# @hapi/hapi
#### The Simple, Secure Framework Developers Trust
Build powerful, scalable applications, with minimal overhead and full out-of-the-box functionality - your code, your way.
### Visit the [hapi.dev](https://hapi.dev) Developer Portal for tutorials, documentation, and support
## Useful resources
- [Documentation and API](https://hapi.dev/)
- [Version status](https://hapi.dev/resources/status/#hapi) (builds, dependencies, node versions, licenses, eol)
- [Changelog](https://hapi.dev/resources/changelog/)
- [Project policies](https://hapi.dev/policies/)
- [Support](https://hapi.dev/support/)
## Technical Steering Committee (TSC) Members
- Devin Ivy ([@devinivy](https://github.com/devinivy))
- Lloyd Benson ([@lloydbenson](https://github.com/lloydbenson))
- Nathan LaFreniere ([@nlf](https://github.com/nlf))
- Wyatt Lyon Preul ([@geek](https://github.com/geek))
- Nicolas Morel ([@marsup](https://github.com/marsup))
- Jonathan Samines ([@jonathansamines](https://github.com/jonathansamines))
================================================
FILE: SPONSORS.md
================================================
We'd like to thank our sponsors as well as the legacy sponsors who have supported hapi throughout the years. Thanks so much for your support!
> Below are hapi's top recurring sponsors, but there are many more to thank. For the complete list, see [hapi.dev/policies/sponsors](https://hapi.dev/policies/sponsors/) or [hapijs/.github/SPONSORS.md](https://github.com/hapijs/.github/blob/master/SPONSORS.md).
# Staff Sponsors
- [Big Room Studios](https://www.bigroomstudios.com/)
- [Dixeed](https://dixeed.com/)
# Top Sponsors
- Fabian Gündel / [DataWrapper.de](https://www.datawrapper.de/)
- Devin Stewart
- [Raider.IO](https://raider.io/)
- [Florence Healthcare](https://florencehc.com/)
================================================
FILE: lib/auth.js
================================================
'use strict';
const Boom = require('@hapi/boom');
const Bounce = require('@hapi/bounce');
const Hoek = require('@hapi/hoek');
const Config = require('./config');
const Request = require('./request');
const internals = {
missing: Symbol('missing')
};
exports = module.exports = internals.Auth = class {
#core = null;
#schemes = {};
#strategies = {};
api = {}; // Do not reassign api or settings, as they are referenced in public()
settings = {
default: null // Strategy used as default if route has no auth settings
};
constructor(core) {
this.#core = core;
}
public(server) {
return {
api: this.api,
settings: this.settings,
scheme: this.scheme.bind(this),
strategy: this._strategy.bind(this, server),
default: this.default.bind(this),
test: this.test.bind(this),
verify: this.verify.bind(this),
lookup: this.lookup.bind(this)
};
}
scheme(name, scheme) {
Hoek.assert(name, 'Authentication scheme must have a name');
Hoek.assert(!this.#schemes[name], 'Authentication scheme name already exists:', name);
Hoek.assert(typeof scheme === 'function', 'scheme must be a function:', name);
this.#schemes[name] = scheme;
}
_strategy(server, name, scheme, options = {}) {
Hoek.assert(name, 'Authentication strategy must have a name');
Hoek.assert(typeof options === 'object', 'options must be an object');
Hoek.assert(!this.#strategies[name], 'Authentication strategy name already exists');
Hoek.assert(scheme, 'Authentication strategy', name, 'missing scheme');
Hoek.assert(this.#schemes[scheme], 'Authentication strategy', name, 'uses unknown scheme:', scheme);
server = server._clone();
const strategy = this.#schemes[scheme](server, options);
Hoek.assert(strategy.authenticate, 'Invalid scheme:', name, 'missing authenticate() method');
Hoek.assert(typeof strategy.authenticate === 'function', 'Invalid scheme:', name, 'invalid authenticate() method');
Hoek.assert(!strategy.payload || typeof strategy.payload === 'function', 'Invalid scheme:', name, 'invalid payload() method');
Hoek.assert(!strategy.response || typeof strategy.response === 'function', 'Invalid scheme:', name, 'invalid response() method');
strategy.options = strategy.options ?? {};
Hoek.assert(strategy.payload || !strategy.options.payload, 'Cannot require payload validation without a payload method');
this.#strategies[name] = {
methods: strategy,
realm: server.realm
};
if (strategy.api) {
this.api[name] = strategy.api;
}
}
default(options) {
Hoek.assert(!this.settings.default, 'Cannot set default strategy more than once');
options = Config.apply('auth', options, 'default strategy');
this.settings.default = this._setupRoute(Hoek.clone(options)); // Prevent changes to options
const routes = this.#core.router.table();
for (const route of routes) {
route.rebuild();
}
}
async test(name, request) {
Hoek.assert(name, 'Missing authentication strategy name');
const strategy = this.#strategies[name];
Hoek.assert(strategy, 'Unknown authentication strategy:', name);
const bind = strategy.methods;
