yarnemia

v1.0.0

Cookie jar plugin for Hapi without iron encryption

Downloads

4

Readme

A HapiJS session plugin and cookie jar without unnecessary Iron cookie encryption

Lead Maintainer: Peter Mooney

Forked from Yar, a module maintained by Mark Bradshaw

Install (only for Hapi >= 14.0.0)

$ npm install yarnemia --save
or
$ yarn add yarnemia

About

The yarnemia hapi plugin adds session support: a persistent state across multiple browser requests using server-side storage. It uses server storage via the hapi plugin cache interface. The difference between Yar and Yarnemia is that Yar uses an Iron-encrypted cookie and Yarnemia does not.

Yarnemia attempts to enforce good practice by storing all important session data on the server side. The only piece of data that should be in a cookie is the session identifier used to match up the session data on the server. Due to this deviation from yar, there is no need for encrypting and decrypting the cookie. An encrypted token containing only the session identifier would behave the exact same way an unencrypted token would. Removing this unnecessary encryption step will remove the negative performance impact of encrypting and decrypting the cookie.

Differences

  • customSessionIDGenerator function has been removed. Allowing someone to provide their own ID generation logic opens up the possibility of implementing something that is not cryptographically random, possibly enabling an attacker to guess session ids of other users. The current ID Generator is UUID v4.
  • errorOnCacheNotReady flag has been removed as an available option. This flag was silly and could easily break the expectations a developer would have around the status of the session manager. Also, since session data can now only be stored in one place (the server-side cache) and not the cookie, it makes sense to throw an error for an unprepared cache. The cache defaults to the local server cache, Catbox-Memory.
  • isHttpOnly flag has had the default changed to true. This helps limit the impact of XSS attacks by preventing the session cookie from being read by JavaScript.
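
The design described in About and Differences, as an added example that is not yarnemia's own code: the cookie carries only a UUID v4 session id, the data stays in a server-side map, and an id the server never issued resolves to no session. The cookie name `session`, the in-memory `Map` standing in for the cache, and all function names are assumptions made for illustration.

```javascript
// Added illustration, not yarnemia source code.
const crypto = require('crypto');

const COOKIE_NAME = 'session';   // assumed cookie name
const store = new Map();         // stands in for the server-side cache

const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// Issue a new session: the id is a UUID v4 drawn from the platform CSPRNG.
function createSession() {
    const id = crypto.randomUUID();
    store.set(id, {});
    return id;
}

// Set-Cookie value: only the id leaves the server; HttpOnly is always set,
// Secure unless explicitly disabled (mirrors isSecure defaulting to true).
function buildSetCookie(id, isSecure = true) {
    const attrs = [`${COOKIE_NAME}=${id}`, 'Path=/', 'HttpOnly'];
    if (isSecure) {
        attrs.push('Secure');
    }
    return attrs.join('; ');
}

// Pull one cookie value out of a Cookie request header.
function readCookie(header, name) {
    for (const part of (header || '').split(';')) {
        const eq = part.indexOf('=');
        if (eq !== -1 && part.slice(0, eq).trim() === name) {
            return part.slice(eq + 1).trim();
        }
    }
    return null;
}

// Resolve a request to its session data. A missing, malformed or never-issued
// id yields null, so a tampered cookie simply matches nothing in the store.
function loadSession(cookieHeader) {
    const id = readCookie(cookieHeader, COOKIE_NAME);
    if (!id || !UUID_V4.test(id) || !store.has(id)) {
        return null;
    }
    return store.get(id);
}
```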

Usage

Other than what is mentioned above, there are virtually no differences between the yar API and yarnemia's. All stored data is scoped per user, based on the session id provided in the header.

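// Store a value in the server-side session; only the session id goes into the cookie
var handler1 = function (request, reply) {

    request.yarnemia.set('example', { key: 'value' });
    return reply();
};

// Read the value back on a later request from the same session
var handler2 = function (request, reply) {

    // Assumes handler1 already ran for this session; check for a missing value in real code
    var example = request.yarnemia.get('example');
    reply(example.key);     // Will send back 'value'
};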

Setting up yarnemia is simple.

var options = {
    storeBlank: false,
    cookieOptions: {
        isSecure: true
    }
};

/*
  Please note that there are other default cookie options that can impact your security.
  Please look at the description of the cookie options below to make sure this is doing
  what you expect.
*/

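var Hapi = require('hapi');

var server = new Hapi.Server();

server.register({
    register: require('yarnemia'),
    options: options
}, function (err) {

    // Fail startup rather than run without session support
    if (err) {
        throw err;
    }
});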

Cookie Options

You can read about more cookie options in the API.

isSecure

Set isSecure (default true) to false if you are using standard http. Take care to do this in development mode only though. You don't want to use cookies sent over insecure channels for session management. One way to take care of this is to use the NODE_ENV environment variable like this:

var options = {
    cookieOptions: {
        // Secure everywhere except when NODE_ENV is explicitly 'development'
        isSecure: process.env.NODE_ENV !== 'development'
        // ...
    }
};

clearInvalid

clearInvalid (default true) tells Hapi that if a session cookie is invalid for any reason, to clear it from the browser. This prevents Hapi from having to reprocess the bad cookie on future requests. In general you'll probably want this on, but if you'd prefer that session cookies be dealt with in some other way you may set this to false.

API Reference

Api Reference