok');\n });\n\n describe('active()', () => {\n\n it('exits handler early when request is no longer active', { retry: true }, async (flags) => {\n\n let testComplete = false;\n\n const onCleanup = [];\n flags.onCleanup = async () => {\n\n testComplete = true;\n\n for (const cleanup of onCleanup) {\n await cleanup();\n }\n };\n\n const server = Hapi.server();\n const leaveHandlerTeam = new Teamwork.Team();\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: async (request, h) => {\n\n req.destroy();\n\n while (request.active() && !testComplete) {\n await Hoek.wait(10);\n }\n\n leaveHandlerTeam.attend({\n active: request.active(),\n testComplete\n });\n\n return null;\n }\n }\n });\n\n await server.start();\n onCleanup.unshift(() => server.stop());\n\n const req = Http.get(server.info.uri, Hoek.ignore);\n req.on('error', Hoek.ignore);\n\n const note = await leaveHandlerTeam.work;\n\n expect(note).to.equal({\n active: false,\n testComplete: false\n });\n });\n });\n\n describe('_execute()', () => {\n\n it('returns 400 on invalid path', async () => {\n\n const server = Hapi.server();\n\n server.ext('onRequest', (request, h) => {\n\n expect(request.url).to.be.null();\n expect(request.query).to.equal({});\n expect(request.path).to.equal('invalid');\n return h.continue;\n });\n\n const res = await server.inject('invalid');\n expect(res.statusCode).to.equal(400);\n expect(res.result.message).to.startWith('Invalid URL');\n });\n\n it('returns boom response on ext error', async () => {\n\n const server = Hapi.server();\n\n const ext = (request) => {\n\n throw Boom.badRequest();\n };\n\n server.ext('onPostHandler', ext);\n server.route({ method: 'GET', path: '/', handler: () => 'OK' });\n\n const res = await server.inject('/');\n expect(res.result.statusCode).to.equal(400);\n });\n\n it('returns error response on ext error', async () => {\n\n const server = Hapi.server();\n\n const ext = (request) => {\n\n throw new Error('oops');\n };\n\n server.ext('onPostHandler', ext);\n server.route({ method: 'GET', path: '/', handler: () => 'OK' });\n\n const res = await server.inject('/');\n expect(res.result.statusCode).to.equal(500);\n });\n\n it('returns error response on ext timeout', async () => {\n\n const server = Hapi.server();\n\n const responded = server.ext('onPostResponse');\n const ext = (request) => {\n\n return Hoek.block();\n };\n\n server.ext('onPostHandler', ext, { timeout: 100 });\n server.route({ method: 'GET', path: '/', handler: () => 'OK' });\n\n const res = await server.inject('/');\n expect(res.result.statusCode).to.equal(500);\n\n const request = await responded;\n expect(request.response._error).to.be.an.error('onPostHandler timed out');\n });\n\n it('logs error responses on onPostResponse ext error', async () => {\n\n const server = Hapi.server();\n\n const ext1 = () => {\n\n throw new Error('oops1');\n };\n\n server.ext('onPostResponse', ext1);\n\n const ext2 = () => {\n\n throw new Error('oops2');\n };\n\n server.ext('onPostResponse', ext2);\n\n server.route({ method: 'GET', path: '/', handler: () => 'OK' });\n\n const log = server.events.few({ name: 'request', channels: 'internal', filter: 'ext', count: 2 });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n\n const [[, event1], [, event2]] = await log;\n expect(event1.error).to.be.an.error('oops1');\n expect(event2.error).to.be.an.error('oops2');\n });\n\n it('handles aborted requests (during response)', async () => {\n\n const handler = (request) => {\n\n const TestStream = class extends Stream.Readable {\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n\n this.push('success');\n this.emit('data', 'success');\n }\n };\n\n const stream = new TestStream();\n return stream;\n };\n\n const server = Hapi.server({ info: { remote: true } });\n server.route({ method: 'GET', path: '/', handler });\n\n let disconnected = 0;\n let info;\n const onRequest = (request, h) => {\n\n request.events.once('disconnect', () => {\n\n info = request.info;\n ++disconnected;\n });\n\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n await server.start();\n\n let total = 2;\n const createConnection = function () {\n\n const client = Net.connect(server.info.port, () => {\n\n client.write('GET / HTTP/1.1\\r\\nHost: host\\r\\n\\r\\n');\n client.write('GET / HTTP/1.1\\r\\nHost: host\\r\\n\\r\\n');\n });\n\n client.on('data', () => {\n\n --total;\n client.destroy();\n });\n };\n\n await new Promise((resolve) => {\n\n const check = function () {\n\n if (total) {\n createConnection();\n setTimeout(check, 100);\n }\n else {\n expect(disconnected).to.equal(4); // Each connection sends two HTTP requests\n resolve();\n }\n };\n\n check();\n });\n\n await server.stop();\n expect(info.remotePort).to.exist();\n expect(info.remoteAddress).to.exist();\n });\n\n it('handles aborted requests (before response)', { retry: true }, async (flags) => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/test',\n handler: () => null\n });\n\n const codes = [];\n server.ext('onPostResponse', (request) => codes.push(Boom.isBoom(request.response) ? request.response.output.statusCode : request.response.statusCode));\n\n const team = new Teamwork.Team();\n const onRequest = (request, h) => {\n\n request.events.once('disconnect', () => team.attend());\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n let firstRequest = true;\n const onPreHandler = async (request, h) => {\n\n if (firstRequest) {\n client.destroy();\n firstRequest = false;\n }\n else {\n // To avoid timing differences between node versions, ensure that\n // the second and third requests always experience the disconnect\n await team.work;\n }\n\n return h.continue;\n };\n\n server.ext('onPreHandler', onPreHandler);\n\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const client = Net.connect(server.info.port, () => {\n\n client.write('GET /test HTTP/1.1\\r\\nHost: host\\r\\n\\r\\n');\n client.write('GET /test HTTP/1.1\\r\\nHost: host\\r\\n\\r\\n');\n client.write('GET /test HTTP/1.1\\r\\nHost: host\\r\\n\\r\\n');\n });\n\n await team.work;\n await server.stop();\n\n expect(codes).to.equal([204, 499, 499]);\n });\n\n it('returns empty params array when none present', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.params });\n\n const res = await server.inject('/');\n expect(res.result).to.equal({});\n });\n\n it('returns empty params array when none present (not found)', async () => {\n\n const server = Hapi.server();\n const preResponse = (request) => {\n\n return request.params;\n };\n\n server.ext('onPreResponse', preResponse);\n\n const res = await server.inject('/');\n expect(res.result).to.equal({});\n });\n\n it('does not fail on abort', async () => {\n\n const server = Hapi.server();\n const team = new Teamwork.Team();\n\n const handler = async (request) => {\n\n clientRequest.destroy();\n await Hoek.wait(10);\n team.attend();\n throw new Error('fail');\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n await server.start();\n\n const clientRequest = Http.request({\n hostname: 'localhost',\n port: server.info.port,\n method: 'GET'\n });\n\n clientRequest.on('error', Hoek.ignore);\n clientRequest.end();\n\n await team.work;\n await server.stop();\n });\n\n it('does not fail on abort (onPreHandler)', async () => {\n\n const server = Hapi.server();\n const team = new Teamwork.Team();\n\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const preHandler = async (request, h) => {\n\n clientRequest.destroy();\n await Hoek.wait(10);\n team.attend();\n return h.continue;\n };\n\n server.ext('onPreHandler', preHandler);\n\n await server.start();\n\n const clientRequest = Http.request({\n hostname: 'localhost',\n port: server.info.port,\n method: 'GET'\n });\n\n clientRequest.on('error', Hoek.ignore);\n clientRequest.end();\n\n await team.work;\n await server.stop();\n });\n\n it('does not fail on abort with ext', async () => {\n\n const handler = async (request) => {\n\n clientRequest.destroy();\n await Hoek.wait(10);\n throw new Error('boom');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const preResponse = (request, h) => {\n\n return h.continue;\n };\n\n server.ext('onPreResponse', preResponse);\n\n const log = server.events.once('response');\n\n await server.start();\n\n const clientRequest = Http.request({\n hostname: 'localhost',\n port: server.info.port,\n method: 'GET'\n });\n\n clientRequest.on('error', Hoek.ignore);\n clientRequest.end();\n\n await log;\n await server.stop();\n });\n\n it('returns not found on internal only route (external)', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/some/route',\n options: {\n isInternal: true,\n handler: () => 'ok'\n }\n });\n\n await server.start();\n const err = await expect(Wreck.get('http://localhost:' + server.info.port)).to.reject();\n expect(err.data.res.statusCode).to.equal(404);\n expect(err.data.payload.toString()).to.equal('{\"statusCode\":404,\"error\":\"Not Found\",\"message\":\"Not Found\"}');\n await server.stop();\n });\n\n it('returns not found on internal only route (inject)', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/some/route',\n options: {\n isInternal: true,\n handler: () => 'ok'\n }\n });\n\n const res = await server.inject('/some/route');\n expect(res.statusCode).to.equal(404);\n });\n\n it('allows internal only route (inject with allowInternals)', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/some/route',\n options: {\n isInternal: true,\n handler: () => 'ok'\n }\n });\n\n const res = await server.inject({ url: '/some/route', allowInternals: true });\n expect(res.statusCode).to.equal(200);\n });\n\n it('allows internal only route (inject with allowInternals and authority)', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/some/route',\n options: {\n isInternal: true,\n handler: () => 'ok'\n }\n });\n\n const res = await server.inject({ url: '/some/route', allowInternals: true, authority: 'server:8000' });\n expect(res.statusCode).to.equal(200);\n });\n\n it('creates arrays from multiple entries', async () => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n return { a: request.query.a, array: Array.isArray(request.query.a), instance: request.query.a instanceof Array };\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/?a=1&a=2');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal({ a: ['1', '2'], array: true, instance: true });\n });\n\n it('supports custom query parser (new object)', async () => {\n\n const parser = (query) => {\n\n return { hello: query.hi };\n };\n\n const server = Hapi.server({ query: { parser } });\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => request.query.hello\n }\n });\n\n const res = await server.inject('/?hi=hola');\n expect(res.statusCode).to.equal(200);\n expect(res.payload).to.equal('hola');\n });\n\n it('supports custom query parser (same object)', async () => {\n\n const parser = (query) => {\n\n query.hello = query.hi;\n return query;\n };\n\n const server = Hapi.server({ query: { parser } });\n\n server.route({\n method: 'GET', path: '/', options: {\n handler: (request) => request.query.hello\n }\n });\n\n const res = await server.inject('/?hi=hola');\n expect(res.statusCode).to.equal(200);\n expect(res.payload).to.equal('hola');\n });\n\n it('returns 500 when custom query parser returns non-object', async () => {\n\n const server = Hapi.server({ debug: false, query: { parser: () => 'something' } });\n\n server.route({\n method: 'GET', path: '/', options: {\n handler: (request) => request.query.hello\n }\n });\n\n const res = await server.inject('/?hi=hola');\n expect(res.statusCode).to.equal(500);\n expect(res.request.response._error).to.be.an.error('Parsed query must be an object');\n });\n\n it('returns 500 when custom query parser returns null', async () => {\n\n const server = Hapi.server({ debug: false, query: { parser: () => null } });\n\n server.route({\n method: 'GET', path: '/', options: {\n handler: (request) => request.query.hello\n }\n });\n\n const res = await server.inject('/?hi=hola');\n expect(res.statusCode).to.equal(500);\n expect(res.request.response._error).to.be.an.error('Parsed query must be an object');\n });\n });\n\n describe('_onRequest()', () => {\n\n it('errors on non-takeover response', async () => {\n\n const server = Hapi.server({ debug: false });\n server.ext('onRequest', () => 'something');\n server.route({ method: 'GET', path: '/', handler: () => null });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('_lifecycle()', () => {\n\n it('errors on non-takeover response in pre handler ext', async () => {\n\n const server = Hapi.server({ debug: false });\n server.ext('onPreHandler', () => 'something');\n server.route({ method: 'GET', path: '/', handler: () => null });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('logs thrown errors as boom errors', async () => {\n\n const server = Hapi.server({ debug: false });\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: function () {\n\n // eslint-disable-next-line no-undef\n NOT_DEFINED_VAR;\n }\n }\n });\n\n const log = new Promise((resolve) => {\n\n server.events.on({ name: 'request', channels: 'internal' }, (request, event, tags) => {\n\n if (tags.handler &&\n tags.error) {\n\n resolve({ event, tags });\n }\n });\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n\n const { event } = await log;\n expect(event.error.isBoom).to.equal(true);\n expect(event.error.output.statusCode).to.equal(500);\n expect(event.error.stack).to.exist();\n });\n });\n\n describe('_postCycle()', () => {\n\n it('skips onPreResponse when validation terminates request', { retry: true }, async (flags) => {\n\n const server = Hapi.server();\n const abortedReqTeam = new Teamwork.Team();\n\n let called = false;\n server.ext('onPreResponse', (request, h) => {\n\n called = true;\n return h.continue;\n });\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: (request) => {\n\n // Stash raw so that we can access it on response validation\n Object.assign(request.app, request.raw);\n\n return null;\n },\n response: {\n status: {\n 200: async (_, { context }) => {\n\n req.destroy();\n\n const raw = context.app.request;\n await Events.once(raw.req, 'aborted');\n\n abortedReqTeam.attend();\n }\n }\n }\n }\n });\n\n await server.start();\n flags.onCleanup = () => server.stop();\n\n const req = Http.get(server.info.uri, Hoek.ignore);\n req.on('error', Hoek.ignore);\n\n await abortedReqTeam.work;\n\n await server.events.once('response');\n\n expect(called).to.be.false();\n });\n\n it('handles continue signal', async () => {\n\n const server = Hapi.server({ debug: false });\n server.route({\n method: 'GET',\n path: '/',\n options: {\n handler: () => ({ a: '1' }),\n validate: {\n validator: Joi\n },\n response: {\n failAction: (request, h) => h.continue,\n schema: {\n b: Joi.string()\n }\n }\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n });\n });\n\n describe('_reply()', () => {\n\n it('returns a reply with auto end in onPreResponse', async () => {\n\n const server = Hapi.server();\n server.ext('onPreResponse', (request, h) => h.close);\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('');\n });\n });\n\n describe('_finalize()', () => {\n\n it('generate response event', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n const log = server.events.once('response');\n await server.inject('/');\n const [request] = await log;\n expect(request.info.responded).to.be.min(request.info.received);\n expect(request.info.completed).to.be.min(request.info.responded);\n expect(request.response.source).to.equal('ok');\n expect(request.response.statusCode).to.equal(200);\n });\n\n it('skips logging error when not the result of a thrown error', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response().code(500) });\n\n let called = false;\n server.events.once('request', () => {\n\n called = true;\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n expect(res.request.response._error).to.not.exist();\n expect(called).to.be.false();\n });\n\n it('destroys response after server timeout', async () => {\n\n const team = new Teamwork.Team();\n const handler = async (request) => {\n\n await Hoek.wait(100);\n\n const stream = new Stream.Readable();\n stream._read = function (size) {\n\n this.push('value');\n this.push(null);\n };\n\n stream._destroy = () => team.attend();\n return stream;\n };\n\n const server = Hapi.server({ routes: { timeout: { server: 50 } } });\n server.route({\n method: 'GET',\n path: '/',\n handler\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(503);\n await team.work;\n });\n\n it('does not attempt to close error response after server timeout', async () => {\n\n const handler = async (request) => {\n\n await Hoek.wait(40);\n throw new Error('after');\n };\n\n const server = Hapi.server({ routes: { timeout: { server: 20 } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(503);\n });\n\n it('emits request-error once', async () => {\n\n const server = Hapi.server({ debug: false, routes: { log: { collect: true } } });\n\n let errs = 0;\n let req = null;\n server.events.on({ name: 'request', channels: 'error' }, (request, { error }) => {\n\n errs++;\n expect(error).to.exist();\n expect(error.message).to.equal('boom2');\n req = request;\n });\n\n const preResponse = (request) => {\n\n throw new Error('boom2');\n };\n\n server.ext('onPreResponse', preResponse);\n\n const handler = (request) => {\n\n throw new Error('boom1');\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const log = server.events.once('response');\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n expect(res.result).to.exist();\n expect(res.result.message).to.equal('An internal server error occurred');\n\n await log;\n expect(errs).to.equal(1);\n expect(req.logs[1].tags).to.equal(['internal', 'error']);\n });\n\n it('does not emit request-error when error is replaced with valid response', async () => {\n\n const server = Hapi.server({ debug: false });\n\n let errs = 0;\n server.events.on({ name: 'request', channels: 'error' }, (request, event) => {\n\n errs++;\n });\n\n server.ext('onPreResponse', () => 'ok');\n\n const handler = (request) => {\n\n throw new Error('boom1');\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const log = server.events.once('response');\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('ok');\n\n await log;\n expect(errs).to.equal(0);\n });\n });\n\n describe('setMethod()', () => {\n\n it('changes method with a lowercase version of the value passed in', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const onRequest = (request, h) => {\n\n request.setMethod('POST');\n return h.response(request.method).takeover();\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.payload).to.equal('post');\n });\n\n it('errors on missing method', async () => {\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler: () => null });\n server.ext('onRequest', (request) => request.setMethod());\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('errors on invalid method type', async () => {\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler: () => null });\n server.ext('onRequest', (request) => request.setMethod(42));\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('setUrl()', () => {\n\n it('sets url, path, and query', async () => {\n\n const url = 'http://localhost/page?param1=something';\n const server = Hapi.server();\n\n const handler = (request) => {\n\n return [request.url.href, request.path, request.query.param1].join('|');\n };\n\n server.route({ method: 'GET', path: '/page', handler });\n\n const onRequest = (request, h) => {\n\n request.setUrl(url);\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.payload).to.equal(url + '|/page|something');\n });\n\n it('sets root url', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: (request) => request.url.pathname });\n\n const onRequest = (request, h) => {\n\n request.setUrl('/');\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/a/b/c');\n expect(res.result).to.equal('/');\n });\n\n it('updates host info', async () => {\n\n const url = 'http://redirected:321/';\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const onRequest = (request, h) => {\n\n const initialHost = request.info.host;\n\n request.setUrl(url);\n return h.response([request.url.href, request.path, initialHost, request.info.host, request.info.hostname].join('|')).takeover();\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject({ url: '/', headers: { host: 'initial:123' } });\n expect(res.payload).to.equal(url + '|/|initial:123|redirected:321|redirected');\n });\n\n it('updates host info when set without port number', async () => {\n\n const url = 'http://redirected/';\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const onRequest = (request, h) => {\n\n const initialHost = request.info.host;\n\n request.setUrl(url);\n return h.response([request.url.href, request.path, initialHost, request.info.host, request.info.hostname].join('|')).takeover();\n };\n\n server.ext('onRequest', onRequest);\n\n const res1 = await server.inject({ url: '/', headers: { host: 'initial:123' } });\n const res2 = await server.inject({ url: '/', headers: { host: 'initial' } });\n expect(res1.payload).to.equal(url + '|/|initial:123|redirected|redirected');\n expect(res2.payload).to.equal(url + '|/|initial|redirected|redirected');\n });\n\n it('overrides query string content', async () => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n return [request.url.href, request.path, request.query.a].join('|');\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const onRequest = (request, h) => {\n\n const uri = request.raw.req.url;\n const parsed = new Url.URL(uri, 'http://test/');\n parsed.searchParams.set('a', 2);\n request.setUrl(parsed);\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/?a=1');\n expect(res.payload).to.equal('http://test/?a=2|/|2');\n });\n\n it('normalizes a path', async () => {\n\n const rawPath = '/%0%1%2%3%4%5%6%7%8%9%a%b%c%d%e%f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f%20%21%22%23%24%25%26%27%28%29%2a%2b%2c%2d%2e%2f%30%31%32%33%34%35%36%37%38%39%3a%3b%3c%3d%3e%3f%40%41%42%43%44%45%46%47%48%49%4a%4b%4c%4d%4e%4f%50%51%52%53%54%55%56%57%58%59%5a%5b%5c%5d%5e%5f%60%61%62%63%64%65%66%67%68%69%6a%6b%6c%6d%6e%6f%70%71%72%73%74%75%76%77%78%79%7a%7b%7c%7d%7e%7f%80%81%82%83%84%85%86%87%88%89%8a%8b%8c%8d%8e%8f%90%91%92%93%94%95%96%97%98%99%9a%9b%9c%9d%9e%9f%a0%a1%a2%a3%a4%a5%a6%a7%a8%a9%aa%ab%ac%ad%ae%af%b0%b1%b2%b3%b4%b5%b6%b7%b8%b9%ba%bb%bc%bd%be%bf%c0%c1%c2%c3%c4%c5%c6%c7%c8%c9%ca%cb%cc%cd%ce%cf%d0%d1%d2%d3%d4%d5%d6%d7%d8%d9%da%db%dc%dd%de%df%e0%e1%e2%e3%e4%e5%e6%e7%e8%e9%ea%eb%ec%ed%ee%ef%f0%f1%f2%f3%f4%f5%f6%f7%f8%f9%fa%fb%fc%fd%fe%ff%0%1%2%3%4%5%6%7%8%9%A%B%C%D%E%F%10%11%12%13%14%15%16%17%18%19%1A%1B%1C%1D%1E%1F%20%21%22%23%24%25%26%27%28%29%2A%2B%2C%2D%2E%2F%30%31%32%33%34%35%36%37%38%39%3A%3B%3C%3D%3E%3F%40%41%42%43%44%45%46%47%48%49%4A%4B%4C%4D%4E%4F%50%51%52%53%54%55%56%57%58%59%5A%5B%5C%5D%5E%5F%60%61%62%63%64%65%66%67%68%69%6A%6B%6C%6D%6E%6F%70%71%72%73%74%75%76%77%78%79%7A%7B%7C%7D%7E%7F%80%81%82%83%84%85%86%87%88%89%8A%8B%8C%8D%8E%8F%90%91%92%93%94%95%96%97%98%99%9A%9B%9C%9D%9E%9F%A0%A1%A2%A3%A4%A5%A6%A7%A8%A9%AA%AB%AC%AD%AE%AF%B0%B1%B2%B3%B4%B5%B6%B7%B8%B9%BA%BB%BC%BD%BE%BF%C0%C1%C2%C3%C4%C5%C6%C7%C8%C9%CA%CB%CC%CD%CE%CF%D0%D1%D2%D3%D4%D5%D6%D7%D8%D9%DA%DB%DC%DD%DE%DF%E0%E1%E2%E3%E4%E5%E6%E7%E8%E9%EA%EB%EC%ED%EE%EF%F0%F1%F2%F3%F4%F5%F6%F7%F8%F9%FA%FB%FC%FD%FE%FF';\n const normPath = '/%0%1%2%3%4%5%6%7%8%9%a%b%c%d%e%f%10%11%12%13%14%15%16%17%18%19%1A%1B%1C%1D%1E%1F%20!%22%23$%25&\\'()*+,-.%2F0123456789:;%3C=%3E%3F@ABCDEFGHIJKLMNOPQRSTUVWXYZ%5B%5C%5D%5E_%60abcdefghijklmnopqrstuvwxyz%7B%7C%7D~%7F%80%81%82%83%84%85%86%87%88%89%8A%8B%8C%8D%8E%8F%90%91%92%93%94%95%96%97%98%99%9A%9B%9C%9D%9E%9F%A0%A1%A2%A3%A4%A5%A6%A7%A8%A9%AA%AB%AC%AD%AE%AF%B0%B1%B2%B3%B4%B5%B6%B7%B8%B9%BA%BB%BC%BD%BE%BF%C0%C1%C2%C3%C4%C5%C6%C7%C8%C9%CA%CB%CC%CD%CE%CF%D0%D1%D2%D3%D4%D5%D6%D7%D8%D9%DA%DB%DC%DD%DE%DF%E0%E1%E2%E3%E4%E5%E6%E7%E8%E9%EA%EB%EC%ED%EE%EF%F0%F1%F2%F3%F4%F5%F6%F7%F8%F9%FA%FB%FC%FD%FE%FF%0%1%2%3%4%5%6%7%8%9%A%B%C%D%E%F%10%11%12%13%14%15%16%17%18%19%1A%1B%1C%1D%1E%1F%20!%22%23$%25&\\'()*+,-.%2F0123456789:;%3C=%3E%3F@ABCDEFGHIJKLMNOPQRSTUVWXYZ%5B%5C%5D%5E_%60abcdefghijklmnopqrstuvwxyz%7B%7C%7D~%7F%80%81%82%83%84%85%86%87%88%89%8A%8B%8C%8D%8E%8F%90%91%92%93%94%95%96%97%98%99%9A%9B%9C%9D%9E%9F%A0%A1%A2%A3%A4%A5%A6%A7%A8%A9%AA%AB%AC%AD%AE%AF%B0%B1%B2%B3%B4%B5%B6%B7%B8%B9%BA%BB%BC%BD%BE%BF%C0%C1%C2%C3%C4%C5%C6%C7%C8%C9%CA%CB%CC%CD%CE%CF%D0%D1%D2%D3%D4%D5%D6%D7%D8%D9%DA%DB%DC%DD%DE%DF%E0%E1%E2%E3%E4%E5%E6%E7%E8%E9%EA%EB%EC%ED%EE%EF%F0%F1%F2%F3%F4%F5%F6%F7%F8%F9%FA%FB%FC%FD%FE%FF';\n\n const url = 'http://localhost' + rawPath + '?param1=something';\n const normUrl = 'http://localhost' + normPath + '?param1=something';\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler: () => null });\n\n const onRequest = (request, h) => {\n\n request.setUrl(url);\n return h.response([request.url.href, request.path, request.url.searchParams.get('param1')].join('|')).takeover();\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.payload).to.equal(normUrl + '|' + normPath + '|something');\n });\n\n it('errors on empty path', async () => {\n\n const server = Hapi.server({ debug: false });\n const onRequest = (request, h) => {\n\n request.setUrl('');\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('throws when path is missing', async () => {\n\n const server = Hapi.server();\n const onRequest = (request, h) => {\n\n try {\n request.setUrl();\n }\n catch (err) {\n return h.response(err.message).takeover();\n }\n\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.payload).to.equal('Url must be a string or URL object');\n });\n\n it('strips trailing slash', async () => {\n\n const server = Hapi.server({ router: { stripTrailingSlash: true } });\n server.route({ method: 'GET', path: '/test', handler: () => null });\n\n const res1 = await server.inject('/test/');\n expect(res1.statusCode).to.equal(204);\n\n const res2 = await server.inject('/test');\n expect(res2.statusCode).to.equal(204);\n });\n\n it('does not strip trailing slash on /', async () => {\n\n const server = Hapi.server({ router: { stripTrailingSlash: true } });\n server.route({ method: 'GET', path: '/', handler: () => null });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n });\n\n it('strips trailing slash with query', async () => {\n\n const server = Hapi.server({ router: { stripTrailingSlash: true } });\n server.route({ method: 'GET', path: '/test', handler: () => null });\n const res = await server.inject('/test/?a=b');\n expect(res.statusCode).to.equal(204);\n });\n\n it('clones passed url', async () => {\n\n const urlObject = new Url.URL('http:/%41');\n let requestUrl;\n\n const server = Hapi.server();\n const onRequest = (request, h) => {\n\n request.setUrl(urlObject);\n requestUrl = request.url;\n\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(404);\n expect(requestUrl).to.equal(urlObject);\n expect(requestUrl).to.not.shallow.equal(urlObject);\n });\n\n it('handles vhost redirection', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', vhost: 'one', handler: () => 'success' });\n\n const onRequest = (request, h) => {\n\n request.setUrl('http://one/');\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.payload).to.equal('success');\n });\n\n it('handles hostname in HTTP request resource', async () => {\n\n const server = Hapi.server({ debug: false });\n const team = new Teamwork.Team();\n\n let hostname;\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => {\n\n hostname = request.info.hostname;\n team.attend();\n return null;\n }\n });\n\n await server.start();\n const socket = Net.createConnection(server.info.port, '127.0.0.1', () => socket.write('GET http://host.com\\r\\n\\r\\n'));\n await team.work;\n socket.destroy();\n await server.stop();\n expect(hostname).to.equal('host.com');\n });\n\n it('handles url starting with multiple /', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/{p*}',\n handler: (request) => {\n\n return {\n p: request.params.p,\n path: request.path,\n hostname: request.info.hostname.toLowerCase() // Lowercase for OSX tests\n };\n }\n });\n\n const res = await server.inject('//path');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal({ p: '/path', path: '//path', hostname: server.info.host.toLowerCase() });\n });\n\n it('handles escaped path segments', async () => {\n\n const server = Hapi.server();\n server.route({ path: '/%2F/%2F', method: 'GET', handler: (request) => request.path });\n\n const tests = [\n ['/', 404],\n ['////', 404],\n ['/%2F/%2F', 200, '/%2F/%2F'],\n ['/%2F/%2F#x', 200, '/%2F/%2F'],\n ['/%2F/%2F?a=1#x', 200, '/%2F/%2F']\n ];\n\n for (const [uri, code, result] of tests) {\n const res = await server.inject(uri);\n expect(res.statusCode).to.equal(code);\n\n if (code < 400) {\n expect(res.result).to.equal(result);\n }\n }\n });\n\n it('handles fragments (no query)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/{p*}', handler: (request) => request.path });\n\n await server.start();\n\n const options = {\n hostname: 'localhost',\n port: server.info.port,\n path: '/path#ignore',\n method: 'GET'\n };\n\n const team = new Teamwork.Team();\n const req = Http.request(options, (res) => team.attend(res));\n req.end();\n\n const res = await team.work;\n const payload = await Wreck.read(res);\n expect(payload.toString()).to.equal('/path');\n\n await server.stop();\n });\n\n it('handles fragments (with query)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/{p*}', handler: (request) => request.query.a });\n\n await server.start();\n\n const options = {\n hostname: 'localhost',\n port: server.info.port,\n path: '/path?a=1#ignore',\n method: 'GET'\n };\n\n const team = new Teamwork.Team();\n const req = Http.request(options, (res) => team.attend(res));\n req.end();\n\n const res = await team.work;\n const payload = await Wreck.read(res);\n expect(payload.toString()).to.equal('1');\n\n await server.stop();\n });\n\n it('handles fragments with ? (no query)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/{p*}', handler: (request) => request.path });\n\n await server.start();\n\n const options = {\n hostname: 'localhost',\n port: server.info.port,\n path: '/path#ignore?x',\n method: 'GET'\n };\n\n const team = new Teamwork.Team();\n const req = Http.request(options, (res) => team.attend(res));\n req.end();\n\n const res = await team.work;\n const payload = await Wreck.read(res);\n expect(payload.toString()).to.equal('/path');\n\n await server.stop();\n });\n\n it('handles absolute URL (proxy)', async () => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/{p*}', handler: (request) => request.query.a.join() });\n\n await server.start();\n\n const options = {\n hostname: 'localhost',\n port: server.info.port,\n path: 'http://example.com/path?a=1&a=2#ignore',\n method: 'GET'\n };\n\n const team = new Teamwork.Team();\n const req = Http.request(options, (res) => team.attend(res));\n req.end();\n\n const res = await team.work;\n const payload = await Wreck.read(res);\n expect(payload.toString()).to.equal('1,2');\n\n await server.stop();\n });\n });\n\n describe('url', () => {\n\n it('generates URL object lazily', async () => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n expect(request._url).to.not.exist();\n return request.url.pathname;\n };\n\n server.route({ path: '/test', method: 'GET', handler });\n const res = await server.inject('/test?a=1');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('/test');\n });\n\n it('generates URL object lazily (no host header)', async () => {\n\n const server = Hapi.server();\n\n const handler = (request) => {\n\n delete request.info.host;\n expect(request._url).to.not.exist();\n return request.url.pathname;\n };\n\n server.route({ path: '/test', method: 'GET', handler });\n const res = await server.inject('/test?a=1');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('/test');\n });\n\n it('generates valid URL when server host is IPv6 and host header is absent', async () => {\n\n const server = Hapi.server({ host: '::1' });\n\n const handler = (request) => {\n\n delete request.info.host;\n expect(request._url).to.not.exist();\n return request.url.host;\n };\n\n server.route({ path: '/test', method: 'GET', handler });\n const res = await server.inject('/test');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.match(/^\\[::1\\]:\\d+$/);\n });\n });\n\n describe('_tap()', () => {\n\n it('listens to request payload read finish', async () => {\n\n let finish;\n const ext = (request, h) => {\n\n finish = request.events.once('finish');\n return h.continue;\n };\n\n const server = Hapi.server();\n server.ext('onRequest', ext);\n server.route({ method: 'POST', path: '/', options: { handler: () => null, payload: { parse: false } } });\n\n const payload = '0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789';\n await server.inject({ method: 'POST', url: '/', payload });\n await finish;\n });\n\n it('ignores emitter when created for other events', async () => {\n\n const ext = (request, h) => {\n\n request.events;\n return h.continue;\n };\n\n const server = Hapi.server();\n server.ext('onRequest', ext);\n server.route({ method: 'POST', path: '/', options: { handler: () => null, payload: { parse: false } } });\n\n const payload = '0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789';\n await server.inject({ method: 'POST', url: '/', payload });\n });\n });\n\n describe('log()', () => {\n\n it('outputs log data to debug console', async () => {\n\n const handler = (request) => {\n\n request.log(['implementation'], 'data');\n return null;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const log = new Promise((resolve) => {\n\n const orig = console.error;\n console.error = function (...args) {\n\n expect(args[0]).to.equal('Debug:');\n expect(args[1]).to.equal('implementation');\n expect(args[2]).to.equal('\\n data');\n console.error = orig;\n resolve();\n };\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n await log;\n });\n\n it('emits a request event', async () => {\n\n const server = Hapi.server();\n\n const handler = async (request) => {\n\n const log = server.events.once({ name: 'request', channels: 'app' });\n request.log(['test'], 'data');\n const [, event, tags] = await log;\n expect(event).to.contain(['request', 'timestamp', 'tags', 'data', 'channel']);\n expect(event.data).to.equal('data');\n expect(event.channel).to.equal('app');\n expect(tags).to.equal({ test: true });\n return null;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n });\n\n it('emits a request event (function data + collect)', async () => {\n\n const server = Hapi.server({ routes: { log: { collect: true } } });\n\n const handler = async (request) => {\n\n const log = server.events.once('request');\n request.log(['test'], () => 'data');\n\n const [, event, tags] = await log;\n expect(event).to.contain(['request', 'timestamp', 'tags', 'data', 'channel']);\n expect(event.data).to.equal('data');\n expect(event.channel).to.equal('app');\n expect(tags).to.equal({ test: true });\n expect(request.logs[0].data).to.equal('data');\n return null;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n });\n\n it('emits a request event (function data)', async () => {\n\n const server = Hapi.server();\n\n const handler = async (request) => {\n\n const log = server.events.once('request');\n request.log(['test'], () => 'data');\n\n const [, event, tags] = await log;\n expect(event).to.contain(['request', 'timestamp', 'tags', 'data', 'channel']);\n expect(event.data).to.equal('data');\n expect(event.channel).to.equal('app');\n expect(tags).to.equal({ test: true });\n return null;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n });\n\n it('outputs log to debug console without data', async () => {\n\n const handler = (request) => {\n\n request.log(['implementation']);\n return null;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const log = new Promise((resolve) => {\n\n const orig = console.error;\n console.error = function (...args) {\n\n expect(args[0]).to.equal('Debug:');\n expect(args[1]).to.equal('implementation');\n expect(args[2]).to.equal('');\n console.error = orig;\n resolve();\n };\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n await log;\n });\n\n it('outputs log to debug console with error data', async () => {\n\n const handler = (request) => {\n\n request.log(['implementation'], new Error('boom'));\n return null;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const log = new Promise((resolve) => {\n\n const orig = console.error;\n console.error = function (...args) {\n\n expect(args[0]).to.equal('Debug:');\n expect(args[1]).to.equal('implementation');\n expect(args[2]).to.contain('Error: boom');\n console.error = orig;\n resolve();\n };\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n await log;\n });\n\n it('handles invalid log data object stringify', async () => {\n\n const handler = (request) => {\n\n const obj = {};\n obj.a = obj;\n\n request.log(['implementation'], obj);\n return null;\n };\n\n const server = Hapi.server({ routes: { log: { collect: true } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const log = new Promise((resolve) => {\n\n const orig = console.error;\n console.error = function (...args) {\n\n expect(args[0]).to.equal('Debug:');\n expect(args[1]).to.equal('implementation');\n expect(args[2]).to.match(/Cannot display object: Converting circular structure to JSON/);\n console.error = orig;\n resolve();\n };\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n await log;\n });\n\n it('adds a log event to the request', async () => {\n\n const handler = (request) => {\n\n request.log('1', 'log event 1');\n request.log(['2'], 'log event 2');\n request.log(['3', '4']);\n request.log(['1', '4']);\n request.log(['2', '3']);\n request.log(['4']);\n request.log('4');\n\n return request.logs.map((event) => event.tags).join('|');\n };\n\n const server = Hapi.server({ routes: { log: { collect: true } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.payload).to.equal('1|2|3,4|1,4|2,3|4|4');\n });\n\n it('does not output events when debug disabled', async () => {\n\n const server = Hapi.server({ debug: false });\n\n let i = 0;\n const orig = console.error;\n console.error = function () {\n\n ++i;\n };\n\n const handler = (request) => {\n\n request.log(['implementation']);\n return null;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n await server.inject('/');\n console.error('nothing');\n expect(i).to.equal(1);\n console.error = orig;\n });\n\n it('does not output events when debug.request disabled', async () => {\n\n const server = Hapi.server({ debug: { request: false } });\n\n let i = 0;\n const orig = console.error;\n console.error = function () {\n\n ++i;\n };\n\n const handler = (request) => {\n\n request.log(['implementation']);\n return null;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n await server.inject('/');\n console.error('nothing');\n expect(i).to.equal(1);\n console.error = orig;\n });\n\n it('does not output non-implementation events by default', async () => {\n\n const server = Hapi.server();\n\n let i = 0;\n const orig = console.error;\n console.error = function () {\n\n ++i;\n };\n\n const handler = (request) => {\n\n request.log(['xyz']);\n return null;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n await server.inject('/');\n console.error('nothing');\n expect(i).to.equal(1);\n console.error = orig;\n });\n\n it('logs nothing', async () => {\n\n const server = Hapi.server({ debug: false, routes: { log: { collect: false } } });\n\n const handler = (request) => {\n\n expect(request.logs).to.have.length(0);\n return request.info.acceptEncoding;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { 'accept-encoding': 'a;b' } });\n expect(res.result).to.equal('identity');\n });\n\n it('logs when only collect is true', async () => {\n\n const server = Hapi.server({ debug: false, routes: { log: { collect: true } } });\n\n const handler = (request) => {\n\n expect(request.logs).to.have.length(1);\n return request.info.acceptEncoding;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject({ url: '/', headers: { 'accept-encoding': 'a;b' } });\n expect(res.result).to.equal('identity');\n });\n });\n\n describe('_setResponse()', () => {\n\n it('leaves the response open when the same response is set again', async () => {\n\n const server = Hapi.server();\n const postHandler = (request) => {\n\n return request.response;\n };\n\n server.ext('onPostHandler', postHandler);\n\n const handler = (request) => {\n\n const stream = new Stream.Readable();\n stream._read = function (size) {\n\n this.push('value');\n this.push(null);\n };\n\n return stream;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('value');\n });\n\n it('leaves the response open when the same response source is set again', async () => {\n\n const server = Hapi.server();\n server.ext('onPostHandler', (request) => request.response.source);\n\n const handler = (request) => {\n\n const stream = new Stream.Readable();\n stream._read = function (size) {\n\n this.push('value');\n this.push(null);\n };\n\n return stream;\n };\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('value');\n });\n });\n\n describe('timeout', () => {\n\n it('returns server error message when server taking too long', async () => {\n\n const handler = async (request) => {\n\n await Hoek.wait(100);\n return 'too slow';\n };\n\n const server = Hapi.server({ routes: { timeout: { server: 50 } } });\n server.route({ method: 'GET', path: '/timeout', handler });\n\n const timer = new Hoek.Bench();\n\n const res = await server.inject('/timeout');\n expect(res.statusCode).to.equal(503);\n expect(timer.elapsed()).to.be.at.least(49);\n });\n\n it('returns server error message when server timeout happens during request execution (and handler yields)', async () => {\n\n const handler = async (request) => {\n\n await Hoek.wait(20);\n return null;\n };\n\n const server = Hapi.server({ routes: { timeout: { server: 10 } } });\n server.route({ method: 'GET', path: '/', options: { handler } });\n\n const postHandler = (request, h) => {\n\n return h.continue;\n };\n\n server.ext('onPostHandler', postHandler);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(503);\n });\n\n it('returns server error message when server timeout is short and already occurs when request executes', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: 2 } } });\n server.route({ method: 'GET', path: '/', options: { handler: function () { } } });\n const onRequest = async (request, h) => {\n\n await Hoek.wait(10);\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(503);\n });\n\n it('handles server handler timeout with onPreResponse ext', async () => {\n\n const handler = async (request) => {\n\n await Hoek.wait(20);\n return null;\n };\n\n const server = Hapi.server({ routes: { timeout: { server: 10 } } });\n server.route({ method: 'GET', path: '/', options: { handler } });\n const preResponse = (request, h) => {\n\n return h.continue;\n };\n\n server.ext('onPreResponse', preResponse);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(503);\n });\n\n it('does not return an error response when server is slow but faster than timeout', async () => {\n\n const slowHandler = async (request) => {\n\n await Hoek.wait(30);\n return 'slow';\n };\n\n const server = Hapi.server({ routes: { timeout: { server: 50 } } });\n server.route({ method: 'GET', path: '/slow', options: { handler: slowHandler } });\n\n const timer = new Hoek.Bench();\n const res = await server.inject('/slow');\n expect(timer.elapsed()).to.be.at.least(20);\n expect(res.statusCode).to.equal(200);\n });\n\n it('creates error response when request is aborted while draining payload', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: false } } });\n await server.start();\n\n const log = server.events.once('response');\n const ready = new Promise((resolve) => {\n\n server.ext('onRequest', (request, h) => {\n\n resolve();\n return h.continue;\n });\n });\n\n const req = Http.request({\n hostname: 'localhost',\n port: server.info.port,\n method: 'GET',\n headers: { 'content-length': 42 }\n });\n\n req.on('error', Hoek.ignore);\n req.flushHeaders();\n\n await ready;\n req.destroy();\n const [request] = await log;\n\n expect(request.response.output.statusCode).to.equal(499);\n\n await server.stop({ timeout: 1 });\n });\n\n it('returns an unlogged bad request error when parser fails before request is setup', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: false } } });\n await server.start();\n\n let responseCount = 0;\n server.events.on('response', () => {\n\n responseCount += 1;\n });\n\n const client = Net.connect(server.info.port);\n const clientEnded = new Promise((resolve, reject) => {\n\n let response = '';\n client.on('data', (chunk) => {\n\n response = response + chunk.toString();\n });\n\n client.on('end', () => resolve(response));\n client.on('error', reject);\n });\n\n await new Promise((resolve) => client.on('connect', resolve));\n client.write('hello\\n\\r');\n\n const clientResponse = await clientEnded;\n expect(clientResponse).to.contain('400 Bad Request');\n expect(responseCount).to.equal(0);\n\n await server.stop({ timeout: 1 });\n });\n\n it('returns normal response when parser fails with bad method after request is setup', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: false } } });\n server.route({ path: '/', method: 'GET', handler: () => 'PAYLOAD' });\n await server.start();\n\n const log = server.events.once('response');\n const client = Net.connect(server.info.port);\n const clientEnded = Wreck.read(client);\n\n await new Promise((resolve) => client.on('connect', resolve));\n client.write('GET / HTTP/1.1\\r\\nHost: test\\r\\nContent-Length: 0\\r\\n\\r\\ninvalid data');\n\n const [request] = await log;\n expect(request.response.statusCode).to.equal(200);\n expect(request.response.source).to.equal('PAYLOAD');\n const clientResponse = (await clientEnded).toString();\n expect(clientResponse).to.contain('HTTP/1.1 200 OK');\n\n const nextResponse = clientResponse.slice(clientResponse.indexOf('PAYLOAD') + 7);\n expect(nextResponse).to.startWith('HTTP/1.1 400 Bad Request');\n\n await server.stop({ timeout: 1 });\n });\n\n it('returns nothing when parser fails with bad method after request is setup and the connection is closed', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: false } } });\n server.route({ path: '/', method: 'GET', handler: (request, h) => {\n\n request.raw.res.destroy();\n return h.abandon;\n } });\n\n await server.start();\n\n const log = server.events.once('response');\n const client = Net.connect(server.info.port);\n const clientEnded = Wreck.read(client);\n\n await new Promise((resolve) => client.on('connect', resolve));\n client.write('GET / HTTP/1.1\\r\\nHost: test\\r\\nContent-Length: 0\\r\\n\\r\\n\\r\\ninvalid data');\n\n const [request] = await log;\n expect(request.response.statusCode).to.be.undefined();\n const clientResponse = (await clientEnded).toString();\n expect(clientResponse).to.equal('');\n\n await server.stop({ timeout: 1 });\n });\n\n it('returns a bad request when parser fails after request is setup (cleanStop false)', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: false } }, operations: { cleanStop: false } });\n server.route({ path: '/', method: 'GET', handler: Hoek.block });\n await server.start();\n\n const client = Net.connect(server.info.port);\n const clientEnded = new Promise((resolve, reject) => {\n\n let response = '';\n client.on('data', (chunk) => {\n\n response = response + chunk.toString();\n });\n\n client.on('end', () => resolve(response));\n client.on('error', reject);\n });\n\n await new Promise((resolve) => client.on('connect', resolve));\n client.write('GET / HTTP/1.1\\r\\nHost: test\\nContent-Length: 0\\r\\n\\r\\ninvalid data');\n\n const clientResponse = await clientEnded;\n expect(clientResponse).to.contain('400 Bad Request');\n\n await server.stop({ timeout: 1 });\n });\n\n it('returns a bad request for POST request when chunked parsing fails', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: false } } });\n server.route({ path: '/', method: 'POST', handler: () => 'ok', options: { payload: { parse: true } } });\n await server.start();\n\n const log = server.events.once('response');\n const client = Net.connect(server.info.port);\n const clientEnded = Wreck.read(client);\n\n await new Promise((resolve) => client.on('connect', resolve));\n client.write('POST / HTTP/1.1\\r\\nHost: test\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n');\n await Hoek.wait(10);\n client.write('not chunked\\r\\n');\n\n const [request] = await log;\n expect(request.response.statusCode).to.equal(400);\n expect(request.response.source).to.contain({ error: 'Bad Request' });\n const clientResponse = (await clientEnded).toString();\n expect(clientResponse).to.contain('400 Bad Request');\n\n await server.stop({ timeout: 1 });\n });\n\n it('returns a bad request for POST request when chunked parsing fails (cleanStop false)', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: false } }, operations: { cleanStop: false } });\n server.route({ path: '/', method: 'POST', handler: () => 'ok', options: { payload: { parse: true } } });\n await server.start();\n\n const client = Net.connect(server.info.port);\n const clientEnded = Wreck.read(client);\n\n await new Promise((resolve) => client.on('connect', resolve));\n client.write('POST / HTTP/1.1\\r\\nHost: test\\r\\nTransfer-Encoding: chunked\\r\\n\\r\\n');\n await Hoek.wait(10);\n client.write('not chunked\\r\\n');\n\n const clientResponse = (await clientEnded).toString();\n expect(clientResponse).to.contain('400 Bad Request');\n\n await server.stop({ timeout: 1 });\n });\n\n it('returns a bad request for POST request when chunked parsing fails', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: false } } });\n server.route({ path: '/', method: 'POST', handler: () => 'ok', options: { payload: { parse: true } } });\n await server.start();\n\n const log = server.events.once('response');\n const client = Net.connect(server.info.port);\n const clientEnded = Wreck.read(client);\n\n await new Promise((resolve) => client.on('connect', resolve));\n client.write('POST / HTTP/1.1\\r\\nHost: test\\r\\nContent-Length: 5\\r\\n\\r\\n');\n await Hoek.wait(10);\n client.write('111A1'); // Doesn't work if 'A' is replaced with '1' !?!\n client.write('\\Q\\r\\n'); // Extra bytes considered to be start of next request\n client.end();\n\n const [request] = await log;\n expect(request.response.statusCode).to.equal(400);\n expect(request.response.source).to.contain({ error: 'Bad Request' });\n const clientResponse = (await clientEnded).toString();\n expect(clientResponse).to.contain('400 Bad Request');\n\n await server.stop({ timeout: 1 });\n });\n\n it('does not return an error when server is responding when the timeout occurs', async () => {\n\n let ended = false;\n const TestStream = class extends Stream.Readable {\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n this.push('Hello');\n\n setTimeout(() => {\n\n this.push(null);\n ended = true;\n }, 150);\n }\n };\n\n const handler = (request) => {\n\n return new TestStream();\n };\n\n const timer = new Hoek.Bench();\n\n const server = Hapi.server({ routes: { timeout: { server: 100 } } });\n server.route({ method: 'GET', path: '/', handler });\n await server.start();\n const { res } = await Wreck.get('http://localhost:' + server.info.port);\n expect(ended).to.be.true();\n expect(timer.elapsed()).to.be.at.least(150);\n expect(res.statusCode).to.equal(200);\n await server.stop({ timeout: 1 });\n });\n\n it('does not return an error response when server is slower than timeout but response has started', async () => {\n\n const streamHandler = (request) => {\n\n const TestStream = class extends Stream.Readable {\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n\n setTimeout(() => {\n\n this.push('Hello');\n }, 30);\n\n setTimeout(() => {\n\n this.push(null);\n }, 60);\n }\n };\n\n return new TestStream();\n };\n\n const server = Hapi.server({ routes: { timeout: { server: 50 } } });\n server.route({ method: 'GET', path: '/stream', options: { handler: streamHandler } });\n\n await server.start();\n const { res } = await Wreck.get(`http://localhost:${server.info.port}/stream`);\n expect(res.statusCode).to.equal(200);\n await server.stop({ timeout: 1 });\n });\n\n it('does not return an error response when server takes less than timeout to respond', async () => {\n\n const server = Hapi.server({ routes: { timeout: { server: 50 } } });\n server.route({ method: 'GET', path: '/fast', handler: () => 'Fast' });\n\n const res = await server.inject('/fast');\n expect(res.statusCode).to.equal(200);\n });\n\n it('handles race condition between equal client and server timeouts', async (flags) => {\n\n const onCleanup = [];\n flags.onCleanup = async () => {\n\n for (const cleanup of onCleanup) {\n await cleanup();\n }\n };\n\n const server = Hapi.server({ routes: { timeout: { server: 100 }, payload: { timeout: 100 } } });\n server.route({ method: 'POST', path: '/timeout', options: { handler: Hoek.block } });\n\n await server.start();\n onCleanup.unshift(() => server.stop());\n\n const timer = new Hoek.Bench();\n const options = {\n hostname: 'localhost',\n port: server.info.port,\n path: '/timeout',\n method: 'POST'\n };\n\n const req = Http.request(options);\n onCleanup.unshift(() => req.destroy());\n\n req.write('\\n');\n\n const [res] = await Events.once(req, 'response');\n\n expect([503, 408]).to.contain(res.statusCode);\n expect(timer.elapsed()).to.be.at.least(80);\n\n await Events.once(req, 'close'); // Ensures that req closes without error\n });\n });\n\n describe('event()', () => {\n\n it('does not emit request error on normal close', async () => {\n\n const server = Hapi.server();\n const events = [];\n server.events.on('request', (request, event, tags) => events.push(tags));\n\n server.route({ method: 'GET', path: '/', handler: () => 'ok' });\n\n await server.start();\n\n const { payload } = await Wreck.get('http://localhost:' + server.info.port);\n expect(payload.toString()).to.equal('ok');\n await server.stop();\n\n expect(events).to.have.length(0);\n });\n });\n});\n" }, { "path": "test/response.js", "content": "'use strict';\n\nconst Events = require('events');\nconst Http = require('http');\nconst Path = require('path');\nconst Stream = require('stream');\n\nconst Code = require('@hapi/code');\nconst Handlebars = require('handlebars');\nconst LegacyReadableStream = require('legacy-readable-stream');\nconst Hapi = require('..');\nconst Inert = require('@hapi/inert');\nconst Lab = require('@hapi/lab');\nconst Vision = require('@hapi/vision');\n\nconst Response = require('../lib/response');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('Response', () => {\n\n it('returns a response', async () => {\n\n const handler = (request, h) => {\n\n return h.response('text')\n .type('text/plain')\n .charset('ISO-8859-1')\n .ttl(1000)\n .header('set-cookie', 'abc=123')\n .state('sid', 'abcdefg123456')\n .state('other', 'something', { isSecure: true })\n .unstate('x')\n .header('Content-Type', 'text/plain; something=something')\n .header('vary', 'x-control')\n .header('combo', 