const realm = strategy.realm;
const response = await request._core.toolkit.execute(strategy.methods.authenticate, request, { bind, realm, auth: true });
if (!response.isAuth) {
throw response;
}
if (response.error) {
throw response.error;
}
return response.data;
}
async verify(request) {
const auth = request.auth;
if (auth.error) {
throw auth.error;
}
if (!auth.isAuthenticated) {
return;
}
const strategy = this.#strategies[auth.strategy];
Hoek.assert(strategy, 'Unknown authentication strategy:', auth.strategy);
if (!strategy.methods.verify) {
return;
}
const bind = strategy.methods;
await strategy.methods.verify.call(bind, auth);
}
static testAccess(request, route) {
const auth = request._core.auth;
try {
return auth._access(request, route);
}
catch (err) {
Bounce.rethrow(err, 'system');
return false;
}
}
_setupRoute(options, path) {
if (!options) {
return options; // Preserve the difference between undefined and false
}
if (typeof options === 'string') {
options = { strategies: [options] };
}
else if (options.strategy) {
options.strategies = [options.strategy];
delete options.strategy;
}
if (path &&
!options.strategies) {
Hoek.assert(this.settings.default, 'Route missing authentication strategy and no default defined:', path);
options = Hoek.applyToDefaults(this.settings.default, options);
}
path = path ?? 'default strategy';
Hoek.assert(options.strategies?.length, 'Missing authentication strategy:', path);
options.mode = options.mode ?? 'required';
if (options.entity !== undefined || // Backwards compatibility with <= 11.x.x
options.scope !== undefined) {
options.access = [{ entity: options.entity, scope: options.scope }];
delete options.entity;
delete options.scope;
}
if (options.access) {
for (const access of options.access) {
access.scope = internals.setupScope(access);
}
}
if (options.payload === true) {
options.payload = 'required';
}
let hasAuthenticatePayload = false;
for (const name of options.strategies) {
const strategy = this.#strategies[name];
Hoek.assert(strategy, 'Unknown authentication strategy', name, 'in', path);
Hoek.assert(strategy.methods.payload || options.payload !== 'required', 'Payload validation can only be required when all strategies support it in', path);
hasAuthenticatePayload = hasAuthenticatePayload || strategy.methods.payload;
Hoek.assert(!strategy.methods.options.payload || options.payload === undefined || options.payload === 'required', 'Cannot set authentication payload to', options.payload, 'when a strategy requires payload validation in', path);
}
Hoek.assert(!options.payload || hasAuthenticatePayload, 'Payload authentication requires at least one strategy with payload support in', path);
return options;
}
lookup(route) {
if (route.settings.auth === false) {
return false;
}
return route.settings.auth || this.settings.default;
}
_enabled(route, type) {
const config = this.lookup(route);
if (!config) {
return false;
}
if (type === 'authenticate') {
return true;
}
if (type === 'access') {
return !!config.access;
}
for (const name of config.strategies) {
const strategy = this.#strategies[name];
if (strategy.methods[type]) {
return true;
}
}
return false;
}
static authenticate(request) {
const auth = request._core.auth;
return auth._authenticate(request);
}
async _authenticate(request) {
const config = this.lookup(request.route);
const errors = [];
request.auth.mode = config.mode;
// Injection bypass
if (request.auth.credentials) {
internals.validate(null, { credentials: request.auth.credentials, artifacts: request.auth.artifacts }, request.auth.strategy, config, request, errors);
return;
}
// Try each strategy
for (const name of config.strategies) {
const strategy = this.#strategies[name];
const bind = strategy.methods;
const realm = strategy.realm;
const response = await request._core.toolkit.execute(strategy.methods.authenticate, request, { bind, realm, auth: true });
const message = (response.isAuth ? internals.validate(response.error, response.data, name, config, request, errors) : internals.validate(response, null, name, config, request, errors));
if (!message) {
return;
}
if (message !== internals.missing) {
return message;
}
}
// No more strategies
const err = Boom.unauthorized('Missing authentication', errors);
if (config.mode === 'required') {
throw err;
}
request.auth.isAuthenticated = false;
request.auth.credentials = null;
request.auth.error = err;
request._log(['auth', 'unauthenticated']);
}
static access(request) {
const auth = request._core.auth;
request.auth.isAuthorized = auth._access(request);
}
_access(request, route) {
const config = this.lookup(route || request.route);
if (!config?.access) {
return true;
}
const credentials = request.auth.credentials;
if (!credentials) {
if (config.mode !== 'required') {
return false;
}
throw Boom.forbidden('Request is unauthenticated');
}
const requestEntity = (credentials.user ? 'user' : 'app');
const scopeErrors = [];
