6.11.x API Reference

Hapi.Server

new Server([host], [port], [options])

Creates a new server instance with the following arguments:

  • host - the hostname, IP address, or path to UNIX domain socket the server is bound to. Defaults to 0.0.0.0 which means any available network interface. Set to 127.0.0.1 or localhost to restrict connection to those coming from the same machine. If host contains a '/' character, it is used as a UNIX domain socket path and if it starts with '\.\pipe' as a Windows named pipe.
  • port - the TCP port the server is listening to. Defaults to port 80 for HTTP and to 443 when TLS is configured. To use an ephemeral port, use 0 and once the server is started, retrieve the port allocation via server.info.port.
  • options - An object with the server configuration as described in server options.
var Hapi = require('hapi');
var server = new Hapi.Server('localhost', 8000, { cors: true });

createServer([host], [port], [options])

An alternative method for creating a server instance using the same arguments as new Server().

var Hapi = require('hapi');
var server = Hapi.createServer('localhost', 8000, { cors: true });

Server options

When creating a server instance, the following options configure the server's behavior:

  • app - application-specific configuration which can later be accessed via server.settings.app. Provides a safe place to store application configuration without potential conflicts with hapi. Should not be used by plugins which should use plugins[name]. Note the difference between server.settings.app which is used to store configuration value and server.app which is meant for storing run-time state.

  • cache - sets up server-side caching. Every server includes a default cache for storing application state. By default, a simple memory-based cache is created which has limited capacity and capabilities. hapi uses catbox for its cache which includes support for Redis, MongoDB, Memcached, and Riak. Caching is only utilized if methods and plugins explicitly store their state in the cache. The server cache configuration only defines the storage container itself. cache can be assigned:

    • a prototype function (usually obtained by calling require() on a catbox strategy such as require('catbox-redis')).
    • a configuration object with the following options:
      • engine - a prototype function or catbox engine object.
      • name - an identifier used later when provisioning or configuring caching for routes, methods, or plugins. Each connection name must be unique. A single item may omit the name option which defines the default cache. If every connection includes a name, a default memory cache is provisions as well as the default.
      • shared - if true, allows multiple cache users to share the same segment (e.g. multiple servers in a pack using the same route and cache. Default to not shared.
      • other options required by the catbox strategy used.
    • an array of the above object for configuring multiple cache instances, each with a unique name. When an array of objects is provided, multiple cache connections are established and each array item (except one) must include a name.
  • cors - the Cross-Origin Resource Sharing protocol allows browsers to make cross-origin API calls. CORS is required by web applications running inside a browser which are loaded from a different domain than the API server. CORS headers are disabled by default. To enable, set cors to true, or to an object with the following options:

    • origin - a strings array of allowed origin servers ('Access-Control-Allow-Origin'). The array can contain any combination of fully qualified origins along with origin strings containing a wilcard '*' character, or a single '*' origin string. Defaults to any origin ['*'].
    • isOriginExposed - if false, prevents the server from returning the full list of non-wildcard origin values if the incoming origin header does not match any of the values. Has no impact if matchOrigin is set to false. Defaults to true.
    • matchOrigin - if false, returns the list of origin values without attempting to match the incoming origin value. Cannot be used with wildcard origin values. Defaults to true.
    • maxAge - number of seconds the browser should cache the CORS response ('Access-Control-Max-Age'). The greater the value, the longer it will take before the browser checks for changes in policy. Defaults to 86400 (one day).
    • headers - a strings array of allowed headers ('Access-Control-Allow-Headers'). Defaults to ['Authorization', 'Content-Type', 'If-None-Match'].
    • additionalHeaders - a strings array of additional headers to headers. Use this to keep the default headers in place.
    • methods - a strings array of allowed HTTP methods ('Access-Control-Allow-Methods'). Defaults to ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS'].
    • additionalMethods - a strings array of additional methods to methods. Use this to keep the default methods in place.
    • exposedHeaders - a strings array of exposed headers ('Access-Control-Expose-Headers'). Defaults to ['WWW-Authenticate', 'Server-Authorization'].
    • additionalExposedHeaders - a strings array of additional headers to exposedHeaders. Use this to keep the default headers in place.
    • credentials - if true, allows user credentials to be sent ('Access-Control-Allow-Credentials'). Defaults to false.
  • security - sets some common security related headers. All headers are disabled by default. To enable set security to true or to an object with the following options:

    • hsts - controls the 'Strict-Transport-Security' header. If set to true the header will be set to max-age=15768000, if specified as a number the maxAge parameter will be set to that number. Defaults to true. You may also specify an object with the following fields:
      • maxAge - the max-age portion of the header, as a number. Default is 15768000.
      • includeSubdomains - a boolean specifying whether to add the includeSubdomains flag to the header.
    • xframe - controls the 'X-Frame-Options' header. When set to true the header will be set to DENY, you may also specify a string value of 'deny' or 'sameorigin'. To use the 'allow-from' rule, you must set this to an object with the following fields:
      • rule - either 'deny', 'sameorigin', or 'allow-from'
      • source - when rule is 'allow-from' this is used to form the rest of the header, otherwise this field is ignored. If rule is 'allow-from' but source is unset, the rule will be automatically changed to 'sameorigin'.
    • xss - boolean that controls the 'X-XSS-PROTECTION' header for IE. Defaults to true which sets the header to equal '1; mode=block'. NOTE: This setting can create a security vulnerability in versions of IE below 8, as well as unpatched versions of IE8. See here and here for more information. If you actively support old versions of IE, it may be wise to explicitly set this flag to false.
    • noOpen - boolean controlling the 'X-Download-Options' header for IE, preventing downloads from executing in your context. Defaults to true setting the header to 'noopen'.
    • noSniff - boolean controlling the 'X-Content-Type-Options' header. Defaults to true setting the header to its only and default option, 'nosniff'.
  • debug - controls the error types sent to the console:

    • request - a string array of request log tags to be displayed via console.error() when the events are logged via request.log(). Defaults to uncaught errors thrown in external code (these errors are handled automatically and result in an Internal Server Error (500) error response) or runtime errors due to incorrect implementation of the hapi API. For example, to display all errors, change the option to ['error']. To turn off all console debug messages set it to false.
  • files - defines the behavior for serving static resources using the built-in route handlers for files and directories:

    • relativeTo - determines the folder relative paths are resolved against when using the file and directory handlers.
    • etagsCacheMaxSize - sets the maximum number of file etag hash values stored in the cache. Defaults to 10000.
  • json - optional arguments passed to JSON.stringify() when converting an object or error response to a string payload. Supports the following:

    • replacer - the replacer function or array. Defaults to no action.
    • space - number of spaces to indent nested object keys. Defaults to no indentation.
  • labels - a string array of labels used when registering plugins to plugin.select() matching server labels. Defaults to an empty array [] (no labels).

  • load - server load monitoring and limits configuration (stored under server.load when enabled) where:

    • maxHeapUsedBytes - maximum V8 heap size over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to 0 (no limit).
    • maxRssBytes - maximum process RSS size over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to 0 (no limit).
    • maxEventLoopDelay - maximum event loop delay duration in milliseconds over which incoming requests are rejected with an HTTP Server Timeout (503) response. Defaults to 0 (no limit).
    • sampleInterval - the frequency of sampling in milliseconds. Defaults to 0 (no sampling).
  • location - used to convert relative 'Location' header URIs to absolute, by adding this value as prefix. Value must not contain a trailing '/'. Defaults to the host received in the request HTTP 'Host' header and if missing, to server.info.uri.

  • cacheControlStatus - an array of HTTP response status codes (e.g. 200) which are allowed to include a valid caching directive. Defaults to [200].

  • payload - controls how incoming payloads (request body) are processed:

    • maxBytes - limits the size of incoming payloads to the specified byte count. Allowing very large payloads may cause the server to run out of memory. Defaults to 1048576 (1MB).
    • uploads - the directory used for writing file uploads. Defaults to os.tmpDir().
  • plugins - plugin-specific configuration which can later be accessed by server.plugins. Provides a place to store and pass plugin configuration that is at server-level. The plugins is an object where each key is a plugin name and the value is the configuration. Note the difference between server.settings.plugins which is used to store configuration value and server.plugins which is meant for storing run-time state.

  • router - controls how incoming request URIs are matched against the routing table:

    • isCaseSensitive - determines whether the paths '/example' and '/EXAMPLE' are considered different resources. Defaults to true.
    • stripTrailingSlash - removes trailing slashes on incoming paths. Defaults to false.
  • state - HTTP state management (cookies) allows the server to store information on the client which is sent back to the server with every request (as defined in RFC 6265).

    • cookies - The server automatically parses incoming cookies based on these options:
      • parse - determines if incoming 'Cookie' headers are parsed and stored in the request.state object. Defaults to true.
      • failAction - determines how to handle cookie parsing errors. Allowed values are:
        • 'error' - return a Bad Request (400) error response. This is the default value.
        • 'log' - report the error but continue processing the request.
        • 'ignore' - take no action.
      • clearInvalid - if true, automatically instruct the client to remove invalid cookies. Defaults to false.
      • strictHeader - if false, allows any cookie value including values in violation of RFC 6265. Defaults to true.
  • timeout - define timeouts for processing durations:

    • server - response timeout in milliseconds. Sets the maximum time allowed for the server to respond to an incoming client request before giving up and responding with a Service Unavailable (503) error response. Disabled by default (false).
    • client - request timeout in milliseconds. Sets the maximum time allowed for the client to transmit the request payload (body) before giving up and responding with a Request Timeout (408) error response. Set to false to disable. Can be customized on a per-route basis using the route payload.timeout configuration. Defaults to 10000 (10 seconds).
    • socket - by default, node sockets automatically timeout after 2 minutes. Use this option to override this behavior. Defaults to undefined which leaves the node default unchanged. Set to false to disable socket timeouts.
  • tls - used to create an HTTPS server. The tls object is passed unchanged as options to the node.js HTTPS server as described in the node.js HTTPS documentation.

  • maxSockets - sets the number of sockets available per outgoing proxy host connection. false means use the wreck default value (Infinity). Does not affect non-proxy outgoing client connections. Defaults to Infinity.

  • validation - options to pass to Joi. Useful to set global options such as stripUnknown or abortEarly (the complete list is available here). Defaults to no options.