'o')\n .header('combo', 'k', { append: true, separator: '-' })\n .header('combo', 'bad', { override: false })\n .code(200)\n .message('Super');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 } });\n server.route({ method: 'GET', path: '/', options: { handler, cache: { expiresIn: 9999 } } });\n server.state('sid', { encoding: 'base64' });\n server.state('always', { autoValue: 'present' });\n\n const postHandler = (request, h) => {\n\n h.state('test', '123');\n h.unstate('empty', { path: '/path' });\n return h.continue;\n };\n\n server.ext('onPostHandler', postHandler);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.exist();\n expect(res.result).to.equal('text');\n expect(res.statusMessage).to.equal('Super');\n expect(res.headers['cache-control']).to.equal('max-age=1, must-revalidate, private');\n expect(res.headers['content-type']).to.equal('text/plain; something=something; charset=ISO-8859-1');\n expect(res.headers['set-cookie']).to.equal(['abc=123', 'sid=YWJjZGVmZzEyMzQ1Ng==; Secure; HttpOnly; SameSite=Strict', 'other=something; Secure; HttpOnly; SameSite=Strict', 'x=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict', 'test=123; Secure; HttpOnly; SameSite=Strict', 'empty=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Path=/path', 'always=present; Secure; HttpOnly; SameSite=Strict']);\n expect(res.headers.vary).to.equal('x-control,accept-encoding');\n expect(res.headers.combo).to.equal('o-k');\n });\n\n it('sets content-type charset (trailing semi column)', async () => {\n\n const handler = (request, h) => {\n\n return h.response('text').header('Content-Type', 'text/plain; something=something;');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['content-type']).to.equal('text/plain; something=something; charset=utf-8');\n });\n\n describe('_setSource()', () => {\n\n it('returns an empty string response', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n handler: () => ''\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n expect(res.headers['content-length']).to.not.exist();\n expect(res.headers['content-type']).to.equal('text/html; charset=utf-8');\n expect(res.result).to.equal(null);\n expect(res.payload).to.equal('');\n });\n\n it('returns a null response', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n handler: () => null\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n expect(res.headers['content-length']).to.not.exist();\n expect(res.headers['content-type']).to.not.exist();\n expect(res.result).to.equal(null);\n expect(res.payload).to.equal('');\n });\n\n it('returns a stream', async () => {\n\n const handler = (request) => {\n\n const stream = new Stream.Readable({\n read() {\n\n this.push('x');\n this.push(null);\n }\n });\n\n return stream;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('x');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['content-type']).to.equal('application/octet-stream');\n });\n });\n\n describe('code()', () => {\n\n it('sets manual code regardless of emptyStatusCode override', async () => {\n\n const server = Hapi.server({ routes: { response: { emptyStatusCode: 200 } } });\n server.route({ method: 'GET', path: '/', handler: (request, h) => h.response().code(204) });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n });\n });\n\n describe('header()', () => {\n\n it('appends to set-cookie header', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').header('set-cookie', 'A').header('set-cookie', 'B', { append: true });\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['set-cookie']).to.equal(['A', 'B']);\n });\n\n it('sets null header', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').header('set-cookie', null);\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['set-cookie']).to.not.exist();\n });\n\n it('throws error on non-ascii value', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').header('set-cookie', decodeURIComponent('%E0%B4%8Aset-cookie:%20foo=bar'));\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('throws error on non-ascii value (header name)', async () => {\n\n const handler = (request, h) => {\n\n const badName = decodeURIComponent('%E0%B4%8Aset-cookie:%20foo=bar');\n return h.response('ok').header(badName, 'value');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('throws error on non-ascii value (buffer)', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').header('set-cookie', Buffer.from(decodeURIComponent('%E0%B4%8Aset-cookie:%20foo=bar')));\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('created()', () => {\n\n it('returns a response (created)', async () => {\n\n const handler = (request, h) => {\n\n return h.response({ a: 1 }).created('/special');\n };\n\n const server = Hapi.server();\n server.route({ method: 'POST', path: '/', handler });\n\n const res = await server.inject({ method: 'POST', url: '/' });\n expect(res.result).to.equal({ a: 1 });\n expect(res.statusCode).to.equal(201);\n expect(res.headers.location).to.equal('/special');\n expect(res.headers['cache-control']).to.equal('no-cache');\n });\n\n it('returns error on created with GET', async () => {\n\n const handler = (request, h) => {\n\n return h.response().created('/something');\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('does not return an error on created with PUT', async () => {\n\n const handler = (request, h) => {\n\n return h.response({ a: 1 }).created();\n };\n\n const server = Hapi.server();\n server.route({ method: 'PUT', path: '/', handler });\n\n const res = await server.inject({ method: 'PUT', url: '/' });\n expect(res.result).to.equal({ a: 1 });\n expect(res.statusCode).to.equal(201);\n });\n\n it('does not return an error on created with PATCH', async () => {\n\n const handler = (request, h) => {\n\n return h.response({ a: 1 }).created();\n };\n\n const server = Hapi.server();\n server.route({ method: 'PATCH', path: '/', handler });\n\n const res = await server.inject({ method: 'PATCH', url: '/' });\n expect(res.result).to.equal({ a: 1 });\n expect(res.statusCode).to.equal(201);\n });\n });\n\n describe('state()', () => {\n\n it('returns an error on bad cookie', async () => {\n\n const handler = (request, h) => {\n\n return h.response('text').state(';sid', 'abcdefg123456');\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.exist();\n expect(res.statusCode).to.equal(500);\n expect(res.result.message).to.equal('An internal server error occurred');\n expect(res.headers['set-cookie']).to.not.exist();\n });\n });\n\n describe('unstate()', () => {\n\n it('allows options', async () => {\n\n const handler = (request, h) => {\n\n return h.response().unstate('session', { path: '/unset', isSecure: true });\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n expect(res.headers['set-cookie']).to.equal(['session=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Path=/unset']);\n });\n });\n\n describe('vary()', () => {\n\n it('sets Vary header with single value', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').vary('x');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('ok');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.vary).to.equal('x,accept-encoding');\n });\n\n it('sets Vary header with multiple values', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').vary('x').vary('y');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('ok');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.vary).to.equal('x,y,accept-encoding');\n });\n\n it('sets Vary header with *', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').vary('*');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('ok');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.vary).to.equal('*');\n });\n\n it('leaves Vary header with * on additional values', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').vary('*').vary('x');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('ok');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.vary).to.equal('*');\n });\n\n it('drops other Vary header values when set to *', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').vary('x').vary('*');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('ok');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.vary).to.equal('*');\n });\n\n it('sets Vary header with multiple similar and identical values', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').vary('x').vary('xyz').vary('xy').vary('x');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('ok');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.vary).to.equal('x,xyz,xy,accept-encoding');\n });\n });\n\n describe('etag()', () => {\n\n it('sets etag', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').etag('abc');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.etag).to.equal('\"abc\"');\n });\n\n it('sets weak etag', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').etag('abc', { weak: true });\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.etag).to.equal('W/\"abc\"');\n });\n\n it('ignores varyEtag when etag header is removed', async () => {\n\n const handler = (request, h) => {\n\n const response = h.response('ok').etag('abc').vary('x');\n delete response.headers.etag;\n return response;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.etag).to.not.exist();\n });\n\n it('leaves etag header when varyEtag is false', async () => {\n\n const handler = (request, h) => {\n\n return h.response('ok').etag('abc', { vary: false }).vary('x');\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 } });\n server.route({ method: 'GET', path: '/', handler });\n const res1 = await server.inject('/');\n expect(res1.statusCode).to.equal(200);\n expect(res1.headers.etag).to.equal('\"abc\"');\n\n const res2 = await server.inject({ url: '/', headers: { 'if-none-match': '\"abc-gzip\"', 'accept-encoding': 'gzip' } });\n expect(res2.statusCode).to.equal(200);\n expect(res2.headers.etag).to.equal('\"abc\"');\n });\n\n it('applies varyEtag when returning 304 due to if-modified-since match', async () => {\n\n const mdate = new Date().toUTCString();\n\n const handler = (request, h) => {\n\n return h.response('ok').etag('abc').header('last-modified', mdate);\n };\n\n const server = Hapi.server({ compression: { minBytes: 1 } });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject({ url: '/', headers: { 'if-modified-since': mdate, 'accept-encoding': 'gzip' } });\n expect(res.statusCode).to.equal(304);\n expect(res.headers.etag).to.equal('\"abc-gzip\"');\n });\n });\n\n describe('passThrough()', () => {\n\n it('passes stream headers and code through', async () => {\n\n const TestStream = class extends Stream.Readable {\n\n constructor() {\n\n super();\n this.statusCode = 299;\n this.headers = { xcustom: 'some value', 'content-type': 'something/special' };\n }\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n\n this.push('x');\n this.push(null);\n }\n };\n\n const handler = (request) => {\n\n return new TestStream();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('x');\n expect(res.statusCode).to.equal(299);\n expect(res.headers.xcustom).to.equal('some value');\n expect(res.headers['content-type']).to.equal('something/special');\n });\n\n it('excludes connection header and connection options', async () => {\n\n const upstreamConnectionHeader = 'x-test, x-test-also';\n\n const TestStream = class extends Stream.Readable {\n\n constructor() {\n\n super();\n this.statusCode = 200;\n this.headers = {\n connection: upstreamConnectionHeader,\n 'x-test': 'something',\n 'x-test-also': 'also'\n };\n }\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n\n this.push('x');\n this.push(null);\n }\n };\n\n const handler = (request) => {\n\n return new TestStream();\n };\n\n const server = new Hapi.Server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('x');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.connection).to.not.equal(upstreamConnectionHeader);\n expect(res.headers['x-test']).to.not.exist();\n expect(res.headers['x-test-also']).to.not.exist();\n });\n\n it('excludes stream headers and code when passThrough is false', async () => {\n\n const TestStream = class extends Stream.Readable {\n\n constructor() {\n\n super();\n this.statusCode = 299;\n this.headers = { xcustom: 'some value' };\n }\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n\n this.push('x');\n this.push(null);\n }\n };\n\n const handler = (request, h) => {\n\n return h.response(new TestStream()).passThrough(false);\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('x');\n expect(res.statusCode).to.equal(200);\n expect(res.headers.xcustom).to.not.exist();\n });\n\n it('ignores stream headers when empty', async () => {\n\n const TestStream = class extends Stream.Readable {\n\n constructor() {\n\n super();\n this.statusCode = 299;\n this.headers = {};\n }\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n\n this.push('x');\n this.push(null);\n }\n };\n\n const handler = (request) => {\n\n return new TestStream();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('x');\n expect(res.statusCode).to.equal(299);\n expect(res.headers.xcustom).to.not.exist();\n });\n\n it('retains local headers with stream headers pass-through', async () => {\n\n const TestStream = class extends Stream.Readable {\n\n constructor() {\n\n super();\n this.headers = { xcustom: 'some value', 'set-cookie': 'a=1' };\n }\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n\n this.push('x');\n this.push(null);\n }\n };\n\n const handler = (request, h) => {\n\n return h.response(new TestStream()).header('xcustom', 'other value').state('b', '2');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('x');\n expect(res.headers.xcustom).to.equal('other value');\n expect(res.headers['set-cookie']).to.equal(['a=1', 'b=2; Secure; HttpOnly; SameSite=Strict']);\n });\n });\n\n describe('replacer()', () => {\n\n it('errors when