for (const access of config.access) {
// Check entity
const entity = access.entity;
if (entity &&
entity !== 'any' &&
entity !== requestEntity) {
continue;
}
// Check scope
let scope = access.scope;
if (scope) {
if (!credentials.scope) {
scopeErrors.push(scope);
continue;
}
scope = internals.expandScope(request, scope);
if (!internals.validateScope(credentials, scope, 'required') ||
!internals.validateScope(credentials, scope, 'selection') ||
!internals.validateScope(credentials, scope, 'forbidden')) {
scopeErrors.push(scope);
continue;
}
}
return true;
}
// Scope error
if (scopeErrors.length) {
request._log(['auth', 'scope', 'error']);
throw Boom.forbidden('Insufficient scope', { got: credentials.scope, need: scopeErrors });
}
// Entity error
if (requestEntity === 'app') {
request._log(['auth', 'entity', 'user', 'error']);
throw Boom.forbidden('Application credentials cannot be used on a user endpoint');
}
request._log(['auth', 'entity', 'app', 'error']);
throw Boom.forbidden('User credentials cannot be used on an application endpoint');
}
static async payload(request) {
if (!request.auth.isAuthenticated || !request.auth[Request.symbols.authPayload]) {
return;
}
const auth = request._core.auth;
const strategy = auth.#strategies[request.auth.strategy];
Hoek.assert(strategy, 'Unknown authentication strategy:', request.auth.strategy);
if (!strategy.methods.payload) {
return;
}
const config = auth.lookup(request.route);
const setting = config.payload ?? (strategy.methods.options.payload ? 'required' : false);
if (!setting) {
return;
}
const bind = strategy.methods;
const realm = strategy.realm;
const response = await request._core.toolkit.execute(strategy.methods.payload, request, { bind, realm });
if (response.isBoom &&
response.isMissing) {
return setting === 'optional' ? undefined : Boom.unauthorized('Missing payload authentication');
}
return response;
}
static async response(response) {
const request = response.request;
const auth = request._core.auth;
if (!request.auth.isAuthenticated) {
return;
}
const strategy = auth.#strategies[request.auth.strategy];
Hoek.assert(strategy, 'Unknown authentication strategy:', request.auth.strategy);
if (!strategy.methods.response) {
return;
}
const bind = strategy.methods;
const realm = strategy.realm;
const error = await request._core.toolkit.execute(strategy.methods.response, request, { bind, realm, continue: 'undefined' });
if (error) {
throw error;
}
}
};
internals.setupScope = function (access) {
// No scopes
if (!access.scope) {
return false;
}
// Already setup
if (!Array.isArray(access.scope)) {
return access.scope;
}
const scope = {};
for (const value of access.scope) {
const prefix = value[0];
const type = prefix === '+' ? 'required' : (prefix === '!' ? 'forbidden' : 'selection');
const clean = type === 'selection' ? value : value.slice(1);
scope[type] = scope[type] ?? [];
scope[type].push(clean);
if ((!scope._hasParameters?.[type]) &&
/{([^}]+)}/.test(clean)) {
scope._hasParameters = scope._hasParameters ?? {};
scope._hasParameters[type] = true;
}
}
return scope;
};
internals.validate = function (err, result, name, config, request, errors) { // err can be Boom, Error, or a valid response object
result = result ?? {};
request.auth.isAuthenticated = !err;
if (err) {
// Non-error response
if (err instanceof Error === false) {
request._log(['auth', 'unauthenticated', 'response', name], { statusCode: err.statusCode });
return err;
}
// Missing authenticated
if (err.isMissing) {
request._log(['auth', 'unauthenticated', 'missing', name], err);
errors.push(err.output.headers['WWW-Authenticate']);
return internals.missing;
}
}
request.auth.strategy = name;
request.auth.credentials = result.credentials;
request.auth.artifacts = result.artifacts;
// Authenticated
if (!err) {
return;
}
// Unauthenticated
request.auth.error = err;
if (config.mode === 'try') {
request._log(['auth', 'unauthenticated', 'try', name], err);
return;
}
request._log(['auth', 'unauthenticated', 'error', name], err);
throw err;
};
internals.expandScope = function (request, scope) {
if (!scope._hasParameters) {
return scope;
}
const expanded = {
required: internals.expandScopeType(request, scope, 'required'),
selection: internals.expandScopeType(request, scope, 'selection'),
forbidden: internals.expandScopeType(request, scope, 'forbidden')
};
return expanded;
};
internals.expandScopeType = function (request, scope, type) {
if (!scope._hasParameters[type]) {
return scope[type];
}
const expanded = [];
const context = {
params: request.params,
query: request.query,
payload: request.payload,
credentials: request.auth.credentials
};
for (const template of scope[type]) {
expanded.push(Hoek.reachTemplate(context, template));
}
return expanded;
};
internals.validateScope = function (credentials, scope, type) {
if (!scope[type]) {
return true;
}
const count = typeof credentials.scope === 'string' ?