  • views - enables support for view rendering (using templates to generate responses). Disabled by default. To enable, set to an object with the following options:

    • engines - (required) an object where each key is a file extension (e.g. 'html', 'jade'), mapped to the npm module used for rendering the templates. Alternatively, the extension can be mapped to an object with the following options:
      • module - the npm module used for rendering the templates. The module object must contain:
        • compile() - the rendering function. The required function signature depends on the compileMode settings. If the compileMode is 'sync', the signature is compile(template, options), the return value is a function with signature function(context, options), and the method is allowed to throw errors. If the compileMode is 'async', the signature is compile(template, options, callback) where callback has the signature function(err, compiled) where compiled is a function with signature function(context, options, callback) and callback has the signature function(err, rendered).
      • any of the views options listed below (except defaultExtension) to override the defaults for a specific engine.
    • defaultExtension - defines the default filename extension to append to template names when multiple engines are configured and not explicit extension is provided for a given template. No default value.
    • path - the root file path used to resolve and load the templates identified when calling reply.view(). Defaults to current working directory.
    • partialsPath - the root file path where partials are located. Partials are small segments of template code that can be nested and reused throughout other templates. Defaults to no partials support (empty path).
    • helpersPath - the directory path where helpers are located. Helpers are functions used within templates to perform transformations and other data manipulations using the template context or other inputs. Each '.js' file in the helpers directory is loaded and the file name is used as the helper name. The files must export a single method with the signature function(context) and return a string. Sub-folders are not supported and are ignored. Defaults to no helpers support (empty path). Note that jade does not support loading helpers this way.
    • basePath - a base path used as prefix for path and partialsPath. No default.
    • layout - if set to true or a layout filename, layout support is enabled. A layout is a single template file used as the parent template for other view templates in the same engine. If true, the layout template name must be 'layout.ext' where 'ext' is the engine's extension. Otherwise, the provided filename is suffixed with the engine's extension and loaded. Disable layout when using Jade as it will handle including any layout files independently. Defaults to false.
    • layoutPath - the root file path where layout templates are located (relative to basePath if present). Defaults to path.
    • layoutKeyword - the key used by the template engine to denote where primary template content should go. Defaults to 'content'.
    • encoding - the text encoding used by the templates when reading the files and outputting the result. Defaults to 'utf8'.
    • isCached - if set to false, templates will not be cached (thus will be read from file on every use). Defaults to true.
    • allowAbsolutePaths - if set to true, allows absolute template paths passed to reply.view(). Defaults to false.
    • allowInsecureAccess - if set to true, allows template paths passed to reply.view() to contain '../'. Defaults to false.
    • compileOptions - options object passed to the engine's compile function. Defaults to empty options {}.
    • runtimeOptions - options object passed to the returned function from the compile operation. Defaults to empty options {}.
    • contentType - the content type of the engine results. Defaults to 'text/html'.
    • compileMode - specify whether the engine compile() method is 'sync' or 'async'. Defaults to 'sync'.

Server properties

Each instance of the Server object have the following properties:

  • app - application-specific state. Provides a safe place to store application data without potential conflicts with hapi. Should not be used by plugins which should use plugins[name].
  • methods - methods registered with server.method().
  • info - server information:
    • port - the port the server was configured to (before start()) or bound to (after start()).
    • host - the hostname the server was configured to (defaults to '0.0.0.0' if no host was provided).
    • protocol - the protocol used (e.g. 'http' or 'https').
    • uri - a string with the following format: 'protocol://host:port' (e.g. 'http://example.com:8080').
  • listener - the node HTTP server object.
  • load - server load metrics (when server.load.sampleInterval is enabled):
    • eventLoopDelay - event loop delay milliseconds.
    • heapUsed - V8 heap usage.
    • rss - RSS memory usage.
  • pack - the Pack object the server belongs to (automatically assigned when creating a server instance directly).
  • plugins - an object where each key is a plugin name and the value are the exposed properties by that plugin using plugin.expose().
  • settings - an object containing the server options after applying the defaults.

Server methods

server.start([callback])

Starts the server by listening for incoming connections on the configured port. If provided, callback() is called once the server is ready for new connections. If the server is already started, the callback() is called on the next tick.

var Hapi = require('hapi');
var server = new Hapi.Server();
server.start(function () {

    console.log('Server started at: ' + server.info.uri);
});

server.stop([options], [callback])

Stops the server by refusing to accept any new connections. Existing connections will continue until closed or timeout (defaults to 5 seconds). Once the server stopped, all the connections have ended, and it is safe to exit the process, the callback (if provided) is called. If the server is already stopped, the callback() is called on the next tick.

The optional options object supports:

  • timeout - overrides the timeout in millisecond before forcefully terminating a connection. Defaults to 5000 (5 seconds).
server.stop({ timeout: 60 * 1000 }, function () {

    console.log('Server stopped');
});

server.route(options)

Adds a new route to the server where:

  • options - the route configuration as described in route options.
Route options

The following options are available when adding a route:

  • path - (required) the absolute path used to match incoming requests (must begin with '/'). Incoming requests are compared to the configured paths based on the server router configuration option. The path can include named parameters enclosed in {} which will be matched against literal values in the request as described in Path parameters.

  • method - (required) the HTTP method. Typically one of 'GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'. Any HTTP method is allowed, except for 'HEAD'. Use '*' to match against any HTTP method (only when an exact match was not found, and any match with a specific method will be given a higher priority over a wildcard match). Can be assigned an array of methods which has the same result as adding the same route with different methods manually.

  • vhost - an optional domain string or an array of domain strings for limiting the route to only requests with a matching host header field. Matching is done against the hostname part of the header only (excluding the port). Defaults to all hosts.

  • handler - (required) the function called to generate the response after successful authentication and validation. The handler function is described in Route handler. If set to a string, the value is parsed the same way a prerequisite server method string shortcut is processed. Alternatively, handler can be assigned an object with one of:

    • file - generates a static file endpoint for serving a single file. file can be set to:

      • a relative or absolute file path string (relative paths are resolved based on the server files configuration).
      • a function with the signature function(request) which returns the relative or absolute file path.
      • an object with the following options:
        • path - a path string or function as described above.
        • filename - an optional filename to specify if sending a 'Content-Disposition' header, defaults to the basename of path
        • mode - specifies whether to include the 'Content-Disposition' header with the response. Available values:
          • false - header is not included. This is the default value.
          • 'attachment'
          • 'inline'
        • lookupCompressed - if true, looks for the same filename with the '.gz' suffix for a precompressed version of the file to serve if the request supports content encoding. Defaults to false.
    • directory - generates a directory endpoint for serving static content from a directory. Routes using the directory handler must include a path parameter at the end of the path string (e.g. /path/to/somewhere/{param} where the parameter name does not matter). The path parameter can use any of the parameter options (e.g. {param} for one level files only, {param?} for one level files or the directory root, {param*} for any level, or {param*3} for a specific level). If additional path parameters are present, they are ignored for the purpose of selecting the file system resource. The directory handler is an object with the following options:

      • path - (required) the directory root path (relative paths are resolved based on the server files configuration). Value can be:
        • a single path string used as the prefix for any resources requested by appending the request path parameter to the provided string.
        • an array of path strings. Each path will be attempted in order until a match is found (by following the same process as the single path string).
        • a function with the signature function(request) which returns the path string or an array of path strings. If the function returns an error, the error is passed back to the client in the response.
      • index - optional boolean, determines if 'index.html' will be served if found in the folder when requesting a directory. Defaults to true.
      • listing - optional boolean, determines if directory listing is generated when a directory is requested without an index document. Defaults to false.
      • showHidden - optional boolean, determines if hidden files will be shown and served. Defaults to false.
      • redirectToSlash - optional boolean, determines if requests for a directory without a trailing slash are redirected to the same path with the missing slash. Useful for ensuring relative links inside the response are resolved correctly. Disabled when the server config router.stripTrailingSlash is true. Defaults to true.
      • lookupCompressed - optional boolean, instructs the file processor to look for the same filename with the '.gz' suffix for a precompressed version of the file to serve if the request supports content encoding. Defaults to false.
      • defaultExtension - optional string, appended to file requests if the requested file is not found. Defaults to no extension.
    • proxy - generates a reverse proxy handler with the following options:

      • host - the upstream service host to proxy requests to. The same path on the client request will be used as the path on the host.
      • port - the upstream service port.
      • protocol - The protocol to use when making a request to the proxied host:
        • 'http'
        • 'https'
      • uri - an absolute URI used instead of the incoming host, port, protocol, path, and query. Cannot be used with host, port, protocol, or mapUri.
      • passThrough - if true, forwards the headers sent from the client to the upstream service being proxied to. Defaults to false.
      • localStatePassThrough - if false, any locally defined state is removed from incoming requests before being passed upstream. This is a security feature to prevent local state (e.g. authentication cookies) from leaking upstream to other servers along with the cookies intended for those servers. This value can be overridden on a per state basis via the server.state() passThrough option. Defaults to true (for backwards compatibility; will be changed in the next major release).
      • acceptEncoding - if false, does not pass-through the 'Accept-Encoding' HTTP header which is useful when using an onResponse post-processing to avoid receiving an encoded response (e.g. gzipped). Can only be used together with passThrough. Defaults to true (passing header).
      • rejectUnauthorized - sets the rejectUnauthorized property on the https agent making the request. This value is only used when the proxied server uses TLS/SSL. When set it will override the node.js rejectUnauthorized property. If false then ssl errors will be ignored. When true the server certificate is verified and an 500 response will be sent when verification fails. This shouldn't be used alongside the agent setting as the agent will be used instead. Defaults to the https agent default value of true.
      • xforward - if true, sets the 'X-Forwarded-For', 'X-Forwarded-Port', 'X-Forwarded-Proto' headers when making a request to the proxied upstream endpoint. Defaults to false.
      • redirects - the maximum number of HTTP redirections allowed, to be followed automatically by the handler. Set to false or 0 to disable all redirections (the response will contain the redirection received from the upstream service). If redirections are enabled, no redirections (301, 302, 307, 308) will be passed along to the client, and reaching the maximum allowed redirections will return an error response. Defaults to false.
      • timeout - number of milliseconds before aborting the upstream request. Defaults to 180000 (3 minutes).
      • mapUri - a function used to map the request URI to the proxied URI. Cannot be used together with host, port, protocol, or uri. The function signature is function(request, callback) where:
        • request - is the incoming request object
        • callback - is function(err, uri, headers) where:
          • err - internal error condition.
          • uri - the absolute proxy URI.
          • headers - optional object where each key is an HTTP request header and the value is the header content.
      • onResponse - a custom function for processing the response from the upstream service before sending to the client. Useful for custom error handling of responses from the proxied endpoint or other payload manipulation. Function signature is function(err, res, request, reply, settings, ttl) where: - err - internal or upstream error returned from attempting to contact the upstream proxy. - res - the node response object received from the upstream service. res is a readable stream (use the wreck module read method to easily convert it to a Buffer or string). - request - is the incoming request object. - reply() - the continuation function. - settings - the proxy handler configuration. - ttl - the upstream TTL in milliseconds if proxy.ttl it set to 'upstream' and the upstream response included a valid 'Cache-Control' header with 'max-age'.
      • ttl - if set to 'upstream', applies the upstream response caching policy to the response using the response.ttl() method (or passed as an argument to the onResponse method if provided).
      • agent - a node http(s) agent to be used for connections to upstream server.
    • view - generates a template-based response. The view option can be set to one of:

      • a string with the template file name.
      • an object with the following keys:
        • template - a string with the template file name.
        • context - an optional template context object. Defaults to an object with the following key:
          • payload - maps to request.payload.
          • params - maps to request.params.
          • query - maps to request.query.
          • pre - maps to request.pre.
        • options - optional object used to override the server's views configuration.
  • config - additional route configuration (the config options allows splitting the route information from its implementation):

    • handler - an alternative location for the route handler function. Same as the handler option in the parent level. Can only include one handler per route.