called on wrong type', async () => {\n\n const handler = (request, h) => {\n\n return h.response('x').replacer(['x']);\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('compressed()', () => {\n\n it('errors on missing encoding', async () => {\n\n const handler = (request, h) => {\n\n return h.response('x').compressed();\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('errors on invalid encoding', async () => {\n\n const handler = (request, h) => {\n\n return h.response('x').compressed(123);\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('spaces()', () => {\n\n it('errors when called on wrong type', async () => {\n\n const handler = (request, h) => {\n\n return h.response('x').spaces(2);\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('suffix()', () => {\n\n it('errors when called on wrong type', async () => {\n\n const handler = (request, h) => {\n\n return h.response('x').suffix('x');\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('escape()', () => {\n\n it('returns 200 when called with true', async () => {\n\n const handler = (request, h) => {\n\n return h.response({ x: 'x' }).escape(true);\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n });\n\n it('errors when called on wrong type', async () => {\n\n const handler = (request, h) => {\n\n return h.response('x').escape('x');\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n });\n\n describe('type()', () => {\n\n it('returns a file in the response with the correct headers using custom mime type', async () => {\n\n const server = Hapi.server({ routes: { files: { relativeTo: Path.join(__dirname, '../') } } });\n await server.register(Inert);\n const handler = (request, h) => {\n\n return h.file('./LICENSE.md').type('application/example');\n };\n\n server.route({ method: 'GET', path: '/file', handler });\n\n const res = await server.inject('/file');\n expect(res.headers['content-type']).to.equal('application/example');\n });\n });\n\n describe('charset()', () => {\n\n it('sets charset with default type', async () => {\n\n const handler = (request, h) => {\n\n return h.response('text').charset('abc');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['content-type']).to.equal('text/html; charset=abc');\n });\n\n it('sets charset with default type in onPreResponse', async () => {\n\n const onPreResponse = (request, h) => {\n\n request.response.charset('abc');\n return h.continue;\n };\n\n const server = Hapi.server();\n server.ext('onPreResponse', onPreResponse);\n\n server.route({ method: 'GET', path: '/', handler: () => 'text' });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['content-type']).to.equal('text/html; charset=abc');\n });\n\n it('sets type inside marshal', async () => {\n\n const handler = (request) => {\n\n const marshal = (response) => {\n\n if (!response.headers['content-type']) {\n response.type('text/html');\n }\n\n return response.source.value;\n };\n\n return request.generateResponse({ value: 'text' }, { variety: 'test', marshal });\n };\n\n const onPreResponse = (request, h) => {\n\n request.response.charset('abc');\n return h.continue;\n };\n\n const server = Hapi.server();\n server.ext('onPreResponse', onPreResponse);\n\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.headers['content-type']).to.equal('text/html; charset=abc');\n });\n });\n\n describe('redirect()', () => {\n\n it('returns a redirection response', async () => {\n\n const handler = (request, h) => {\n\n return h.response('Please wait while we send your elsewhere').redirect('/example');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('http://example.org/');\n expect(res.result).to.exist();\n expect(res.headers.location).to.equal('/example');\n expect(res.statusCode).to.equal(302);\n });\n\n it('returns a redirection response using verbose call', async () => {\n\n const handler = (request, h) => {\n\n return h.response('We moved!').redirect().location('/examplex');\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.result).to.exist();\n expect(res.result).to.equal('We moved!');\n expect(res.headers.location).to.equal('/examplex');\n expect(res.statusCode).to.equal(302);\n });\n\n it('returns a 301 redirection response', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').permanent().rewritable();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(301);\n });\n\n it('returns a 302 redirection response', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').temporary().rewritable();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(302);\n });\n\n it('returns a 307 redirection response', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').temporary().rewritable(false);\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(307);\n });\n\n it('returns a 308 redirection response', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').permanent().rewritable(false);\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(308);\n });\n\n it('returns a 301 redirection response (reversed methods)', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').rewritable().permanent();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(301);\n });\n\n it('returns a 302 redirection response (reversed methods)', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').rewritable().temporary();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(302);\n });\n\n it('returns a 307 redirection response (reversed methods)', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').rewritable(false).temporary();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(307);\n });\n\n it('returns a 308 redirection response (reversed methods)', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').rewritable(false).permanent();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(308);\n });\n\n it('returns a 302 redirection response (flip flop)', async () => {\n\n const handler = (request, h) => {\n\n return h.response().redirect('example').permanent().temporary();\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(302);\n });\n });\n\n describe('_marshal()', () => {\n\n it('emits request-error when view file for handler not found', async () => {\n\n const server = Hapi.server({ debug: false });\n await server.register(Vision);\n\n server.views({\n engines: { 'html': Handlebars },\n path: __dirname\n });\n\n const log = server.events.once({ name: 'request', channels: 'error' });\n\n server.route({ method: 'GET', path: '/{param}', handler: { view: 'templates/invalid' } });\n\n const res = await server.inject('/hello');\n expect(res.statusCode).to.equal(500);\n expect(res.result).to.exist();\n expect(res.result.message).to.equal('An internal server error occurred');\n\n const [, event] = await log;\n expect(event.error.message).to.contain('The partial x could not be found: The partial x could not be found');\n });\n\n it('returns a formatted response (spaces)', async () => {\n\n const handler = (request) => {\n\n return { a: 1, b: 2, '<': '&' };\n };\n\n const server = Hapi.server({ routes: { json: { space: 4, suffix: '\\n', escape: true } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.payload).to.equal('{\\n \\\"a\\\": 1,\\n \\\"b\\\": 2,\\n \\\"\\\\u003c\\\": \\\"\\\\u0026\\\"\\n}\\n');\n });\n\n it('returns a formatted response (replacer and spaces', async () => {\n\n const handler = (request) => {\n\n return { a: 1, b: 2, '<': '&' };\n };\n\n const server = Hapi.server({ routes: { json: { replacer: ['a', '<'], space: 4, suffix: '\\n', escape: true } } });\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.payload).to.equal('{\\n \\\"a\\\": 1,\\n \\\"\\\\u003c\\\": \\\"\\\\u0026\\\"\\n}\\n');\n });\n\n it('returns a response with options', async () => {\n\n const handler = (request, h) => {\n\n return h.response({ a: 1, b: 2, '<': '&' }).type('application/x-test').spaces(2).replacer(['a']).suffix('\\n').escape(false);\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.payload).to.equal('{\\n \\\"a\\\": 1\\n}\\n');\n expect(res.headers['content-type']).to.equal('application/x-test');\n });\n\n it('returns a response with options (different order)', async () => {\n\n const handler = (request, h) => {\n\n return h.response({ a: 1, b: 2, '<': '&' }).type('application/x-test').escape(false).replacer(['a']).suffix('\\n').spaces(2);\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.payload).to.equal('{\\n \\\"a\\\": 1\\n}\\n');\n expect(res.headers['content-type']).to.equal('application/x-test');\n });\n\n it('captures object which cannot be stringify', async () => {\n\n const handler = (request) => {\n\n const obj = {};\n obj.a = obj;\n return obj;\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('errors on non-readable stream response', async () => {\n\n const streamHandler = (request, h) => {\n\n const stream = new Stream();\n stream.writable = true;\n\n return h.response(stream);\n };\n\n const writableHandler = (request, h) => {\n\n const writable = new Stream.Writable();\n writable._write = function () { };\n\n return h.response(writable);\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/stream', handler: streamHandler });\n server.route({ method: 'GET', path: '/writable', handler: writableHandler });\n\n await server.initialize();\n\n const log1 = server.events.once({ name: 'request', channels: 'error' });\n const res1 = await server.inject('/stream');\n expect(res1.statusCode).to.equal(500);\n\n const [, event1] = await log1;\n expect(event1.error).to.be.an.error('Cannot reply with a stream-like object that is not an instance of Stream.Readable');\n\n const log2 = server.events.once({ name: 'request', channels: 'error' });\n const res2 = await server.inject('/writable');\n expect(res2.statusCode).to.equal(500);\n\n const [, event2] = await log2;\n expect(event2.error).to.be.an.error('Cannot reply with a stream-like object that is not an instance of Stream.Readable');\n });\n\n it('errors on an http client stream response', async () => {\n\n const streamHandler = (request, h) => {\n\n const req = Http.get(request.server.info.uri);\n req.abort();\n return h.response(req);\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/stream', handler: streamHandler });\n\n const log = server.events.once({ name: 'request', channels: 'error' });\n\n await server.initialize();\n const res = await server.inject('/stream');\n expect(res.statusCode).to.equal(500);\n\n const [, event] = await log;\n expect(event.error).to.be.an.error('Cannot reply with a stream-like object that is not an instance of Stream.Readable');\n });\n\n it('errors on a legacy readable stream response', async () => {\n\n const streamHandler = () => {\n\n const stream = new LegacyReadableStream.Readable();\n stream._read = function (size) {\n\n const chunk = new Array(size).join('x');\n\n setTimeout(() => {\n\n this.push(chunk);\n }, 10);\n };\n\n return stream;\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/stream', handler: streamHandler });\n\n const log = server.events.once({ name: 'request', channels: 'error' });\n\n await server.initialize();\n const res = await server.inject('/stream');\n expect(res.statusCode).to.equal(500);\n\n const [, event] = await log;\n expect(event.error).to.be.an.error('Cannot reply with a stream-like object that is not an instance of Stream.Readable');\n });\n\n it('errors on objectMode stream response', async () => {\n\n const TestStream = class extends Stream.Readable {\n\n constructor() {\n\n super({ objectMode: true });\n }\n\n _read(size) {\n\n if (this.isDone) {\n return;\n }\n\n this.isDone = true;\n\n this.push({ x: 1 });\n this.push({ y: 1 });\n this.push(null);\n }\n };\n\n const handler = (request, h) => {\n\n return h.response(new TestStream());\n };\n\n const server = Hapi.server({ debug: false });\n server.route({ method: 'GET', path: '/', handler });\n\n const log = server.events.once({ name: 'request', channels: 'error' });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n\n const [, event] = await log;\n expect(event.error).to.be.an.error('Cannot reply with stream in object mode');\n });\n });\n\n describe('_prepare()', () => {\n\n it('boomifies response prepare error', async () => {\n\n const server = Hapi.server();\n\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => {\n\n const prepare = () => {\n\n throw new Error('boom');\n };\n\n return request.generateResponse('nothing', { variety: 'special', marshal: null, prepare, close: null });\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(500);\n });\n\n it('is only called once for returned responses', async () => {\n\n let calls = 0;\n const pre = (request, h) => {\n\n const prepare = (response) => {\n\n ++calls;\n return response;\n };\n\n return request.generateResponse(null, { prepare });\n };\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n options: {\n pre: [\n { method: pre, assign: 'p' }\n ],\n handler: (request) => request.preResponses.p\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n expect(calls).to.equal(1);\n });\n });\n\n describe('_tap()', () => {\n\n it('peeks into the response stream', async () => {\n\n const server = Hapi.server();\n\n let output = '';\n server.route({\n method: 'GET',\n path: '/',\n handler: (request, h) => {\n\n const response = h.response('1234567890');\n\n response.events.on('peek', (chunk, encoding) => {\n\n output += chunk.toString();\n });\n\n response.events.once('finish', () => {\n\n output += '!';\n });\n\n return response;\n }\n });\n\n await server.inject('/');\n expect(output).to.equal('1234567890!');\n });\n\n it('peeks into the response stream (finish only)', async () => {\n\n const server = Hapi.server();\n\n let output = false;\n server.route({\n method: 'GET',\n path: '/',\n handler: (request, h) => {\n\n const response = h.response('1234567890');\n\n response.events.once('finish', () => {\n\n output = true;\n });\n\n return response;\n }\n });\n\n await server.inject('/');\n expect(output).to.be.true();\n });\n\n it('peeks into the response stream (empty)', async () => {\n\n const server = Hapi.server();\n\n let output = '';\n server.route({\n method: 'GET',\n path: '/',\n handler: (request, h) => {\n\n const response = h.response(null);\n\n response.events.on('peek', (chunk, encoding) => { });\n\n response.events.once('finish', () => {\n\n output += '!';\n });\n\n return response;\n }\n });\n\n await server.inject('/');\n expect(output).to.equal('!');\n });\n\n it('peeks into the response stream (empty 304)', async () => {\n\n const server = Hapi.server();\n\n let output = '';\n server.route({\n method: 'GET',\n path: '/',\n handler: (request, h) => {\n\n const response = h.response(null).code(304);\n\n response.events.on('peek', (chunk, encoding) => { });\n\n response.events.once('finish', () => {\n\n output += '!';\n });\n\n return response;\n }\n });\n\n await server.inject('/');\n expect(output).to.equal('!');\n });\n });\n\n describe('_close()', () => {\n\n it('calls custom close processor', async () => {\n\n let closed = false;\n const close = function (response) {\n\n closed = true;\n };\n\n const handler = (request) => {\n\n return request.generateResponse(null, { close });\n };\n\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', handler });\n\n await server.inject('/');\n expect(closed).to.be.true();\n });\n\n it('logs custom close processor error', async () => {\n\n const close = function (response) {\n\n throw new Error('oops');\n };\n\n const handler = (request) => {\n\n return request.generateResponse(null, { close });\n };\n\n const server = Hapi.server();\n const log = server.events.once('request');\n server.route({ method: 'GET', path: '/', handler });\n\n await server.inject('/');\n const [, event] = await log;\n expect(event.tags).to.equal(['response', 'cleanup', 'error']);\n expect(event.error).to.be.an.error('oops');\n });\n });\n\n describe('Peek', () => {\n\n it('taps into pass-through stream', async () => {\n\n // Source\n\n const Source = class extends Stream.Readable {\n\n constructor(values) {\n\n super();\n this.data = values;\n this.pos = 0;\n }\n\n _read(/* size */) {\n\n if (this.pos === this.data.length) {\n this.push(null);\n return;\n }\n\n this.push(this.data[this.pos++]);\n }\n };\n\n // Target\n\n const Target = class extends Stream.Writable {\n\n constructor() {\n\n super();\n this.data = [];\n }\n\n _write(chunk, encoding, callback) {\n\n this.data.push(chunk.toString());\n return callback();\n }\n };\n\n // Peek\n\n const emitter = new Events.EventEmitter();\n const peek = new Response.Peek(emitter);\n\n const chunks = ['abcd', 'efgh', 'ijkl', 'mnop', 'qrst', 'uvwx'];\n const source = new Source(chunks);\n const target = new Target();\n\n const seen = [];\n emitter.on('peek', (update) => {\n\n const chunk = update[0];\n seen.push(chunk.toString());\n });\n\n const finish = new Promise((resolve) => {\n\n emitter.once('finish', () => {\n\n expect(seen).to.equal(chunks);\n expect(target.data).to.equal(chunks);\n resolve();\n });\n });\n\n source.pipe(peek).pipe(target);\n await finish;\n });\n });\n});\n" }, { "path": "test/route.js", "content": "'use strict';\n\nconst Path = require('path');\n\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Inert = require('@hapi/inert');\nconst Joi = require('joi');\nconst Lab = require('@hapi/lab');\nconst Subtext = require('@hapi/subtext');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('Route', () => {\n\n it('registers with options function', async () => {\n\n const server = Hapi.server();\n server.bind({ a: 1 });\n server.app.b = 2;\n server.route({\n method: 'GET',\n path: '/',\n options: function (srv) {\n\n const a = this.a;\n\n return {\n handler: () => a + srv.app.b\n };\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal(3);\n });\n\n it('registers with config', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'GET',\n path: '/',\n config: {\n handler: () => 'ok'\n }\n });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('ok');\n });\n\n it('throws an error when a route is missing a path', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.route({ method: 'GET', handler: () => null });\n }).to.throw(/\"path\" is required/);\n });\n\n it('throws an error when a route is missing a method', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.route({ path: '/', handler: () => null });\n }).to.throw(/\"method\" is required/);\n });\n\n it('throws an error when a route has a malformed method name', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.route({ method: '\"GET\"', path: '/', handler: () => null });\n }).to.throw(/Invalid route options/);\n });\n\n it('throws an error when a route uses the HEAD method', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.route({ method: 'HEAD', path: '/', handler: () => null });\n }).to.throw('Cannot set HEAD route: /');\n });\n\n it('throws an error when a route is missing a handler', () => {\n\n expect(() => {\n\n const server = Hapi.server();\n server.route({ path: '/test', method: 'put' });\n }).to.throw('Missing or undefined handler: PUT /test');\n });\n\n it('throws when handler is missing in config', () => {\n\n const server = Hapi.server();\n expect(() => {\n\n server.route({ method: 'GET', path: '/', options: {} });\n }).to.throw('Missing or undefined handler: GET /');\n });\n\n it('throws when path has trailing slash and server set to strip', () => {\n\n const server = Hapi.server({ router: { stripTrailingSlash: true } });\n expect(() => {\n\n server.route({ method: 'GET', path: '/test/', handler: () => null });\n }).to.throw('Path cannot end with a trailing slash when configured to strip: GET /test/');\n });\n\n it('allows / when path has trailing slash and server set to strip', () => {\n\n const server = Hapi.server({ router: { stripTrailingSlash: true } });\n expect(() => {\n\n server.route({ method: 'GET', path: '/', handler: () => null });\n }).to.not.throw();\n });\n\n it('sets route plugins and app settings', async () => {\n\n const handler = (request) => (request.route.settings.app.x + request.route.settings.plugins.x.y);\n const server = Hapi.server();\n server.route({ method: 'GET', path: '/', options: { handler, app: { x: 'o' }, plugins: { x: { y: 'k' } } } });\n const res = await server.inject('/');\n expect(res.result).to.equal('ok');\n });\n\n it('throws when validation is set without payload parsing', () => {\n\n const server = Hapi.server();\n expect(() => {\n\n server.route({ method: 'POST', path: '/', handler: () => null, options: { validate: { payload: {}, validator: Joi }, payload: { parse: false } } });\n }).to.throw('Route payload must be set to \\'parse\\' when payload validation enabled: POST /');\n });\n\n it('throws when validation is set without path parameters', () => {\n\n const server = Hapi.server();\n expect(() => {\n\n server.route({ method: 'POST', path: '/', handler: () => null, options: { validate: { params: {} } } });\n }).to.throw('Cannot set path parameters validations without path parameters: POST /');\n });\n\n it('ignores payload when overridden', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'POST',\n path: '/',\n handler: (request) => request.payload\n });\n\n server.ext('onRequest', (request, h) => {\n\n request.payload = 'x';\n return h.continue;\n });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: 'y' });\n expect(res.statusCode).to.equal(200);\n expect(res.result).to.equal('x');\n });\n\n it('ignores payload parsing errors', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'POST',\n path: '/',\n handler: () => 'ok',\n options: {\n payload: {\n parse: true,\n failAction: 'ignore'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: '{a:\"abc\"}' });\n expect(res.statusCode).to.equal(200);\n });\n\n it('logs payload parsing errors', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'POST',\n path: '/',\n handler: () => 'ok',\n options: {\n payload: {\n parse: true,\n failAction: 'log'\n }\n }\n });\n\n let logged;\n server.events.on({ name: 'request', channels: 'internal' }, (request, event, tags) => {\n\n if (tags.payload && tags.error) {\n logged = event;\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: '{a:\"abc\"}' });\n expect(res.statusCode).to.equal(200);\n expect(logged).to.be.an.object();\n expect(logged.error).to.be.an.error('Invalid request payload JSON format');\n expect(logged.error.data).to.be.an.error(SyntaxError, /at position 1/);\n });\n\n it('returns payload parsing errors', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'POST',\n path: '/',\n handler: () => 'ok',\n options: {\n payload: {\n parse: true,\n failAction: 'error'\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: '{a:\"abc\"}' });\n expect(res.statusCode).to.equal(400);\n expect(res.result.message).to.equal('Invalid request payload JSON format');\n });\n\n it('replaces payload parsing errors with custom handler', async () => {\n\n const server = Hapi.server();\n server.route({\n method: 'POST',\n path: '/',\n handler: () => 'ok',\n options: {\n payload: {\n parse: true,\n failAction: function (request, h, error) {\n\n return h.response('This is a custom error').code(418).takeover();\n }\n }\n }\n });\n\n const res = await server.inject({ method: 'POST', url: '/', payload: '{a:\"abc\"}' });\n expect(res.statusCode).to.equal(418);\n expect(res.result).to.equal('This is a custom error');\n });\n\n it('throws when validation is set on GET', () => {\n\n const server = Hapi.server();\n expect(() => {\n\n server.route({ method: 'GET', path: '/', handler: () => null, options: { validate: { payload: {} } } });\n }).to.throw('Cannot validate HEAD or GET request payload: GET /');\n });\n\n it('throws when payload parsing is set on GET', () => {\n\n const server = Hapi.server();\n expect(() => {\n\n server.route({ method: 'GET', path: '/', handler: () => null, options: { payload: { parse: true } } });\n }).to.throw('Cannot set payload settings on HEAD or GET request: GET /');\n });\n\n it('ignores validation on * route when request is GET', async () => {\n\n const server = Hapi.server();\n server.validator(Joi);\n server.route({ method: '*', path: '/', handler: () => null, options: { validate: { payload: { a: Joi.required() } } } });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n });\n\n it('ignores validation on * route when request is HEAD', async () => {\n\n const server = Hapi.server();\n server.validator(Joi);\n server.route({ method: '*', path: '/', handler: () => null, options: { validate: { payload: { a: Joi.required() } } } });\n const res = await server.inject({ url: '/', method: 'HEAD' });\n expect(res.statusCode).to.equal(204);\n });\n\n it('skips payload on * route when request is HEAD', async (flags) => {\n\n const orig = Subtext.parse;\n let called = false;\n Subtext.parse = () => {\n\n called = true;\n };\n\n flags.onCleanup = () => {\n\n Subtext.parse = orig;\n };\n\n const server = Hapi.server();\n server.route({ method: '*', path: '/', handler: () => null });\n const res = await server.inject({ url: '/', method: 'HEAD' });\n expect(res.statusCode).to.equal(204);\n expect(called).to.be.false();\n });\n\n it('throws error when the default routes payload validation is set without payload parsing', () => {\n\n expect(() => {\n\n Hapi.server({ routes: { validate: { payload: {}, validator: Joi }, payload: { parse: false } } });\n }).to.throw('Route payload must be set to \\'parse\\' when payload validation enabled');\n });\n\n it('throws error when the default routes state validation is set without state parsing', () => {\n\n expect(() => {\n\n Hapi.server({ routes: { validate: { state: {}, validator: Joi }, state: { parse: false } } });\n }).to.throw('Route state must be set to \\'parse\\' when state validation enabled');\n });\n\n it('ignores default validation on GET', async () => {\n\n const server = Hapi.server({ routes: { validate: { payload: { a: Joi.required() }, validator: Joi } } });\n server.route({ method: 'GET', path: '/', handler: () => null });\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(204);\n });\n\n it('shallow copies route config bind', async () => {\n\n const server = Hapi.server();\n const context = { key: 'is ' };\n\n let count = 0;\n Object.defineProperty(context, 'test', {\n enumerable: true,\n configurable: true,\n get: function () {\n\n ++count;\n }\n });\n\n const handler = function (request) {\n\n return this.key + (this === context);\n };\n\n server.route({ method: 'GET', path: '/', handler, options: { bind: context } });\n const res = await server.inject('/');\n expect(res.result).to.equal('is true');\n expect(count).to.equal(0);\n });\n\n it('shallow copies route config bind (server.bind())', async () => {\n\n const server = Hapi.server();\n const context = { key: 'is ' };\n\n let count = 0;\n Object.defineProperty(context, 'test', {\n enumerable: true,\n configurable: true,\n get: function () {\n\n ++count;\n }\n });\n\n const handler = function (request) {\n\n return this.key + (this === context);\n };\n\n server.bind(context);\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.result).to.equal('is true');\n expect(count).to.equal(0);\n });\n\n it('shallow copies route config bind (connection defaults)', async () => {\n\n const context = { key: 'is ' };\n const server = Hapi.server({ routes: { bind: context } });\n\n let count = 0;\n Object.defineProperty(context, 'test', {\n enumerable: true,\n configurable: true,\n get: function () {\n\n ++count;\n }\n });\n\n const handler = function (request) {\n\n return this.key + (this === context);\n };\n\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.result).to.equal('is true');\n expect(count).to.equal(0);\n });\n\n it('shallow copies route config bind (server defaults)', async () => {\n\n const