scope[type].indexOf(credentials.scope) !== -1 ? 1 : 0 :
Hoek.intersect(scope[type], credentials.scope).length;
if (type === 'forbidden') {
return count === 0;
}
if (type === 'required') {
return count === scope.required.length;
}
return !!count;
};
================================================
FILE: lib/compression.js
================================================
'use strict';
const Zlib = require('zlib');
const Accept = require('@hapi/accept');
const Bounce = require('@hapi/bounce');
const Hoek = require('@hapi/hoek');
const internals = {
common: ['gzip, deflate', 'deflate, gzip', 'gzip', 'deflate', 'gzip, deflate, br']
};
exports = module.exports = internals.Compression = class {
decoders = {
gzip: (options) => Zlib.createGunzip(options),
deflate: (options) => Zlib.createInflate(options)
};
encodings = ['identity', 'gzip', 'deflate'];
encoders = {
identity: null,
gzip: (options) => Zlib.createGzip(options),
deflate: (options) => Zlib.createDeflate(options)
};
#common = null;
constructor() {
this._updateCommons();
}
_updateCommons() {
this.#common = new Map();
for (const header of internals.common) {
this.#common.set(header, Accept.encoding(header, this.encodings));
}
}
addEncoder(encoding, encoder) {
Hoek.assert(this.encoders[encoding] === undefined, `Cannot override existing encoder for ${encoding}`);
Hoek.assert(typeof encoder === 'function', `Invalid encoder function for ${encoding}`);
this.encoders[encoding] = encoder;
this.encodings.unshift(encoding);
this._updateCommons();
}
addDecoder(encoding, decoder) {
Hoek.assert(this.decoders[encoding] === undefined, `Cannot override existing decoder for ${encoding}`);
Hoek.assert(typeof decoder === 'function', `Invalid decoder function for ${encoding}`);
this.decoders[encoding] = decoder;
}
accept(request) {
const header = request.headers['accept-encoding'];
if (!header) {
return 'identity';
}
const common = this.#common.get(header);
if (common) {
return common;
}
try {
return Accept.encoding(header, this.encodings);
}
catch (err) {
Bounce.rethrow(err, 'system');
err.header = header;
request._log(['accept-encoding', 'error'], err);
return 'identity';
}
}
encoding(response, length) {
if (response.settings.compressed) {
response.headers['content-encoding'] = response.settings.compressed;
return null;
}
const request = response.request;
if (!request._core.settings.compression ||
length !== null && length < request._core.settings.compression.minBytes) {
return null;
}
const mime = request._core.mime.type(response.headers['content-type'] || 'application/octet-stream');
if (!mime.compressible) {
return null;
}
response.vary('accept-encoding');
if (response.headers['content-encoding']) {
return null;
}
return request.info.acceptEncoding === 'identity' ? null : request.info.acceptEncoding;
}
encoder(request, encoding) {
const encoder = this.encoders[encoding];
Hoek.assert(encoder !== undefined, `Unknown encoding ${encoding}`);
return encoder(request.route.settings.compression[encoding]);
}
};
================================================
FILE: lib/config.js
================================================
'use strict';
const Os = require('os');
const Somever = require('@hapi/somever');
const Validate = require('@hapi/validate');
const internals = {};
exports.symbol = Symbol('hapi-response');
exports.apply = function (type, options, ...message) {
const result = internals[type].validate(options);
if (result.error) {
throw new Error(`Invalid ${type} options ${message.length ? '(' + message.join(' ') + ')' : ''} ${result.error.annotate()}`);
}
return result.value;
};
exports.enable = function (options) {
const settings = options ? Object.assign({}, options) : {}; // Shallow cloned
if (settings.security === true) {
settings.security = {};
}
if (settings.cors === true) {
settings.cors = {};
}
return settings;
};
exports.versionMatch = (version, range) => Somever.match(version, range, { includePrerelease: true });
internals.access = Validate.object({
entity: Validate.valid('user', 'app', 'any'),
scope: [false, Validate.array().items(Validate.string()).single().min(1)]
});
internals.auth = Validate.alternatives([
Validate.string(),
internals.access.keys({
mode: Validate.valid('required', 'optional', 'try'),
strategy: Validate.string(),
strategies: Validate.array().items(Validate.string()).min(1),
access: Validate.array().items(internals.access.min(1)).single().min(1),
payload: [
Validate.valid('required', 'optional'),
Validate.boolean()
]
})