    • bind - an object passed back to the provided handler (via this) when called.

    • app - application-specific configuration. Provides a safe place to pass application configuration without potential conflicts with hapi. Should not be used by plugins which should use plugins[name].

    • plugins - plugin-specific configuration. Provides a place to pass route-level plugin configuration. The plugins is an object where each key is a plugin name and the value is the state.

    • pre - an array with prerequisites methods which are executed in serial or in parallel before the handler is called and are described in Route prerequisites.

    • validate - request input validation rules for various request components. When using a Joi validation object, the values of the other inputs (e.g. headers, query, and params when validating payload) are made available under the validation context (accessible in rules as Joi.ref('$query.key')). Note that validation is performed in order (i.e. headers, params, query, payload) and if type casting is used (converting a string to number), the value of inputs not yet validated will reflect the raw, unvalidated and unmodified values. The validate object supports:

      • headers - validation rules for incoming request headers. Values allowed:

        • true - any headers allowed (no validation performed). This is the default.
        • false - no headers allowed (this will cause all valid HTTP requests to fail).
        • a Joi validation object.
        • a validation function using the signature function(value, options, next) where:
          • value - the object containing the request headers.
          • options - the server validation options.
          • next(err, value) - the callback function called when validation is completed.
      • params - validation rules for incoming request path parameters, after matching the path against the route and extracting any parameters then stored in request.params. Values allowed:

        • true - any path parameters allowed (no validation performed). This is the default.
        • false - no path variables allowed.
        • a Joi validation object.
        • a validation function using the signature function(value, options, next) where:
          • value - the object containing the path parameters.
          • options - the server validation options.
          • next(err, value) - the callback function called when validation is completed.
      • query - validation rules for an incoming request URI query component (the key-value part of the URI between '?' and '#'). The query is parsed into its individual key-value pairs (see Query String) and stored in request.query prior to validation. Values allowed:

        • true - any query parameters allowed (no validation performed). This is the default.
        • false - no query parameters allowed.
        • a Joi validation object.
        • a validation function using the signature function(value, options, next) where:
          • value - the object containing the query parameters.
          • options - the server validation options.
          • next(err, value) - the callback function called when validation is completed.
      • payload - validation rules for an incoming request payload (request body). Values allowed:

        • true - any payload allowed (no validation performed). This is the default.
        • false - no payload allowed.
        • a Joi validation object.
        • a validation function using the signature function(value, options, next) where:
          • value - the object containing the payload object.
          • options - the server validation options.
          • next(err, value) - the callback function called when validation is completed.
      • errorFields - an optional object with error fields copied into every validation error response.

      • failAction - determines how to handle invalid requests. Allowed values are:

        • 'error' - return a Bad Request (400) error response. This is the default value.
        • 'log' - log the error but continue processing the request.
        • 'ignore' - take no action.
        • a custom error handler function with the signature function(source, error, next) where:
          • source - the source of the invalid field (e.g. 'path', 'query', 'payload').
          • error - the error object prepared for the client response (including the validation function error under error.data).
          • next - the continuation method called to resume route processing or return an error response. The function signature is function(exit) where:
            • exit - optional client response. If set to a non-falsy value, the request lifecycle process will jump to the "send response" step, skipping all other steps in between, and using the exit value as the new response. exit can be any result value accepted by reply().
    • payload - determines how the request payload is processed:

      • output - the type of payload representation requested where:
        • data - the incoming payload is read fully into memory. If parse is true, the payload is parsed (JSON, form-decoded, multipart) based on the 'Content-Type' header. If parse is false, the raw Buffer is returned. This is the default value except when a proxy handler is used.
        • stream - the incoming payload is made available via a Stream.Readable interface. If the payload is 'multipart/form-data' and parse is true, fields values are presented as text while files are provided as streams. File streams from a 'multipart/form-data' upload will also have a property hapi containing filename and headers properties.
        • file - the incoming payload in written to temporary file in the directory specified by the server's payload.uploads settings. If the payload is 'multipart/form-data' and parse is true, fields values are presented as text while files are saved.
      • parse - can be true, false, or gunzip; determines if the incoming payload is processed or presented raw. true and gunzip includes gunzipping when the appropriate 'Content-Encoding' is specified on the received request. If parsing is enabled and the 'Content-Type' is known (for the whole payload as well as parts), the payload is converted into an object when possible. If the format is unknown, a Bad Request (400) error response is sent. Defaults to true, except when a proxy handler is used. The supported mime types are:
        • 'application/json'
        • 'application/x-www-form-urlencoded'
        • 'application/octet-stream'
        • 'text/*'
        • 'multipart/form-data'
      • allow - a string or an array of strings with the allowed mime types for the endpoint. Defaults to any of the supported mime types listed above. Note that allowing other mime types not listed will not enable them to be parsed, and that if parsing mode is 'parse', the request will result in an error response.
      • override - a mime type string overriding the 'Content-Type' header value received. Defaults to no override.
      • maxBytes - overrides the server default value for this route.
      • timeout - payload processing timeout in milliseconds. Sets the maximum time allowed for the client to transmit the request payload (body) before giving up and responding with a Request Timeout (408) error response. Set to false to disable. Defaults to the server timeout.client configuration.
      • uploads - overrides the server default value for this route.
      • failAction - determines how to handle payload parsing errors. Allowed values are:
        • 'error' - return a Bad Request (400) error response. This is the default value.
        • 'log' - report the error but continue processing the request.
        • 'ignore' - take no action and continue processing the request.
    • response - validation rules for the outgoing response payload (response body). Can only validate object response:

      • schema - the response object validation rules expressed as one of:
        • true - any payload allowed (no validation performed). This is the default.
        • false - no payload allowed.
        • a Joi validation object.
        • a validation function using the signature function(value, options, next) where:
          • value - the object containing the response object.
          • options - the server validation options.
          • next(err) - the callback function called when validation is completed.
      • sample - the percent of responses validated (0 - 100). Set to 0 to disable all validation. Defaults to 100 (all responses).
      • failAction - defines what to do when a response fails validation. Options are:
        • error - return an Internal Server Error (500) error response. This is the default value.
        • log - log the error but send the response.
    • cache - if the route method is 'GET', the route can be configured to include caching directives in the response using the following options:

      • privacy - determines the privacy flag included in client-side caching using the 'Cache-Control' header. Values are:
        • 'default' - no privacy flag. This is the default setting.
        • 'public' - mark the response as suitable for public caching.
        • 'private' - mark the response as suitable only for private caching.
      • expiresIn - relative expiration expressed in the number of milliseconds since the item was saved in the cache. Cannot be used together with expiresAt.
      • expiresAt - time of day expressed in 24h notation using the 'MM:HH' format, at which point all cache records for the route expire. Cannot be used together with expiresIn.
    • auth - authentication configuration. Value can be:

      • false to disable authentication if a default strategy is set.
      • a string with the name of an authentication strategy registered with server.auth.strategy().
      • an object with:
        • mode - the authentication mode. Defaults to 'required' if a server authentication strategy is configured, otherwise defaults to no authentication. Available values:
          • 'required' - authentication is required.
          • 'optional' - authentication is optional (must be valid if present).
          • 'try' - same as 'optional' but allows for invalid authentication.
        • strategies - a string array of strategy names in order they should be attempted. If only one strategy is used, strategy can be used instead with the single string value. Defaults to the default authentication strategy which is available only when a single strategy is configured.
        • payload - if set, the payload (in requests other than 'GET' and 'HEAD') is authenticated after it is processed. Requires a strategy with payload authentication support (e.g. Hawk). Available values:
          • false - no payload authentication. This is the default value.
          • 'required' - payload authentication required.
          • 'optional' - payload authentication performed only when the client includes payload authentication information (e.g. hash attribute in Hawk).
        • tos - minimum terms-of-service version required (uses the semver module). If defined, the authentication credentials object must include a tos key which satisfies this requirement. Defaults to false which means no validation.
        • scope - the application scope required to access the route. Value can be a scope string or an array of scope strings. The authenticated credentials object scope property must contain at least one of the scopes defined to access the route. Defaults to no scope required.
        • entity - the required authenticated entity type. If set, must match the entity value of the authentication credentials. Available values:
          • any - the authentication can be on behalf of a user or application. This is the default value.
          • user - the authentication must be on behalf of a user.
          • app - the authentication must be on behalf of an application.
    • cors - when false, the server's CORS headers are disabled for the route. Defaults to using the server's settings.

    • jsonp - enables JSONP support by setting the value to the query parameter name containing the function name used to wrap the response payload. For example, if the value is 'callback', a request comes in with 'callback=me', and the JSON response is '{ "a":"b" }', the payload will be: 'me({ "a":"b" });'. Does not work with stream responses.

    • description - route description used for generating documentation (string).

    • notes - route notes used for generating documentation (string or array of strings).

    • tags - route tags used for generating documentation (array of strings).

var Hapi = require('hapi');
var server = new Hapi.Server();

// Handler in top level

var status = function (request, reply) {

    reply('ok');
};

server.route({ method: 'GET', path: '/status', handler: status });

// Handler in config

var user = {
    cache: { expiresIn: 5000 },
    handler: function (request, reply) {

        reply({ name: 'John' });
    }
};

server.route({ method: 'GET', path: '/user', config: user });
Path processing

The router iterates through the routing table on each incoming request and executes the first (and only the first) matching route. Route matching is done on a combination of the request path and the HTTP verb. The query is excluded from the routing logic. Requests are matched in a deterministic order where the order in which routes are added does not matter. The routes are sorted from the most specific to the most generic. The specificity of a route is a combination of the HTTP verb and the route path. The more specific a route definition is, the higher up in the routing table it will appear. For example, the following path array shows the order in which an incoming request path will be matched against the routes:

var paths = [
    '/',
    '/a',
    '/b',
    '/ab',
    '/a{p}b',
    '/a{p}',
    '/{p}b',
    '/{p}',
    '/a/b',
    '/a/{p}',
    '/b/',
    '/a1{p}/a',
    '/xx{p}/b',
    '/x{p}/a',
    '/x{p}/b',
    '/y{p}/b',
    '/{p}xx/b',
    '/{p}x/b',
    '/{p}y/b',
    '/a/b/c',
    '/a/b/{p}',
    '/a/d{p}c/b',
    '/a/d{p}/b',
    '/a/{p}d/b',
    '/a/{p}/b',
    '/a/{p}/c',
    '/a/{p*2}',
    '/a/b/c/d',
    '/a/b/{p*2}',
    '/a/{p}/b/{x}',
    '/{p*5}',
    '/a/b/{p*}',
    '/{a}/b/{p*}',
    '/{p*}'
];
Path parameters

Parameterized paths are processed by matching the named parameters to the content of the incoming request path at that path segment. For example, '/book/{id}/cover' will match '/book/123/cover' and request.params.id will be set to '123'. Each path segment (everything between the opening '/' and the closing '/' unless it is the end of the path) can only include one named parameter. A parameter can cover the entire segment ('/{param}') or part of the segment ('/file.{ext}').