context = { key: 'is ' };\n\n let count = 0;\n Object.defineProperty(context, 'test', {\n enumerable: true,\n configurable: true,\n get: function () {\n\n ++count;\n }\n });\n\n const handler = function (request) {\n\n return this.key + (this === context);\n };\n\n const server = Hapi.server({ routes: { bind: context } });\n server.route({ method: 'GET', path: '/', handler });\n const res = await server.inject('/');\n expect(res.result).to.equal('is true');\n expect(count).to.equal(0);\n });\n\n it('overrides server relativeTo', async () => {\n\n const server = Hapi.server();\n await server.register(Inert);\n const handler = (request, h) => h.file('./package.json');\n server.route({ method: 'GET', path: '/file', handler, options: { files: { relativeTo: Path.join(__dirname, '../') } } });\n\n const res = await server.inject('/file');\n expect(res.payload).to.contain('hapi');\n });\n\n it('allows payload timeout more then socket timeout', () => {\n\n expect(() => {\n\n Hapi.server({ routes: { payload: { timeout: 60000 }, timeout: { socket: 12000 } } });\n }).to.not.throw();\n });\n\n it('allows payload timeout more then socket timeout (node default)', () => {\n\n expect(() => {\n\n Hapi.server({ routes: { payload: { timeout: 6000000 } } });\n }).to.not.throw();\n });\n\n it('allows server timeout more then socket timeout', () => {\n\n expect(() => {\n\n Hapi.server({ routes: { timeout: { server: 60000, socket: 12000 } } });\n }).to.not.throw();\n });\n\n it('allows server timeout more then socket timeout (node default)', () => {\n\n expect(() => {\n\n Hapi.server({ routes: { timeout: { server: 6000000 } } });\n }).to.not.throw();\n });\n\n it('ignores large server timeout when socket timeout disabled', () => {\n\n expect(() => {\n\n Hapi.server({ routes: { timeout: { server: 6000000, socket: false } } });\n }).to.not.throw();\n });\n\n describe('extensions', () => {\n\n it('combine connection extensions (route last)', async () => {\n\n const server = Hapi.server();\n const onRequest = (request, h) => {\n\n request.app.x = '1';\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const preAuth = (request, h) => {\n\n request.app.x += '2';\n return h.continue;\n };\n\n server.ext('onPreAuth', preAuth);\n\n const postAuth = (request, h) => {\n\n request.app.x += '3';\n return h.continue;\n };\n\n server.ext('onPostAuth', postAuth);\n\n const preHandler = (request, h) => {\n\n request.app.x += '4';\n return h.continue;\n };\n\n server.ext('onPreHandler', preHandler);\n\n const postHandler = (request, h) => {\n\n request.response.source += '5';\n return h.continue;\n };\n\n server.ext('onPostHandler', postHandler);\n\n const preResponse = (request, h) => {\n\n request.response.source += '6';\n return h.continue;\n };\n\n server.ext('onPreResponse', preResponse);\n\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => request.app.x\n });\n\n const res = await server.inject('/');\n expect(res.result).to.equal('123456');\n });\n\n it('combine connection extensions (route first)', async () => {\n\n const server = Hapi.server();\n\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => request.app.x\n });\n\n const onRequest = (request, h) => {\n\n request.app.x = '1';\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const preAuth = (request, h) => {\n\n request.app.x += '2';\n return h.continue;\n };\n\n server.ext('onPreAuth', preAuth);\n\n const postAuth = (request, h) => {\n\n request.app.x += '3';\n return h.continue;\n };\n\n server.ext('onPostAuth', postAuth);\n\n const preHandler = (request, h) => {\n\n request.app.x += '4';\n return h.continue;\n };\n\n server.ext('onPreHandler', preHandler);\n\n const postHandler = (request, h) => {\n\n request.response.source += '5';\n return h.continue;\n };\n\n server.ext('onPostHandler', postHandler);\n\n const preResponse = (request, h) => {\n\n request.response.source += '6';\n return h.continue;\n };\n\n server.ext('onPreResponse', preResponse);\n\n const res = await server.inject('/');\n expect(res.result).to.equal('123456');\n });\n\n it('combine connection extensions (route middle)', async () => {\n\n const server = Hapi.server();\n\n const onRequest = (request, h) => {\n\n request.app.x = '1';\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const preAuth = (request, h) => {\n\n request.app.x += '2';\n return h.continue;\n };\n\n server.ext('onPreAuth', preAuth);\n\n const postAuth = (request, h) => {\n\n request.app.x += '3';\n return h.continue;\n };\n\n server.ext('onPostAuth', postAuth);\n\n server.route({\n method: 'GET',\n path: '/',\n handler: (request) => request.app.x\n });\n\n const preHandler = (request, h) => {\n\n request.app.x += '4';\n return h.continue;\n };\n\n server.ext('onPreHandler', preHandler);\n\n const postHandler = (request, h) => {\n\n request.response.source += '5';\n return h.continue;\n };\n\n server.ext('onPostHandler', postHandler);\n\n const preResponse = (request, h) => {\n\n request.response.source += '6';\n return h.continue;\n };\n\n server.ext('onPreResponse', preResponse);\n\n const res = await server.inject('/');\n expect(res.result).to.equal('123456');\n });\n\n it('combine connection extensions (mixed sources)', async () => {\n\n const server = Hapi.server();\n\n const preAuth1 = (request, h) => {\n\n request.app.x = '1';\n return h.continue;\n };\n\n server.ext('onPreAuth', preAuth1);\n\n server.route({\n method: 'GET',\n path: '/',\n options: {\n ext: {\n onPreAuth: {\n method: (request, h) => {\n\n request.app.x += '2';\n return h.continue;\n }\n }\n },\n handler: (request) => request.app.x\n }\n });\n\n const preAuth3 = (request, h) => {\n\n request.app.x += '3';\n return h.continue;\n };\n\n server.ext('onPreAuth', preAuth3);\n\n server.route({\n method: 'GET',\n path: '/a',\n handler: (request) => request.app.x\n });\n\n const res1 = await server.inject('/');\n expect(res1.result).to.equal('123');\n\n const res2 = await server.inject('/a');\n expect(res2.result).to.equal('13');\n });\n\n it('skips inner extensions when not found', async () => {\n\n const server = Hapi.server();\n\n let state = '';\n\n const onRequest = (request, h) => {\n\n state += 1;\n return h.continue;\n };\n\n server.ext('onRequest', onRequest);\n\n const preAuth = (request) => {\n\n state += 2;\n return 'ok';\n };\n\n server.ext('onPreAuth', preAuth);\n\n const preResponse = (request, h) => {\n\n state += 3;\n return h.continue;\n };\n\n server.ext('onPreResponse', preResponse);\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(404);\n expect(state).to.equal('13');\n });\n });\n\n describe('rules', () => {\n\n it('compiles rules into config', async () => {\n\n const server = Hapi.server();\n server.validator(Joi);\n\n const processor = (rules) => {\n\n if (!rules) {\n return null;\n }\n\n return { validate: { query: { x: rules.x } } };\n };\n\n server.rules(processor);\n\n server.route({ path: '/1', method: 'GET', handler: () => null, rules: { x: Joi.number().valid(1) } });\n server.route({ path: '/2', method: 'GET', handler: () => null, rules: { x: Joi.number().valid(2) } });\n server.route({ path: '/3', method: 'GET', handler: () => null });\n\n expect((await server.inject('/1?x=1')).statusCode).to.equal(204);\n expect((await server.inject('/1?x=2')).statusCode).to.equal(400);\n expect((await server.inject('/2?x=1')).statusCode).to.equal(400);\n expect((await server.inject('/2?x=2')).statusCode).to.equal(204);\n expect((await server.inject('/3?x=1')).statusCode).to.equal(204);\n expect((await server.inject('/3?x=2')).statusCode).to.equal(204);\n });\n\n it('compiles rules into config (route info)', async () => {\n\n const server = Hapi.server();\n\n const processor = (rules, { method, path }) => {\n\n return { app: { method, path, x: rules.x } };\n };\n\n server.rules(processor);\n\n server.route({ path: '/1', method: 'GET', handler: (request) => request.route.settings.app, rules: { x: 1 } });\n\n expect((await server.inject('/1')).result).to.equal({ x: 1, path: '/1', method: 'get' });\n });\n\n it('compiles rules into config (validate)', () => {\n\n const server = Hapi.server();\n server.validator(Joi);\n\n const processor = (rules) => {\n\n return { validate: { query: { x: rules.x } } };\n };\n\n server.rules(processor, { validate: { schema: { x: Joi.number().required() } } });\n\n server.route({ path: '/1', method: 'GET', handler: () => null, rules: { x: 1 } });\n expect(() => server.route({ path: '/2', method: 'GET', handler: () => null, rules: { x: 'y' } })).to.throw(/must be a number/);\n });\n\n it('compiles rules into config (validate + options)', () => {\n\n const server = Hapi.server();\n server.validator(Joi);\n\n const processor = (rules) => {\n\n return { validate: { query: { x: rules.x } } };\n };\n\n server.rules(processor, { validate: { schema: { x: Joi.number().required() }, options: { allowUnknown: false } } });\n\n server.route({ path: '/1', method: 'GET', handler: () => null, rules: { x: 1 } });\n expect(() => server.route({ path: '/2', method: 'GET', handler: () => null, rules: { x: 1, y: 2 } })).to.throw(/is not allowed/);\n });\n\n it('cascades rules into configs', async () => {\n\n const handler = (request) => {\n\n return request.route.settings.app.x + ':' + Object.keys(request.route.settings.app).join('').slice(0, -1);\n };\n\n const p1 = {\n name: 'p1',\n register: async (srv) => {\n\n const processor = (rules) => {\n\n return { app: { x: '1+' + rules.x, 1: true } };\n };\n\n srv.rules(processor);\n await srv.register(p3);\n srv.route({ path: '/1', method: 'GET', handler, rules: { x: 1 } });\n }\n };\n\n const p2 = {\n name: 'p2',\n register: (srv) => {\n\n const processor = (rules) => {\n\n return { app: { x: '2+' + rules.x, 2: true } };\n };\n\n srv.rules(processor);\n srv.route({ path: '/2', method: 'GET', handler, rules: { x: 2 } });\n }\n };\n\n const p3 = {\n name: 'p3',\n register: async (srv) => {\n\n const processor = (rules) => {\n\n return { app: { x: '3+' + rules.x, 3: true } };\n };\n\n srv.rules(processor);\n await srv.register(p4);\n srv.route({ path: '/3', method: 'GET', handler, rules: { x: 3 } });\n }\n };\n\n const p4 = {\n name: 'p4',\n register: async (srv) => {\n\n await srv.register(p5);\n srv.route({ path: '/4', method: 'GET', handler, rules: { x: 4 } });\n }\n };\n\n const p5 = {\n name: 'p5',\n register: (srv) => {\n\n const processor = (rules) => {\n\n return { app: { x: '5+' + rules.x, 5: true } };\n };\n\n srv.rules(processor);\n srv.route({ path: '/5', method: 'GET', handler, rules: { x: 5 } });\n srv.route({ path: '/6', method: 'GET', handler, rules: { x: 6 }, config: { app: { x: '7' } } });\n }\n };\n\n const server = Hapi.server();\n\n const processor0 = (rules) => {\n\n return { app: { x: '0+' + rules.x, 0: true } };\n };\n\n server.rules(processor0);\n await server.register([p1, p2]);\n\n server.route({ path: '/0', method: 'GET', handler, rules: { x: 0 } });\n\n expect((await server.inject('/0')).result).to.equal('0+0:0');\n expect((await server.inject('/1')).result).to.equal('1+1:01');\n expect((await server.inject('/2')).result).to.equal('2+2:02');\n expect((await server.inject('/3')).result).to.equal('3+3:013');\n expect((await server.inject('/4')).result).to.equal('3+4:013');\n expect((await server.inject('/5')).result).to.equal('5+5:0135');\n expect((await server.inject('/6')).result).to.equal('7:0135');\n });\n });\n\n describe('drain()', () => {\n\n it('drains the request payload on 404', async () => {\n\n const server = Hapi.server();\n const res = await server.inject({ method: 'POST', url: '/nope', payload: 'something' });\n expect(res.statusCode).to.equal(404);\n expect(res.raw.req._readableState.ended).to.be.true();\n });\n });\n});\n" }, { "path": "test/security.js", "content": "'use strict';\n\nconst Code = require('@hapi/code');\nconst Hapi = require('..');\nconst Lab = require('@hapi/lab');\n\n\nconst internals = {};\n\n\nconst { describe, it } = exports.lab = Lab.script();\nconst expect = Code.expect;\n\n\ndescribe('security', () => {\n\n it('handles missing routes', async () => {\n\n const server = Hapi.server({ port: 8080, routes: { security: { xframe: true } } });\n\n const res = await server.inject('/');\n expect(res.statusCode).to.equal(404);\n expect(res.headers['x-frame-options']).to.exist();\n });\n\n it('blocks response splitting through the request.create method', async () => {\n\n const server = Hapi.server();\n const handler = (request, h) => h.response('Moved').created('/item/' + request.payload.name);\n server.route({ method: 'POST', path: '/item', handler });\n\n const res = await server.inject({\n method: 'POST', url: '/item',\n payload: '{\"name\": \"foobar\\r\\nContent-Length: \\r\\n\\r\\nHTTP/1.1 200 OK\\r\\nContent-Type: text/html\\r\\nContent-Length: 19\\r\\n\\r\\nShazam\"}',\n headers: { 'Content-Type': 'application/json' }\n });\n\n expect(res.statusCode).to.equal(400);\n });\n\n it('prevents xss with invalid content types', async () => {\n\n const server = Hapi.server();\n server.state('encoded', { encoding: 'iron' });\n server.route({\n method: 'POST', path: '/',\n handler: () => 'Success'\n });\n\n const res = await server.inject({\n method: 'POST',\n url: '/',\n payload: '{\"something\":\"something\"}',\n headers: { 'content-type': ';' }\n });\n\n expect(res.result.message).to.not.contain('script');\n });\n\n it('prevents xss with invalid cookie values in the request', async () => {\n\n const server = Hapi.server();\n server.state('encoded', { encoding: 'iron' });\n server.route({\n method: 'POST', path: '/',\n handler: () => 'Success'\n });\n\n const res = await server.inject({\n method: 'POST',\n url: '/',\n payload: '{\"something\":\"something\"}',\n headers: { cookie: 'encoded=\"\";' }\n });\n\n expect(res.result.message).to.not.contain('=value;' }\n });\n\n expect(res.result.message).to.not.contain('