.without('strategy', 'strategies')
.without('access', ['scope', 'entity'])
]);
internals.event = Validate.object({
method: Validate.array().items(Validate.function()).single(),
options: Validate.object({
before: Validate.array().items(Validate.string()).single(),
after: Validate.array().items(Validate.string()).single(),
bind: Validate.any(),
sandbox: Validate.valid('server', 'plugin'),
timeout: Validate.number().integer().min(1)
})
.default({})
});
internals.exts = Validate.array()
.items(internals.event.keys({ type: Validate.string().required() })).single();
internals.failAction = Validate.alternatives([
Validate.valid('error', 'log', 'ignore'),
Validate.function()
])
.default('error');
internals.routeBase = Validate.object({
app: Validate.object().allow(null),
auth: internals.auth.allow(false),
bind: Validate.object().allow(null),
cache: Validate.object({
expiresIn: Validate.number(),
expiresAt: Validate.string(),
privacy: Validate.valid('default', 'public', 'private'),
statuses: Validate.array().items(Validate.number().integer().min(200)).min(1).single().default([200, 204]),
otherwise: Validate.string().default('no-cache')
})
.allow(false)
.default(),
compression: Validate.object()
.pattern(/.+/, Validate.object())
.default(),
cors: Validate.object({
origin: Validate.array().min(1).allow('ignore').default(['*']),
maxAge: Validate.number().default(86400),
headers: Validate.array().items(Validate.string()).default(['Accept', 'Authorization', 'Content-Type', 'If-None-Match']),
additionalHeaders: Validate.array().items(Validate.string()).default([]),
exposedHeaders: Validate.array().items(Validate.string()).default(['WWW-Authenticate', 'Server-Authorization']),
additionalExposedHeaders: Validate.array().items(Validate.string()).default([]),
credentials: Validate.boolean().when('origin', { is: 'ignore', then: false }).default(false),
preflightStatusCode: Validate.valid(200, 204).default(200)
})
.allow(false, true)
.default(false),
ext: Validate.object({
onPreAuth: Validate.array().items(internals.event).single(),
onCredentials: Validate.array().items(internals.event).single(),
onPostAuth: Validate.array().items(internals.event).single(),
onPreHandler: Validate.array().items(internals.event).single(),
onPostHandler: Validate.array().items(internals.event).single(),
onPreResponse: Validate.array().items(internals.event).single(),
onPostResponse: Validate.array().items(internals.event).single()
})
.default({}),
files: Validate.object({
relativeTo: Validate.string().pattern(/^([\/\.])|([A-Za-z]:\\)|(\\\\)/).default('.')
})
.default(),
json: Validate.object({
replacer: Validate.alternatives(Validate.function(), Validate.array()).allow(null).default(null),
space: Validate.number().allow(null).default(null),
suffix: Validate.string().allow(null).default(null),
escape: Validate.boolean().default(false)
})
.default(),
log: Validate.object({
collect: Validate.boolean().default(false)
})
.default(),
payload: Validate.object({
output: Validate.valid('data', 'stream', 'file').default('data'),
parse: Validate.boolean().allow('gunzip').default(true),
multipart: Validate.object({
output: Validate.valid('data', 'stream', 'file', 'annotated').required()
})
.default(false)
.allow(true, false),
allow: Validate.array().items(Validate.string()).single(),
override: Validate.string(),
protoAction: Validate.valid('error', 'remove', 'ignore').default('error'),
maxBytes: Validate.number().integer().positive().default(1024 * 1024),
maxParts: Validate.number().integer().positive().default(1000),
uploads: Validate.string().default(Os.tmpdir()),
failAction: internals.failAction,
timeout: Validate.number().integer().positive().allow(false).default(10 * 1000),
defaultContentType: Validate.string().default('application/json'),
compression: Validate.object()
.pattern(/.+/, Validate.object())
.default()
})
.default(),
plugins: Validate.object(),
response: Validate.object({
disconnectStatusCode: Validate.number().integer().min(400).default(499),
emptyStatusCode: Validate.valid(200, 204).default(204),
failAction: internals.failAction,
modify: Validate.boolean(),
options: Validate.object(),
ranges: Validate.boolean().default(true),
sample: Validate.number().min(0).max(100).when('modify', { then: Validate.forbidden() }),
schema: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(true, false),
status: Validate.object().pattern(/\d\d\d/, Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(true, false))
})
.default(),
security: Validate.object({