An optional '?' suffix following the parameter name indicates an optional parameter (only allowed if the parameter is at the ends of the path or only covers part of the segment as in '/a{param?}/b'). For example, the route '/book/{id?}' matches '/book/' with the value of request.params.id set to an empty string ''.

var getAlbum = function (request, reply) {

    reply('You asked for ' +
          (request.params.song ? request.params.song + ' from ' : '') +
          request.params.album);
};

server.route({
    path: '/{album}/{song?}',
    method: 'GET',
    handler: getAlbum
});

In addition to the optional ? suffix, a parameter name can also specify the number of matching segments using the * suffix, followed by a number greater than 1. If the number of expected parts can be anything, then use * without a number (matching any number of segments can only be used in the last path segment).

var getPerson = function (request, reply) {

    var nameParts = request.params.name.split('/');
    reply({ first: nameParts[0], last: nameParts[1] });
};

server.route({
    path: '/person/{name*2}',   // Matches '/person/john/doe'
    method: 'GET',
    handler: getPerson
});
Route handler

When a route is matched against an incoming request, the route handler is called and passed a reference to the request object. The handler method must call reply() or one of its sub-methods to return control back to the router.

var handler = function (request, reply) {

    reply('success');
};
Route prerequisites

It is often necessary to perform prerequisite actions before the handler is called (e.g. load required reference data from a database). The route pre option allows defining such pre-handler methods. The methods are called in order. If the pre array contains another array, those methods are called in parallel. pre can be assigned a mixed array of:

  • arrays containing the elements listed below, which are executed in parallel.
  • objects with:
    • method - the function to call (or short-hand method string as described below). the function signature is identical to a route handler as describer in Route handler.
    • assign - key name to assign the result of the function to within request.pre.
    • failAction - determines how to handle errors returned by the method. Allowed values are:
      • 'error' - returns the error response back to the client. This is the default value.
      • 'log' - logs the error but continues processing the request. If assign is used, the error will be assigned.
      • 'ignore' - takes no special action. If assign is used, the error will be assigned.
  • functions - same as including an object with a single method key.
  • strings - special short-hand notation for registered server methods using the format 'name(args)' (e.g. 'user(params.id)') where:
    • 'name' - the method name. The name is also used as the default value of assign.
    • 'args' - the method arguments (excluding next) where each argument is a property of request.
var Hapi = require('hapi');
var server = new Hapi.Server();

var pre1 = function (request, reply) {

    reply('Hello');
};

var pre2 = function (request, reply) {

    reply('World');
};

var pre3 = function (request, reply) {

    reply(request.pre.m1 + ' ' + request.pre.m2);
};

server.route({
    method: 'GET',
    path: '/',
    config: {
        pre: [
            [
                // m1 and m2 executed in parallel
                { method: pre1, assign: 'm1' },
                { method: pre2, assign: 'm2' }
            ],
            { method: pre3, assign: 'm3' },
        ],
        handler: function (request, reply) {

            reply(request.pre.m3 + '\n');
        }
    }
});
Route not found

If the application needs to override the default Not Found (404) error response, it can add a catch-all route for a specific method or all methods. Only one catch-all route can be defined per server instance.

var Hapi = require('hapi');
var server = new Hapi.Server();

var handler = function (request, reply) {

    reply('The page was not found').code(404);
};

server.route({ method: '*', path: '/{p*}', handler: handler });

server.route(routes)

Same as server.route(options) where routes is an array of route options.

server.route([
    { method: 'GET', path: '/status', handler: status },
    { method: 'GET', path: '/user', config: user }
]);

server.table([host])

Returns a copy of the routing table where:

  • host - optional host to filter routes matching a specific virtual host. Defaults to all virtual hosts.

The return value is an array of routes where each route contains:

  • settings - the route config with defaults applied.
  • method - the HTTP method in lower case.
  • path - the route path.
var table = server.table()
console.log(table);

/*  Output:

    [{
        method: 'get',
        path: '/test/{p}/end',
        settings: {
            handler: [Function],
            method: 'get',
            plugins: {},
            app: {},
            validate: {},
            payload: { output: 'stream' },
            auth: undefined,
            cache: [Object] }
    }] */

server.log(tags, [data, [timestamp]])

The server.log() method is used for logging server events that cannot be associated with a specific request. When called the server emits a 'log' event which can be used by other listeners or plugins to record the information or output to the console. The arguments are:

  • tags - a string or an array of strings (e.g. ['error', 'database', 'read']) used to identify the event. Tags are used instead of log levels and provide a much more expressive mechanism for describing and filtering events. Any logs generated by the server internally include the 'hapi' tag along with event-specific information.
  • data - an optional message string or object with the application data being logged.
  • timestamp - an optional timestamp expressed in milliseconds. Defaults to Date.now() (now).
var Hapi = require('hapi');
var server = new Hapi.Server();

server.on('log', function (event, tags) {

    if (tags.error) {
        console.log(event);
    }
});

server.log(['test', 'error'], 'Test event');

server.state(name, [options])

HTTP state management uses client cookies to persist a state across multiple requests. Cookie definitions can be registered with the server using the server.state() method, where:

  • name - is the cookie name.
  • options - are the optional cookie settings:
    • ttl - time-to-live in milliseconds. Defaults to null (session time-life - cookies are deleted when the browser is closed).
    • isSecure - sets the 'Secure' flag. Defaults to false.
    • isHttpOnly - sets the 'HttpOnly' flag. Defaults to false.
    • path - the path scope. Defaults to null (no path).
    • domain - the domain scope. Defaults to null (no domain).
    • autoValue - if present and the cookie was not received from the client or explicitly set by the route handler, the cookie is automatically added to the response with the provided value. The value can be a function with signature function(request, next) where:
      • request - the request object.
      • next - the continuation function using the function(err, value) signature.
    • encoding - encoding performs on the provided value before serialization. Options are:
      • 'none' - no encoding. When used, the cookie value must be a string. This is the default value.
      • 'base64' - string value is encoded using Base64.
      • 'base64json' - object value is JSON-stringified than encoded using Base64.
      • 'form' - object value is encoded using the x-www-form-urlencoded method.
      • 'iron' - Encrypts and sign the value using iron.
    • sign - an object used to calculate an HMAC for cookie integrity validation. This does not provide privacy, only a mean to verify that the cookie value was generated by the server. Redundant when 'iron' encoding is used. Options are:
    • password - password used for 'iron' encoding.
    • iron - options for 'iron' encoding. Defaults to require('iron').defaults.
    • failAction - overrides the default server state.cookies.failAction setting.
    • clearInvalid - overrides the default server state.cookies.clearInvalid setting.
    • strictHeader - overrides the default server state.cookies.strictHeader setting.
    • passThrough - overrides the default proxy localStatePassThrough setting.
// Set cookie definition

server.state('session', {
    ttl: 24 * 60 * 60 * 1000,     // One day
    isSecure: true,
    path: '/',
    encoding: 'base64json'
});

// Set state in route handler

var handler = function (request, reply) {

    var session = request.state.session;
    if (!session) {
        session = { user: 'joe' };
    }

    session.last = Date.now();

    reply('Success').state('session', session);
};

Registered cookies are automatically parsed when received. Parsing rules depends on the server state.cookies configuration. If an incoming registered cookie fails parsing, it is not included in request.state, regardless of the state.cookies.failAction setting. When state.cookies.failAction is set to 'log' and an invalid cookie value is received, the server will emit a 'request' event. To capture these errors subscribe to the 'request' events and filter on 'error' and 'state' tags:

server.on('request', function (request, event, tags) {

    if (tags.error && tags.state) {
        console.error(event);
    }
});

server.views(options)

Initializes the server views manager programmatically instead of via the server views configuration option. The options object is the same as the server views config object.

server.views({
    engines: {
        html: require('handlebars'),
        jade: require('jade')
    },
    path: '/static/templates'
});

server.cache(name, options)

Provisions a server cache segment within the common caching facility where:

  • options - cache configuration as described in catbox module documentation:
    • expiresIn - relative expiration expressed in the number of milliseconds since the item was saved in the cache. Cannot be used together with expiresAt.
    • expiresAt - time of day expressed in 24h notation using the 'MM:HH' format, at which point all cache records for the route expire. Cannot be used together with expiresIn.
    • staleIn - number of milliseconds to mark an item stored in cache as stale and reload it. Must be less than expiresIn.
    • staleTimeout - number of milliseconds to wait before checking if an item is stale.
    • generateTimeout - number of milliseconds to wait before returning a timeout error when an item is not in the cache and the generate method is taking too long.
    • cache - the name of the cache connection configured in the 'server.cache` option. Defaults to the default cache.
var cache = server.cache('countries', { expiresIn: 60 * 60 * 1000 });

server.auth.scheme(name, scheme)

Registers an authentication scheme where:

  • name - the scheme name.
  • scheme - the method implementing the scheme with signature function(server, options) where:
    • server - a reference to the server object the scheme is added to.
    • options - optional scheme settings used to instantiate a strategy.

The scheme method must return an object with the following keys:

  • authenticate(request, reply) - required function called on each incoming request configured with the authentication scheme where:
    • request - the request object.
    • reply(err, result) - the interface the authentication method must call when done where:
      • err - if not null, indicates failed authentication.
      • result - an object containing:
        • credentials - the authenticated credentials. Required if err is null.
        • artifacts - optional authentication artifacts.
        • log - optional object used to customize the request authentication log which supports:
          • data - log data.
          • tags - additional tags.
  • payload(request, next) - optional function called to authenticate the request payload where:
    • request - the request object.
    • next(err) - the continuation function the method must called when done where:
      • err - if null, payload successfully authenticated. If false, indicates that authentication could not be performed (e.g. missing payload hash). If set to any other value, it is used as an error response.
  • response(request, next) - optional function called to decorate the response with authentication headers before the response headers or payload is written where:
    • request - the request object.
    • next(err) - the continuation function the method must called when done where:
      • err - if null, successfully applied. If set to any other value, it is used as an error response.

server.auth.strategy(name, scheme, [mode], [options])

Registers an authentication strategy where:

  • name - the strategy name.
  • scheme - the scheme name (must be previously registered using server.auth.scheme()).
  • mode - if true, the scheme is automatically assigned as a required strategy to any route without an auth config. Can only be assigned to a single server strategy. Value must be true (which is the same as 'required') or a valid authentication mode ('required', 'optional', 'try'). Defaults to false.
  • options - scheme options based on the scheme requirements.

server.auth.default(options)

Sets a default startegy which is applied to every route. The default does not apply when the route config specifies auth as false, or has an authentication strategy configured. Otherwise, the route authentication config is applied to the defaults. Note that the default only applies at time of route configuration, not at runtime. Calling default() after adding a route will have no impact on that route. The function requires:

  • options - a string with the default strategy name or an object with a specified strategy or strategies using the same format as the route auth handler options.

server.auth.test(strategy, request, next)

Tests a request against an authentication strategy where:

  • strategy - the strategy name registered with server.auth.strategy().
  • request - the request object. The request route authentication configuration is not used.
  • next - the callback function with signature function(err, credentials) where:
    • err - the error if authentication failed.
    • credentials - the authentication credentials object if authentication was successful.

server.ext(event, method, [options])

Registers an extension function in one of the available extension points where:

  • event - the event name.
  • method - a function or an array of functions to be executed at a specified point during request processing. The required extension function signature is function(request, next) where:
    • request - the incoming request object.
    • next - the callback function the extension method must call to return control over to the router with signature function(exit) where:
      • exit - optional request processing exit response. If set to a non-falsy value, the request lifecycle process will jump to the "send response" step, skipping all other steps in between, and using the exit value as the new response. exit can be any result value accepted by reply().
    • this - the object provided via options.bind.
  • options - an optional object with the following:
    • before - a string or array of strings of plugin names this method must execute before (on the same event). Otherwise, extension methods are executed in the order added.
    • after - a string or array of strings of plugin names this method must execute after (on the same event). Otherwise, extension methods are executed in the order added.
    • bind - any value passed back to the provided method (via this) when called.
var Hapi = require('hapi');
var server = new Hapi.Server();

server.ext('onRequest', function (request, next) {

    // Change all requests to '/test'
    request.setUrl('/test');
    next();
});

var handler = function (request, reply) {

    reply({ status: 'ok' });
};

server.route({ method: 'GET', path: '/test', handler: handler });
server.start();

// All requests will get routed to '/test'
Request lifecycle

Each incoming request passes through a pre-defined set of steps, along with optional extensions:

  • 'onRequest' extension point
    • always called
    • the request object passed to the extension functions is decorated with the request.setUrl(url) and request.setMethod(verb) methods. Calls to these methods will impact how the request is routed and can be used for rewrite rules.
    • request.route is not yet populated as the router only looks at the request after this point.
  • Lookup route using request path
  • Parse cookies
  • 'onPreAuth' extension point
  • Authenticate request
  • Read and parse payload
  • Authenticate request payload
  • 'onPostAuth' extension point
  • Validate path parameters
  • Process query extensions (e.g. JSONP)
  • Validate query
  • Validate payload
  • 'onPreHandler' extension point
  • Route prerequisites
  • Route handler
  • 'onPostHandler' extension point
    • The response object contained in request.response may be modified (but not assigned a new value). To return a different response type (for example, replace an error with an HTML response), return a new response via next(response).
  • Validate response payload
  • 'onPreResponse' extension point
    • always called.
    • The response contained in request.response may be modified (but not assigned a new value). To return a different response type (for example, replace an error with an HTML response), return a new response via next(response). Note that any errors generated after next(response) is called will not be passed back to the 'onPreResponse' extension method to prevent an infinite loop.
  • Send response (may emit 'internalError' event)
  • Emits 'response' event
  • Wait for tails
  • Emits 'tail' event

server.method(name, fn, [options])

Registers a server method function. Server methods are functions registered with the server and used throughout the application as a common utility. Their advantage is in the ability to configure them to use the built-in cache and shared across multiple request handlers without having to create a common module.

Methods are registered via server.method(name, fn, [options]) where:

  • name - a unique method name used to invoke the method via server.methods[name]. When configured with caching enabled, server.methods[name].cache.drop(arg1, arg2, ..., argn, callback) can be used to clear the cache for a given key. Supports using nested names such as utils.users.get which will automatically create the missing path under server.methods and can be accessed for the previous example via server.methods.utils.users.get.
  • fn - the method function with the signature is function(arg1, arg2, ..., argn, next) where:
    • arg1, arg2, etc. - the method function arguments.
    • next - the function called when the method is done with the signature function(err, result, ttl) where:
      • err - error response if the method failed.
      • result - the return value.
      • ttl - 0 if result is valid but cannot be cached. Defaults to cache policy.
  • options - optional configuration:
    • bind - an object passed back to the provided method function (via this) when called. Defaults to null unless added via a plugin, in which case it defaults to the plugin bind object.
    • cache - cache configuration as described in catbox module documentation with a few additions:
      • expiresIn - relative expiration expressed in the number of milliseconds since the item was saved in the cache. Cannot be used together with expiresAt.
      • expiresAt - time of day expressed in 24h notation using the 'MM:HH' format, at which point all cache records for the route expire. Cannot be used together with expiresIn.
      • staleIn - number of milliseconds to mark an item stored in cache as stale and reload it. Must be less than expiresIn.
      • staleTimeout - number of milliseconds to wait before checking if an item is stale.
      • generateTimeout - number of milliseconds to wait before returning a timeout error when an item is not in the cache and the generate method is taking too long.
      • segment - optional segment name, used to isolate cached items within the cache partition. Defaults to '#name' where 'name' is the method name. When setting segment manually, it must begin with '##'.
      • cache - the name of the cache connection configured in the 'server.cache` option. Defaults to the default cache.
    • generateKey - a function used to generate a unique key (for caching) from the arguments passed to the method function (with the exception of the last 'next' argument). The server will automatically generate a unique key if the function's arguments are all of types 'string', 'number', or 'boolean'. However if the method uses other types of arguments, a key generation function must be provided which takes the same arguments as the function and returns a unique string (or null if no key can be generated). Note that when the generateKey method is invoked, the arguments list will include the next argument which must not be used in calculation of the key.
var Hapi = require('hapi');
var server = new Hapi.Server();

// Simple arguments

var add = function (a, b, next) {

    next(null, a + b);
};

server.method('sum', add, { cache: { expiresIn: 2000 } });

server.methods.sum(4, 5, function (err, result) {

    console.log(result);
});

// Object argument

var addArray = function (array, next) {

    var sum = 0;
    array.forEach(function (item) {

        sum += item;
    });

    next(null, sum);
};

server.method('sumObj', addArray, {
    cache: { expiresIn: 2000 },
    generateKey: function (array) {

        return array.join(',');
    }
});

server.methods.sumObj([5, 6], function (err, result) {

    console.log(result);
});

server.method(method)

Registers a server method function as described in server.method() using a method object or an array of objects where each has:

  • name - the method name.
  • fn - the method function.
  • options - optional settings.
var add = function (a, b, next) {

    next(null, a + b);
};

server.method({ name: 'sum', fn: add, options: { cache: { expiresIn: 2000 } } });

server.method([{ name: 'also', fn: add }]);

server.inject(options, callback)

Injects a request into the server simulating an incoming HTTP request without making an actual socket connection. Injection is useful for testing purposes as well as for invoking routing logic internally without the overhead or limitations of the network stack. Utilizes the shot module for performing injections, with some additional options and response properties:

  • options - can be assign a string with the requested URI, or an object with:
    • method - the request HTTP method (e.g. 'POST'). Defaults to 'GET'.
    • url - the request URL. If the URI includes an authority (e.g. 'example.com:8080'), it is used to automatically set an HTTP 'Host' header, unless one was specified in headers.
    • headers - an object with optional request headers where each key is the header name and the value is the header content. Defaults to no additions to the default Shot headers.
    • payload - an optional string or buffer containing the request payload (object must be manually converted to a string first). Defaults to no payload. Note that payload processing defaults to 'application/json' if no 'Content-Type' header provided.
    • credentials - an optional credentials object containing authentication information. The credentials are used to bypass the default authentication strategies, and are validated directly as if they were received via an authentication scheme. Defaults to no credentials.
    • simulate - an object with options used to simulate client request stream conditions for testing:
      • error - if true, emits an 'error' event after payload transmission (if any). Defaults to false.
      • close - if true, emits a 'close' event after payload transmission (if any). Defaults to false.
      • end - if false, does not end the stream. Defaults to true.
  • callback - the callback function with signature function(res) where:
    • res - the response object where:
      • statusCode - the HTTP status code.
      • headers - an object containing the headers set.
      • payload - the response payload string.
      • rawPayload - the raw response payload buffer.
      • raw - an object with the injection request and response objects:
        • req - the request object.
        • res - the response object.
      • result - the raw handler response (e.g. when not a stream) before it is serialized for transmission. If not available, set to payload. Useful for inspection and reuse of the internal objects returned (instead of parsing the response string).
var Hapi = require('hapi');
var server = new Hapi.Server();

var get = function (request, reply) {

    reply('Success!');
};

server.route({ method: 'GET', path: '/', handler: get });

server.inject('/', function (res) {

    console.log(res.result);
});

server.handler(name, method)

Registers a new handler type which can then be used in routes. Overriding the built in handler types (directory, file, proxy, and view), or any previously registered types is not allowed.

  • name - string name for the handler being registered.
  • method - the function used to generate the route handler using the signature function(route, options) where:
    • route - the internal route object.
    • options - the configuration object provided in the handler config.

The method function can have a defaults property of an object or function. If the property is set to an object, that object is used as the default route config for routes using this handler. If the property is set to a function, the function uses the signature function(method) and returns the route default configuration.

var Hapi = require('hapi');
var server = Hapi.createServer('localhost', 8000);

// Defines new handler for routes on this server
server.handler('test', function (route, options) {

    return function (request, reply) {

        reply('new handler: ' + options.msg);
    }
});

server.route({
    method: 'GET',
    path: '/',
    handler: { test: { msg: 'test' } }
});

server.start();

server.location(uri, [request])

Converts the provided URI to an absolute URI using the server or request configuration where:

  • uri - the relative URI.
  • request - an optional request object for using the request host header if no server location has been configured.
var Hapi = require('hapi');
var server = Hapi.createServer('localhost', 8000);

console.log(server.location('/relative'));

server.render(template, context, [options], callback)

Utilizes the server views engine configured to render a template where:

  • template - the template filename and path, relative to the templates path configured via the server views.path.
  • context - optional object used by the template to render context-specific result. Defaults to no context {}.
  • options - optional object used to override the server's views configuration.
  • callback - the callback function with signature function (err, rendered, config) where:
    • err - the rendering error if any.
    • rendered - the result view string.
    • config - the configuration used to render the template.
var Hapi = require('hapi');
var server = new Hapi.Server({
    views: {
        engines: { html: require('handlebars') },
        path: __dirname + '/templates'
    }
});

var context = {
    title: 'Views Example',
    message: 'Hello, World'
};

server.render('hello', context, function (err, rendered, config) {

    console.log(rendered);
});

Server events

The server object inherits from Events.EventEmitter and emits the following events:

  • 'log' - events logged with server.log().
  • 'request' - events generated by request.log() or internally (multiple events per request).
  • 'response' - emitted after a response to a client request is sent back. Single event per request.
  • 'tail' - emitted when a request finished processing, including any registered tails. Single event per request.
  • 'internalError' - emitted whenever an Internal Server Error (500) error response is sent. Single event per request.

When provided (as listed below) the event object include:

  • timestamp - the event timestamp.
  • request - if the event relates to a request, the request id.
  • server - if the event relates to a server, the server.info.uri.
  • tags - an array of tags (e.g. ['error', 'http']). Includes the 'hapi' tag is the event was generated internally.
  • data - optional event-specific information.