hsts: Validate.alternatives([
Validate.object({
maxAge: Validate.number(),
includeSubdomains: Validate.boolean(),
includeSubDomains: Validate.boolean(),
preload: Validate.boolean()
}),
Validate.boolean(),
Validate.number()
])
.default(15768000),
xframe: Validate.alternatives([
Validate.boolean(),
Validate.valid('sameorigin', 'deny'),
Validate.object({
rule: Validate.valid('sameorigin', 'deny', 'allow-from'),
source: Validate.string()
})
])
.default('deny'),
xss: Validate.valid('enabled', 'disabled', false).default('disabled'),
noOpen: Validate.boolean().default(true),
noSniff: Validate.boolean().default(true),
referrer: Validate.alternatives([
Validate.boolean().valid(false),
Validate.valid('', 'no-referrer', 'no-referrer-when-downgrade',
'unsafe-url', 'same-origin', 'origin', 'strict-origin',
'origin-when-cross-origin', 'strict-origin-when-cross-origin')
])
.default(false)
})
.allow(null, false, true)
.default(false),
state: Validate.object({
parse: Validate.boolean().default(true),
failAction: internals.failAction
})
.default(),
timeout: Validate.object({
socket: Validate.number().integer().positive().allow(false),
server: Validate.number().integer().positive().allow(false).default(false)
})
.default(),
validate: Validate.object({
headers: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, true),
params: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, true),
query: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, false, true),
payload: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, false, true),
state: Validate.alternatives(Validate.object(), Validate.array(), Validate.function()).allow(null, false, true),
failAction: internals.failAction,
errorFields: Validate.object(),
options: Validate.object().default(),
validator: Validate.object()
})
.default()
});
internals.server = Validate.object({
address: Validate.string().hostname(),
app: Validate.object().allow(null),
autoListen: Validate.boolean(),
cache: Validate.allow(null), // Validated elsewhere
compression: Validate.object({
minBytes: Validate.number().min(1).integer().default(1024)
})
.allow(false)
.default(),
debug: Validate.object({
request: Validate.array().items(Validate.string()).single().allow(false).default(['implementation']),
log: Validate.array().items(Validate.string()).single().allow(false)
})
.allow(false)
.default(),
host: Validate.string().hostname().allow(null),
info: Validate.object({
remote: Validate.boolean().default(false)
})
.default({}),
listener: Validate.any(),
load: Validate.object({
sampleInterval: Validate.number().integer().min(0).default(0)
})
.unknown()
.default(),
mime: Validate.object().empty(null).default(),
operations: Validate.object({
cleanStop: Validate.boolean().default(true)
})
.default(),
plugins: Validate.object(),
port: Validate.alternatives([
Validate.number().integer().min(0), // TCP port
Validate.string().pattern(/\//), // Unix domain socket
Validate.string().pattern(/^\\\\\.\\pipe\\/) // Windows named pipe
])
.allow(null),
query: Validate.object({
parser: Validate.function()
})
.default(),
router: Validate.object({
isCaseSensitive: Validate.boolean().default(true),
stripTrailingSlash: Validate.boolean().default(false)
})
.default(),
routes: internals.routeBase.default(),
state: Validate.object(), // Cookie defaults
tls: Validate.alternatives([
Validate.object().allow(null),
Validate.boolean()
]),
uri: Validate.string().pattern(/[^/]$/)
});
internals.vhost = Validate.alternatives([
Validate.string().hostname(),
Validate.array().items(Validate.string().hostname()).min(1)
]);
internals.handler = Validate.alternatives([
Validate.function(),
Validate.object().length(1)
]);
internals.route = Validate.object({
method: Validate.string().pattern(/^[a-zA-Z0-9!#\$%&'\*\+\-\.^_`\|~]+$/).required(),
path: Validate.string().required(),
rules: Validate.object(),
vhost: internals.vhost,
// Validated in route construction
handler: Validate.any(),
options: Validate.any(),
config: Validate.any() // Backwards compatibility
})
.without('config', 'options');
internals.pre = [
Validate.function(),
Validate.object({
method: Validate.alternatives(Validate.string(), Validate.function()).required(),
assign: Validate.string(),
mode: Validate.valid('serial', 'parallel'),
failAction: internals.failAction
})
];
internals.routeConfig = internals.routeBase.keys({
description: Validate.string(),
id: Validate.string(),
isInternal: Validate.boolean(),
notes: [
Validate.string(),
Validate.array().items(Validate.string())