The 'log' event includes the event object and a tags object (where each tag is a key with the value true):

server.on('log', function (event, tags) {

    if (tags.error) {
        console.log('Server error: ' + (event.data || 'unspecified'));
    }
});

The 'request' event includes the request object, the event object, and a tags object (where each tag is a key with the value true):

server.on('request', function (request, event, tags) {

    if (tags.received) {
        console.log('New request: ' + event.id);
    }
});

The 'response' and 'tail' events include the request object:

server.on('response', function (request) {

    console.log('Response sent for request: ' + request.id);
});

The 'internalError' event includes the request object and the causing error err object:

server.on('internalError', function (request, err) {

    console.log('Error response (500) sent for request: ' + request.id + ' because: ' + err.message);
});

Request object

The request object is created internally for each incoming request. It is not the node request object received from the HTTP server callback (which is available in request.raw.req). The request object methods and properties change through the request lifecycle.

request properties

Each request object has the following properties:

  • app - application-specific state. Provides a safe place to store application data without potential conflicts with hapi. Should not be used by plugins which should use plugins[name].
  • auth - authentication information:
    • isAuthenticated - true is the request has been successfully authenticated, otherwise false.
    • credentials - the credential object received during the authentication process. The presence of an object does not mean successful authentication.
    • artifacts - an artifact object received from the authentication strategy and used in authentication-related actions.
    • mode - the route authentication mode.
    • error - the authentication error is failed and mode set to 'try'.
    • session - an object used by the 'cookie' authentication scheme.
  • domain - the node domain object used to protect against exceptions thrown in extensions, handlers and prerequisites. Can be used to manually bind callback functions otherwise bound to other domains.
  • headers - the raw request headers (references request.raw.headers).
  • id - a unique request identifier.
  • info - request information:
    • received - request reception timestamp.
    • remoteAddress - remote client IP address.
    • remotePort - remote client port.
    • referrer - content of the HTTP 'Referrer' (or 'Referer') header.
    • host - content of the HTTP 'Host' header (e.g. 'example.com:8080').
    • hostname - the hostname part of the 'Host' header (e.g. 'example.com').
  • method - the request method in lower case (e.g. 'get', 'post').
  • mime - the parsed content-type header. Only available when payload parsing enabled and no payload error occurred.
  • orig - an object containing the values of params, query, and payload before any validation modifications made. Only set when input validation is performed.
  • params - an object where each key is a path parameter name with matching value as described in Path parameters.
  • path - the request URI's path component.
  • payload - the request payload based on the route payload.output and payload.parse settings.
  • plugins - plugin-specific state. Provides a place to store and pass request-level plugin data. The plugins is an object where each key is a plugin name and the value is the state.
  • pre - an object where each key is the name assigned by a route prerequisites function. The values are the raw values provided to the continuation function as argument. For the wrapped response object, use responses.
  • response - the response object when set. The object can be modified but must not be assigned another object. To replace the response with another from within an extension point, use next(response) to override with a different response.
  • responses - same as pre but represented as the response object created by the pre method.
  • query - an object containing the query parameters.
  • raw - an object containing the Node HTTP server objects. Direct interaction with these raw objects is not recommended.
    • req - the request object.
    • res - the response object.
  • route - the route configuration object after defaults are applied.
  • server - the server object.
  • session - Special key reserved for plugins implementing session support. Plugins utilizing this key must check for null value to ensure there is no conflict with another similar plugin.
  • state - an object containing parsed HTTP state information (cookies) where each key is the cookie name and value is the matching cookie content after processing using any registered cookie definition.
  • url - the parsed request URI.

request methods

request.setUrl(url)

Available only in 'onRequest' extension methods.

Changes the request URI before the router begins processing the request where:

  • url - the new request path value.
var Hapi = require('hapi');
var server = new Hapi.Server();

server.ext('onRequest', function (request, next) {

    // Change all requests to '/test'
    request.setUrl('/test');
    next();
});

request.setMethod(method)

Available only in 'onRequest' extension methods.

Changes the request method before the router begins processing the request where:

  • method - is the request HTTP method (e.g. 'GET').
var Hapi = require('hapi');
var server = new Hapi.Server();

server.ext('onRequest', function (request, next) {

    // Change all requests to 'GET'
    request.setMethod('GET');
    next();
});

request.log(tags, [data, [timestamp]])

Always available.

Logs request-specific events. When called, the server emits a 'request' event which can be used by other listeners or plugins. The arguments are:

  • tags - a string or an array of strings (e.g. ['error', 'database', 'read']) used to identify the event. Tags are used instead of log levels and provide a much more expressive mechanism for describing and filtering events. Any logs generated by the server internally include the 'hapi' tag along with event-specific information.
  • data - an optional message string or object with the application data being logged.
  • timestamp - an optional timestamp expressed in milliseconds. Defaults to Date.now() (now).
var Hapi = require('hapi');
var server = new Hapi.Server();

server.on('request', function (request, event, tags) {

    if (tags.error) {
        console.log(event);
    }
});

var handler = function (request, reply) {

    request.log(['test', 'error'], 'Test event');
};

request.getLog([tags])

Always available.

Returns an array containing the events matching any of the tags specified (logical OR) where:

  • tags - is a single tag string or array of tag strings. If no tags specified, returns all events.
request.getLog();
request.getLog('error');
request.getLog(['hapi', 'error']);

request.tail([name])

Available until immediately after the 'response' event is emitted.

Adds a request tail which has to complete before the request lifecycle is complete where:

  • name - an optional tail name used for logging purposes.

Returns a tail function which must be called when the tail activity is completed.

Tails are actions performed throughout the request lifecycle, but which may end after a response is sent back to the client. For example, a request may trigger a database update which should not delay sending back a response. However, it is still desirable to associate the activity with the request when logging it (or an error associated with it).

When all tails completed, the server emits a 'tail' event.

var Hapi = require('hapi');
var server = new Hapi.Server();

var get = function (request, reply) {

    var dbTail = request.tail('write to database');

    db.save('key', 'value', function () {

        dbTail();
    });

    reply('Success!');
};

server.route({ method: 'GET', path: '/', handler: get });

server.on('tail', function (request) {

    console.log('Request completed including db activity');
});

Request events

The request object supports the following events:

  • 'peek' - emitted for each chunk of payload data read from the client connection. The event method signature is function(chunk, encoding).
  • 'finish' - emitted when the request payload finished reading. The event method signature is function ().
  • 'disconnect' - emitted when a request errors or aborts unexpectedly.
var Crypto = require('crypto');
var Hapi = require('hapi');
var server = new Hapi.Server();

server.ext('onRequest', function (request, reply) {

    var hash = Crypto.createHash('sha1');
    request.on('peek', function (chunk) {

        hash.update(chunk);
    });

    request.once('finish', function () {

        console.log(hash.digest('hex'));
    });

    request.once('disconnect', function () {

        console.error('request aborted');
    });
});

Reply interface

Flow control

When calling reply(), the router waits until process.nextTick() to continue processing the request and transmit the response. This enables making changes to the returned response object before the response is sent. This means the router will resume as soon as the handler method exits. To suspend this behavior, the returned response object includes:

  • response.hold() - puts the response on hold until response.send() is called. Available only after reply() is called and until response.hold() is invoked once.
  • response.send() - resume the response which will be transmitted in the next tick. Available only after response.hold() is called and until response.send() is invoked once.
var handler = function (request, reply) {

    var response = reply('success').hold();

    setTimeout(function () {

        response.send();
    }, 1000);
};

When calling reply() in a prerequisite, it is sometimes necessary to take over the handler execution and return a non-error response back to the client. The response object provides the takeover() method to indicate the value provided via reply() should be used as the final response and skip any other prerequisites and the handler.

var pre = function (request, reply) {

    if (!request.auth.isAuthenticated) {
        return reply('You need to login first!').takeover();
    }

    reply({ account: request.auth.credentials });   // Used in the handler later
};

reply([result])

Available only within the handler method and only before one of reply(), reply.file(), reply.view(), reply.close(), reply.proxy(), or reply.redirect() is called.

Concludes the handler activity by returning control over to the router where:

  • result - an optional response payload.

Returns a response object based on the value of result:

  • null, undefined, or empty string '' - Empty response.
  • string - Text response.
  • Buffer object - Buffer response.
  • Error object (generated via error or new Error()) - Boom object.
  • Stream object - Stream response.
  • any other object - Obj response.
var handler = function (request, reply) {

    reply('success');
};

The returned response object provides a set of methods to customize the response (e.g. HTTP status code, custom headers, etc.). The methods are response-type-specific and listed in response.

The response flow control rules apply.

var handler = function (request, reply) {

    reply('success')
        .type('text/plain')
        .header('X-Custom', 'some-value');
};

Note that if result is a Stream with a statusCode property, that status code will be used as the default response code.

reply.file(path, [options])

Available only within the handler method and only before one of reply(), reply.file(), reply.view(), reply.close(), reply.proxy(), or reply.redirect() is called.

Transmits a file from the file system. The 'Content-Type' header defaults to the matching mime type based on filename extension.:

  • path - the file path.
  • options - optional settings:
    • filename - an optional filename to specify if sending a 'Content-Disposition' header, defaults to the basename of path
    • mode - specifies whether to include the 'Content-Disposition' header with the response. Available values:
      • false - header is not included. This is the default value.
      • 'attachment'
      • 'inline'
    • lookupCompressed - if true, looks for the same filename with the '.gz' suffix for a precompressed version of the file to serve if the request supports content encoding. Defaults to false.

No return value.

The response flow control rules do not apply.

var handler = function (request, reply) {

    reply.file('./hello.txt');
};

reply.view(template, [context, [options]])

Available only within the handler method and only before one of reply(), reply.file(), reply.view(), reply.close(), reply.proxy(), or reply.redirect() is called.

Concludes the handler activity by returning control over to the router with a templatized view response where:

  • template - the template filename and path, relative to the templates path configured via the server views.path.
  • context - optional object used by the template to render context-specific result. Defaults to no context {}.
  • options - optional object used to override the server's views configuration for this response. Cannot override isCached, partialsPath, or helpersPath which are only loaded at initialization.

Returns a response object.

The response flow control rules apply.

var Hapi = require('hapi');
var server = new Hapi.Server({
    views: {
        engines: { html: require('handlebars') },
        path: __dirname + '/templates'
    }
});

var handler = function (request, reply) {

    var context = {
        title: 'Views Example',
        message: 'Hello, World'
    };

    reply.view('hello', context);
};

server.route({ method: 'GET', path: '/', handler: handler });

templates/hello.html

<!DOCTYPE html>
<html>
    <head>
        <title>{{title}}</title>
    </head>
    <body>
        <div>
            <h1>{{message}}</h1>
        </div>
    </body>
</html>

reply.close([options])

Available only within the handler method and only before one of reply(), reply.file(), reply.view(), reply.close(), reply.proxy(), or reply.redirect() is called.

Concludes the handler activity by returning control over to the router and informing the router that a response has already been sent back directly via request.raw.res and that no further response action is needed. Supports the following optional options:

  • end - if false, the router will not call request.raw.res.end()) to ensure the response was ended. Defaults to true.

No return value.

The response flow control rules do not apply.

reply.proxy(options)

Available only within the handler method and only before one of reply(), reply.file(), reply.view(), reply.close(), reply.proxy(), or reply.redirect() is called.

Proxies the request to an upstream endpoint where:

No return value.

The response flow control rules do not apply.

var handler = function (request, reply) {

    reply.proxy({ host: 'example.com', port: 80, protocol: 'http' });
};

reply.redirect(location)

Available only within the handler method and only before one of reply(), reply.file(), reply.view(), reply.close(), reply.proxy(), or reply.redirect() is called.

Redirects the client to the specified location. Same as calling reply().redirect(location).

Returns a response object.

The response flow control rules apply.

var handler = function (request, reply) {

    reply.redirect('http://example.com');
};

Changing to a permanent or non-rewriterable redirect is also available see response object redirect for more information.

Response object

Every response includes the following properties:

  • statusCode - the HTTP response status code. Defaults to 200 (except for errors).
  • headers - an object containing the response headers where each key is a header field name. Note that this is an incomplete list of headers to be included with the response. Additional headers will be added once the response is prepare for transmission (e.g. 'Location', 'Cache-Control').
  • source - the value provided using the reply() interface.
  • variety - a string indicating the type of source with available values:
    • 'plain' - a plain response such as string, number, null, or simple object (e.g. not a Stream, Buffer, or view).
    • 'buffer' - a Buffer.
    • 'view' - a view generated with reply.view().
    • 'file' - a file generated with reply.file() of via the directory handler.
    • 'stream' - a Stream.
  • app - application-specific state. Provides a safe place to store application data without potential conflicts with hapi. Should not be used by plugins which should use plugins[name].
  • plugins - plugin-specific state. Provides a place to store and pass request-level plugin data. The plugins is an object where each key is a plugin name and the value is the state.
  • settings - response handling flags:
    • charset - the 'Content-Type' HTTP header 'charset' property. Defaults to 'utf-8'.
    • encoding - the string encoding scheme used to serial data into the HTTP payload when source is a string or marshalls into a string. Defaults to 'utf8'.
    • location - the raw value used to set the HTTP 'Location' header (actual value set depends on the server location configuration option). Defaults to no header.
    • passThrough - if true and source is a Stream, copies the statusCode and headers of the stream to the outbound response. Defaults to true.
    • stringify - options used for source value requiring stringification. Defaults to no replacer and no space padding.
    • ttl - if set, overrides the route cache expiration milliseconds value set in the route config. Defaults to no override.
    • varyEtag - if true, a suffix will be automatically added to the 'ETag' header at transmission time (separated by a '-' character) when the HTTP 'Vary' header is present.

It provides the following methods:

  • bytes(length) - sets the HTTP 'Content-Length' header (to avoid chunked transfer encoding) where:
    • length - the header value. Must match the actual payload size.
  • charset(charset) - sets the 'Content-Type' HTTP header 'charset' property where: charset - the charset property value.
  • code(statusCode) - sets the HTTP status code where:
    • statusCode - the HTTP status code.
  • created(location) - sets the HTTP status code to Created (201) and the HTTP 'Location' header where: location - an absolute or relative URI used as the 'Location' header value. If a relative URI is provided, the value of the server location configuration option is used as prefix. Not available for methods other than PUT and POST.
  • encoding(encoding) - sets the string encoding scheme used to serial data into the HTTP payload where: encoding - the encoding property value (see node Buffer encoding).
  • etag(tag, options) - sets the representation entity tag where:
    • tag - the entity tag string without the double-quote.
    • options - optional settings where:
      • weak - if true, the tag will be prefixed with the 'W/' weak signifier. Weak tags will fail to match identical tags for the purpose of determining 304 response status. Defaults to false.
      • vary - if true, a suffix will be automatically added to the tag at transmission time (separated by a '-' character) when the HTTP 'Vary' header is present. Ignored when weak is true. Defaults to true when a tag is set using this method and when using the internal file or directory handlers, otherwise false.
  • header(name, value, options) - sets an HTTP header where:
    • name - the header name.
    • value - the header value.
    • options - optional settings where:
      • append - if true, the value is appended to any existing header value using separator. Defaults to false.
      • separator - string used as separator when appending to an exiting value. Defaults to ','.
      • override - if false, the header value is not set if an existing value present. Defaults to true.
  • location(location) - sets the HTTP 'Location' header where:
    • uri - an absolute or relative URI used as the 'Location' header value. If a relative URI is provided, the value of the server location configuration option is used as prefix.
  • redirect(location) - sets an HTTP redirection response (302) and decorates the response with additional methods listed below, where:
    • location - an absolute or relative URI used to redirect the client to another resource. If a relative URI is provided, the value of the server location configuration option is used as prefix.
  • state(name, value, [options]) - sets an HTTP cookie where:
    • name - the cookie name.
    • value - the cookie value. If no encoding is defined, must be a string.
    • options - optional configuration. If the state was previously registered with the server using server.state(), the specified keys in options override those same keys in the server definition (but not others).
  • ttl(msec) - overrides the default route cache expiration rule for this response instance where:
    • msec - the time-to-live value in milliseconds.
  • type(mimeType) - sets the HTTP 'Content-Type' header where:
    • value - is the mime type. Should only be used to override the built-in default for each response type.
  • unstate(name) - clears the HTTP cookie by setting an expired value where:
    • name - the cookie name.
  • vary(header) - adds the provided header to the list of inputs affected the response generation via the HTTP 'Vary' header where:
    • header - the HTTP request header name.

When the value provided by reply() requires stringification before transmission, the following methods are provided:

  • replacer(method) - sets the JSON.stringify() replacer argument where:
    • method - the replacer function or array. Defaults to none.
  • spaces(count) - sets the JSON.stringify() space argument where:
    • count - the number of spaces to indent nested object keys. Defaults to no indentation.

Response Object Redirect Methods

When using the redirect() method, the response object provides these additional methods:

  • temporary(isTemporary) - sets the status code to 302 or 307 (based on the rewritable() setting) where:
    • isTemporary - if false, sets status to permanent. Defaults to true.
  • permanent(isPermanent) - sets the status code to 301 or 308 (based on the rewritable() setting) where:
    • isPermanent - if true, sets status to temporary. Defaults to false.
  • rewritable(isRewritable) - sets the status code to 301/302 for rewritable (allows changing the request method from 'POST' to 'GET') or 307/308 for non-rewritable (does not allow changing the request method from 'POST' to 'GET'). Exact code based on the temporary() or permanent() setting. Arguments:
    • isRewritable - if false, sets to non-rewritable. Defaults to true.
Permanent Temporary
Rewritable 301 302(1)
Non-rewritable 308(2) 307

Notes:

  1. Default value.
  2. Proposed code, not supported by all clients.

Response events

The response object supports the following events:

  • 'peek' - emitted for each chunk of data written back to the client connection. The event method signature is function(chunk, encoding).
  • 'finish' - emitted when the response finished writing but before the client response connection is ended. The event method signature is function ().
var Crypto = require('crypto');
var Hapi = require('hapi');
var server = new Hapi.Server();

server.ext('onPreResponse', function (request, reply) {

    var response = request.response;
    if (response.isBoom) {
        return reply();
    }

    var hash = Crypto.createHash('sha1');
    response.on('peek', function (chunk) {

        hash.update(chunk);
    });

    response.once('finish', function () {

        console.log(hash.digest('hex'));
    });
});

Hapi.error

Provides a set of utilities for returning HTTP errors. An alias of the boom module (can be also accessed Hapi.boom). Each utility returns a Boom error response object (instance of Error) which includes the following properties:

  • isBoom - if true, indicates this is a Boom object instance.
  • message - the error message.
  • output - the formatted response. Can be directly manipulated after object construction to return a custom error response. Allowed root keys:
    • statusCode - the HTTP status code (typically 4xx or 5xx).
    • headers - an object containing any HTTP headers where each key is a header name and value is the header content.
    • payload - the formatted object used as the response payload (stringified). Can be directly manipulated but any changes will be lost if reformat() is called. Any content allowed and by default includes the following content:
      • statusCode - the HTTP status code, derived from error.output.statusCode.
      • error - the HTTP status message (e.g. 'Bad Request', 'Internal Server Error') derived from statusCode.
      • message - the error message derived from error.message.
  • inherited Error properties.

It also supports the following method:

  • reformat() - rebuilds error.output using the other object properties.
var Hapi = require('hapi');

var handler = function (request, reply) {

    var error = Hapi.error.badRequest('Cannot feed after midnight');
    error.output.statusCode = 499;    // Assign a custom error code
    error.reformat();

    error.output.payload.custom = 'abc_123'; // Add custom key

    reply(error);
});

Error transformation

Error responses return a JSON object with the statusCode, error, and message keys. When a different error representation is desired, such as an HTML page or using another format, the 'onPreResponse' extension point may be used to identify errors and replace them with a different response object.

var Hapi = require('hapi');
var server = new Hapi.Server({ views: { engines: { html: require('handlebars') } } });

server.ext('onPreResponse', function (request, reply) {

    var response = request.response;
    if (!response.isBoom) {
        return reply();
    }

    // Replace error with friendly HTML

      var error = response;
      var ctx = {
          message: (error.output.statusCode === 404 ? 'page not found' : 'something went wrong')
      };

      reply.view('error', ctx);
});

badRequest([message])

Returns an HTTP Bad Request (400) error response object with the provided message.

var Hapi = require('hapi');
Hapi.error.badRequest('Invalid parameter value');

unauthorized(message, [scheme, [attributes]])

Returns an HTTP Unauthorized (401) error response object where:

  • message - the error message.
  • scheme - optional HTTP authentication scheme name (e.g. 'Basic', 'Hawk'). If provided, includes the HTTP 'WWW-Authenticate' response header with the scheme and any provided attributes.
  • attributes - an object where each key is an HTTP header attribute and value is the attribute content.
var Hapi = require('hapi');
Hapi.error.unauthorized('Stale timestamp', 'Hawk', { ts: fresh, tsm: tsm });

unauthorized(message, wwwAuthenticate)

Returns an HTTP Unauthorized (401) error response object where:

  • message - the error message.
  • wwwAuthenticate - an array of HTTP 'WWW-Authenticate' header responses for multiple challenges.
var Hapi = require('hapi');
Hapi.error.unauthorized('Missing authentication', ['Hawk', 'Basic']);

clientTimeout([message])

Returns an HTTP Request Timeout (408) error response object with the provided message.

var Hapi = require('hapi');
Hapi.error.clientTimeout('This is taking too long');

serverTimeout([message])

Returns an HTTP Service Unavailable (503) error response object with the provided message.

var Hapi = require('hapi');
Hapi.error.serverTimeout('Too busy, come back later');

forbidden([message])

Returns an HTTP Forbidden (403) error response object with the provided message.

var Hapi = require('hapi');
Hapi.error.forbidden('Missing permissions');

notFound([message])

Returns an HTTP Not Found (404) error response object with the provided message.

var Hapi = require('hapi');
Hapi.error.notFound('Wrong number');

internal([message, [data]])

Returns an HTTP Internal Server Error (500) error response object where:

  • message - the error message.
  • data - optional data used for error logging. If data is an Error, the returned object is data decorated with the boom properties. Otherwise, the returned Error has a data property with the provided value.