],
pre: Validate.array().items(...internals.pre.concat(Validate.array().items(...internals.pre).min(1))),
tags: [
Validate.string(),
Validate.array().items(Validate.string())
]
});
internals.cacheConfig = Validate.alternatives([
Validate.function(),
Validate.object({
name: Validate.string().invalid('_default'),
shared: Validate.boolean(),
provider: [
Validate.function(),
{
constructor: Validate.function().required(),
options: Validate.object({
partition: Validate.string().default('hapi-cache')
})
.unknown() // Catbox client validates other keys
.default({})
}
],
engine: Validate.object()
})
.xor('provider', 'engine')
]);
internals.cache = Validate.array().items(internals.cacheConfig).min(1).single();
internals.cachePolicy = Validate.object({
cache: Validate.string().allow(null).allow(''),
segment: Validate.string(),
shared: Validate.boolean()
})
.unknown(); // Catbox policy validates other keys
internals.method = Validate.object({
bind: Validate.object().allow(null),
generateKey: Validate.function(),
cache: internals.cachePolicy
});
internals.methodObject = Validate.object({
name: Validate.string().required(),
method: Validate.function().required(),
options: Validate.object()
});
internals.register = Validate.object({
once: true,
routes: Validate.object({
prefix: Validate.string().pattern(/^\/.+/),
vhost: internals.vhost
})
.default({})
});
internals.semver = Validate.string();
internals.plugin = internals.register.keys({
options: Validate.any(),
plugin: Validate.object({
register: Validate.function().required(),
name: Validate.string().when('pkg.name', { is: Validate.exist(), otherwise: Validate.required() }),
version: Validate.string(),
multiple: Validate.boolean().default(false),
dependencies: [
Validate.array().items(Validate.string()).single(),
Validate.object().pattern(/.+/, internals.semver)
],
once: true,
requirements: Validate.object({
hapi: Validate.string(),
node: Validate.string()
})
.default(),
pkg: Validate.object({
name: Validate.string(),
version: Validate.string().default('0.0.0')
})
.unknown()
.default({})
})
.unknown()
})
.without('once', 'options')
.unknown();
internals.rules = Validate.object({
validate: Validate.object({
schema: Validate.alternatives(Validate.object(), Validate.array()).required(),
options: Validate.object()
.default({ allowUnknown: true })
})
});
================================================
FILE: lib/core.js
================================================
'use strict';
const Http = require('http');
const Https = require('https');
const Os = require('os');
const Path = require('path');
const Boom = require('@hapi/boom');
const Bounce = require('@hapi/bounce');
const Call = require('@hapi/call');
const Catbox = require('@hapi/catbox');
const { Engine: CatboxMemory } = require('@hapi/catbox-memory');
const { Heavy } = require('@hapi/heavy');
const Hoek = require('@hapi/hoek');
const { Mimos } = require('@hapi/mimos');
const Podium = require('@hapi/podium');
const Statehood = require('@hapi/statehood');
const Auth = require('./auth');
const Compression = require('./compression');
const Config = require('./config');
const Cors = require('./cors');
const Ext = require('./ext');
const Methods = require('./methods');
const Request = require('./request');
const Response = require('./response');
const Route = require('./route');
const Toolkit = require('./toolkit');
const Validation = require('./validation');
const internals = {
counter: {
min: 10000,
max: 99999
},
events: [
{ name: 'cachePolicy', spread: true },
{ name: 'log', channels: ['app', 'internal'], tags: true },
{ name: 'request', channels: ['app', 'internal', 'error'], tags: true, spread: true },
'response',
'route',
'start',
'closing',
'stop'
],
badRequestResponse: Buffer.from('HTTP/1.1 400 Bad Request\r\n\r\n', 'ascii')
};
exports = module.exports = internals.Core = class {
actives = new WeakMap(); // Active requests being processed
app = {};
auth = new Auth(this);
caches = new Map(); // Cache clients
compression = new Compression();
controlled = null; // Other servers linked to the phases of this server
dependencies = []; // Plugin dependencies
events = new Podium.Podium(internals.events);
heavy = null;
info = null;
instances = new Set();
listener = null;
methods = new Methods(this); // Server methods
mime = null;
onConnection = null; // Used to remove event listener on stop
phase = 'stopped'; // 'stopped', 'initializing', 'initialized', 'starting', 'started', 'stopping', 'invalid'
plugins = {}; // Exposed plugin properties by name
registrations = {}; // Tracks plugin for dependency validation { name -> { version } }
registring = 0; // > 0 while register() is waiting for plugin callbacks
Request = class extends Request { };
Response = class extends Response { };
requestCounter = { value: internals.counter.min, min: internals.counter.min, max: internals.counter.max };
root = null;
router = null;
settings = null;
sockets = null; // Track open sockets for graceful shutdown
started = false;
states = null;
toolkit = new Toolkit.Manager();
type = null;
validator = null;
extensionsSeq = 0; // Used to keep absolute order of extensions based on the order added across locations
extensions = {
server: {
onPreStart: new Ext('onPreStart', this),
onPostStart: new Ext('onPostStart', this),
onPreStop: new Ext('onPreStop', this),
onPostStop: new Ext('onPostStop', this)
},
route: {
onRequest: new Ext('onRequest', this),
onPreAuth: new Ext('onPreAuth', this),
onCredentials: new Ext('onCredentials', this),
onPostAuth: new Ext('onPostAuth', this),
onPreHandler: new Ext('onPreHandler', this),
onPostHandler: new Ext('onPostHandler', this),
onPreResponse: new Ext('onPreResponse', this),
onPostResponse: new Ext('onPostResponse', this)
}
};
decorations = {
handler: new Map(),
request: new Map(),
response: new Map(),
server: new Map(),
toolkit: new Map(),
requestApply: null,
public: { handler: [], request: [], response: [], server: [], toolkit: [] }
};
constructor(options) {
const { settings, type } = internals.setup(options);
this.settings = settings;
this.type = type;
this.heavy = new Heavy(this.settings.load);
this.mime = new Mimos(this.settings.mime);
this.router = new Call.Router(this.settings.router);
this.states = new Statehood.Definitions(this.settings.state);
this._debug();
this._initializeCache();
if (this.settings.routes.validate.validator) {
this.validator = Validation.validator(this.settings.routes.validate.validator);
}
this.listener = this._createListener();
this._initializeListener();
this.info = this._info();
}
_debug() {
const debug = this.settings.debug;
if (!debug) {
return;
}
// Subscribe to server log events
const method = (event) => {
const data = event.error ?? event.data;
console.error('Debug:', event.tags.join(', '), data ? '\n ' + (data.stack ?? (typeof data === 'object' ? Hoek.stringify(data) : data)) : '');
};
if (debug.log) {
const filter = debug.log.some((tag) => tag === '*') ? undefined : debug.log;
this.events.on({ name: 'log', filter }, method);
}
if (debug.request) {
const filter = debug.request.some((tag) => tag === '*') ? undefined : debug.request;
this.events.on({ name: 'request', filter }, (request, event) => method(event));
}
}
_initializeCache() {
if (this.settings.cache) {
this._createCache(this.settings.cache);
}
if (!this.caches.has('_default')) {
this._createCache([{ provider: CatboxMemory }]); // Defaults to memory-based
}
}
_info() {
const now = Date.now();
const protocol = this.type === 'tcp' ? (this.settings.tls ? 'https' : 'http') : this.type;
const host = this.settings.host || Os.hostname() || 'localhost';
const port = this.settings.port;
const info = {
created: now,
started: 0,
host,
port,
protocol,
id: Os.hostname() + ':' + process.pid + ':' + now.toString(36),
uri: this.settings.uri ?? (protocol + ':' + (this.type === 'tcp' ? '//' + host + (port ? ':' + port : '') : port))
};
return info;
}
_counter() {
const next = ++this.requestCounter.value;
if (this.requestCounter.value > this.requestCounter.max) {
this.requestCounter.value = this.requestCounter.min;
}
return next - 1;
}
_createCache(configs) {
Hoek.assert(this.phase !== 'initializing', 'Cannot provision server cache while server is initializing');
configs = Config.apply('cache', configs);
const added = [];
for (let config of configs) {
// (type: 'handler', property: P, method: HandlerDecorationMethod, options?: { apply?: boolean | undefined, extend?: never }): void; decorate
(type: 'request', property: ExceptName (type: 'request', property: ExceptName (type: 'request', property: ExceptName (type: 'request', property: ExceptName (type: 'request', property: ExceptName (type: 'request', property: ExceptName (type: 'toolkit', property: ExceptName (type: 'toolkit', property: ExceptName (type: 'toolkit', property: ExceptName (type: 'toolkit', property: ExceptName (type: 'server', property: ExceptName (type: 'server', property: ExceptName (type: 'server', property: ExceptName (type: 'server', property: ExceptName