Note that the error.output.payload.message is overridden with 'An internal server error occurred' to hide any internal details from the client. error.message remains unchanged.

var Hapi = require('hapi');

var handler = function (request, reply) {

    var result;
    try {
        result = JSON.parse(request.query.value);
    }
    catch (err) {
        result = Hapi.error.internal('Failed parsing JSON input', err);
    }

    reply(result);
};

Hapi.Pack

Pack is a collection of servers grouped together to form a single logical unit. The pack's primary purpose is to provide a unified object interface when working with plugins. Grouping multiple servers into a single pack enables treating them as a single entity which can start and stop in sync, as well as enable sharing routes and other facilities. For example, a Single Page Application (SPA) often requires a web component and an API component running as two servers using distinct ports. Another common example is when plugins register both public routes as well as internal admin routes, each on a different port but setup in a single plugin.

The servers in a pack share the same cache. Every server belongs to a pack, even if created directed via new Server(), in which case the server.pack object is automatically assigned a single-server pack.

new Pack([options])

Creates a new Pack object instance where:

  • options - optional configuration:
    • app - an object used to initialize the application-specific data stored in pack.app.
    • cache - cache configuration as described in the server cache option.
    • debug - same as the server debug config option but applied to the entire pack.
var Hapi = require('hapi');
var pack = new Hapi.Pack();

Pack properties

Each Pack object instance has the following properties:

  • app - application-specific state. Provides a safe place to store application data without potential conflicts with hapi. Initialized via the pack app configuration option. Defaults to {}.
  • events - an Events.EventEmitter providing a consolidate emitter of all the events emitted from all member pack servers as well as the 'start' and 'stop' pack events.
  • plugins - an object where each key is a plugin name and the value are the exposed properties by that plugin using plugin.expose().

Pack methods

pack.server([host], [port], [options])

Creates a Server instance and adds it to the pack, where host, port, options are the same as described in new Server() with the exception that the cache option is not allowed and must be configured via the pack cache option.

var Hapi = require('hapi');
var pack = new Hapi.Pack();

pack.server(8000, { labels: ['web'] });
pack.server(8001, { labels: ['admin'] });

pack.start([callback])

Starts all the servers in the pack and used as described in server.start([callback]).

var Hapi = require('hapi');
var pack = new Hapi.Pack();

pack.server(8000, { labels: ['web'] });
pack.server(8001, { labels: ['admin'] });

pack.start(function () {

    console.log('All servers started');
});

pack.stop([options], [callback])

Stops all the servers in the pack and used as described in server.stop([options], [callback]).

pack.stop({ timeout: 60 * 1000 }, function () {

    console.log('All servers stopped');
});

pack.register(plugins, [options], callback)

Registers a plugin where:

  • plugins - a plugin object or array of plugin objects. The objects can use one of two formats:
    • a module plugin object.
    • a manually constructed plugin object.
  • options - optional registration options (used by hapi and is not passed to the plugin):
    • select - string or array of strings of labels to pre-select for plugin registration.
    • route - apply modifiers to any routes added by the plugin:
      • prefix - string added as prefix to any route path (must begin with '/'). If a plugin registers a child plugin the prefix is passed on to the child or is added in front of the child-specific prefix.
      • vhost - virtual host string (or array of strings) applied to every route. The outter-most vhost overrides the any nested configuration.
  • callback - the callback function with signature function(err) where:
    • err - an error returned from exports.register(). Note that incorrect usage, bad configuration, or namespace conflicts (e.g. among routes, methods, state) will throw an error and will not return a callback.

Module plugin is registered by passing the following object (or array of object) as plugins:

  • plugin - an object (usually obtained by calling node's require()) with:
    • register - the exports.register() function. The function must have an attributes property with either name (and optional version) keys or pkg with the content of the module's 'package.json'.
  • options - optional configuration object which is passed to the plugin via the options argument in exports.register().
server.pack.register({
    plugin: require('plugin_name'),
    options: {
        message: 'hello'
    }
 }, function (err) {

     if (err) {
         console.log('Failed loading plugin');
     }
 });

Manually constructed plugin is an object containing:

  • name - plugin name.
  • version - an optional plugin version. Defaults to '0.0.0'.
  • multiple - an optional boolean indicating if the plugin is safe to register multiple time with the same server. Defaults to false.
  • register - the register() function.
  • options - optional configuration object which is passed to the plugin via the options argument in exports.register().
server.pack.register({
    name: 'test',
    version: '2.0.0',
    register: function (plugin, options, next) {

        plugin.route({ method: 'GET', path: '/special', handler: function (request, reply) { reply(options.message); } });
        next();
    },
    options: {
        message: 'hello'
    }
}, function (err) {

    if (err) {
        console.log('Failed loading plugin');
    }
});

Pack.compose(manifest, [options], callback)

Provides a simple way to construct a Pack from a single configuration object, including configuring servers and registering plugins where:

  • manifest - an object with the following keys:
    • pack - the pack options as described in new Pack(). In order to support loading JSON documents, The compose() function supports passing a module name string as the value of pack.cache or pack.cache.engine. These strings are resolved the same way the plugins keys are (using options.relativeTo).
    • servers - an array of server configuration objects where:
      • host, port, options - the same as described in new Server() with the exception that the cache option is not allowed and must be configured via the pack cache option. The host and port keys can be set to an environment variable by prefixing the variable name with '$env.'.
    • plugins - an object where each key is a plugin name, and each value is one of:
      • the options object passed to the plugin on registration.
      • an array of object where:
        • options - the object passed to the plugin on registration.
        • any key supported by the pack.register() options used for registration (e.g. select).
  • options - optional compose configuration:
    • relativeTo - path prefix used when loading plugins using node's require(). The relativeTo path prefix is added to any relative plugin name (i.e. beings with './'). All other module names are required as-is and will be looked up from the location of the hapi module path (e.g. if hapi resides outside of your project node_modules path, it will not find your project dependencies - you should specify them as relative and use the relativeTo option).
  • callback - the callback method, called when all packs and servers have been created and plugins registered has the signature function(err, pack) where:
    • err - an error returned from exports.register(). Note that incorrect usage, bad configuration, or namespace conflicts (e.g. among routes, methods, state) will throw an error and will not return a callback.
    • pack - the composed Pack object.
var Hapi = require('hapi');

var manifest = {
    pack: {
        cache: 'catbox-memory'
    },
    servers: [
        {
            port: 8000,
            options: {
                labels: ['web']
            }
        },
        {
            host: 'localhost',
            port: 8001,
            options: {
                labels: ['admin']
            }
        }
    ],
    plugins: {
        'yar': {
            cookieOptions: {
                password: 'secret'
            }
        },
        'furball': [
            {
                select: 'web',
                options: {
                    version: '/v'
                }
            }
        ]
    }
};

Hapi.Pack.compose(manifest, function (err, pack) {

    pack.start();
});

Plugin interface

Plugins provide an extensibility platform for both general purpose utilities such as batch requests and for application business logic. Instead of thinking about a web server as a single entity with a unified routing table, plugins enable developers to break their application into logical units, assembled together in different combinations to fit the development, testing, and deployment needs.

A plugin is constructed with the following:

  • name - the plugin name is used as a unique key. Public plugins should be published in the npm registry and derive their name from the registry name to ensure uniqueness. Private plugin names should be picked carefully to avoid conflicts with both private and public names.
  • registration function - the function described in exports.register() is the plugin's core. The function is called when the plugin is registered and it performs all the activities required by the plugin to operate. It is the single entry point into the plugin's functionality.
  • version - the optional plugin version is only used informatively to enable other plugins to find out the versions loaded. The version should be the same as the one specified in the plugin's 'package.json' file.

The name and versions are included by attaching an attributes property to the exports.register() function:

exports.register = function (plugin, options, next) {

    plugin.route({
        method: 'GET',
        path: '/version',
        handler: function (request, reply) {

            reply('1.0.0');
        }
    });

    next();
};

exports.register.attributes = {
    name: 'example',
    version: '1.0.0'
};

Alternatively, the name and version can be included via the pkg attribute containing the 'package.json' file for the module which already has the name and version included:

exports.register.attributes = {
    pkg: require('./package.json')
};

The multiple attributes specifies that a plugin is safe to register multiple times with the same server.

exports.register.attributes = {
    multiple: true,
    pkg: require('./package.json')
};

exports.register(plugin, options, next)

Registers the plugin where:

  • plugin - the registration interface representing the pack the plugin is being registered into. Provides the properties and methods listed below.
  • options - the options object provided by the pack registration methods.
  • next - the callback function the plugin must call to return control over to the application and complete the registration process. The function signature is function(err) where:
    • err - internal plugin error condition, which is returned back via the registration methods' callback. A plugin registration error is considered an unrecoverable event which should terminate the application.
exports.register = function (plugin, options, next) {

    plugin.route({ method: 'GET', path: '/', handler: function (request, reply) { reply('hello world') } });
    next();
};

Root methods and properties

The plugin interface root methods and properties are those available only on the plugin object received via the exports.register() interface. They are not available on the object received by calling plugin.select().

plugin.hapi

A reference to the hapi module used to create the pack and server instances. Removes the need to add a dependency on hapi within the plugin.

exports.register = function (plugin, options, next) {

    var Hapi = plugin.hapi;

    var handler = function (request, reply) {

        reply(Hapi.error.internal('Not implemented yet'));
    };

    plugin.route({ method: 'GET', path: '/', handler: handler });
    next();
};

plugin.version

The hapi version used to load the plugin.

exports.register = function (plugin, options, next) {

    console.log(plugin.version);
    next();
};

plugin.config

The registration options provided to the pack.register() method. Contains:

  • route - route path prefix and virtual host settings.
exports.register = function (plugin, options, next) {

    console.log(plugin.config.route.prefix);
    next();
};

plugin.app

Provides access to the common pack application-specific state.

exports.register = function (plugin, options, next) {

    plugin.app.hapi = 'joi';
    next();
};

plugin.plugins

An object where each key is a plugin name and the value are the exposed properties by that plugin using plugin.expose() when called at the plugin root level (without calling plugin.select()).

exports.register = function (plugin, options, next) {

    console.log(plugin.plugins.example.key);
    next();
};

plugin.path(path)

Sets the path prefix used to locate static resources (files and view templates) when relative paths are used by the plugin:

  • path - the path prefix added to any relative file path starting with '.'. The value has the same effect as using the server's configuration files.relativeTo option but only within the plugin.
exports.register = function (plugin, options, next) {

    plugin.path(__dirname + '../static');
    plugin.route({ path: '/file', method: 'GET', handler: { file: './test.html' } });
    next();
};

plugin.log(tags, [data, [timestamp]])

Emits a 'log' event on the pack.events emitter using the same interface as server.log().

exports.register = function (plugin, options, next) {

    plugin.log(['plugin', 'info'], 'Plugin registered');
    next();
};

plugin.after(method)

Add a method to be called after all the required plugins have been registered and before the servers start. The function is only called if the pack servers are started. Arguments:

  • after - the method with signature function(plugin, next) where:
    • plugin - the plugin interface object.
    • next - the callback function the method must call to return control over to the application and complete the registration process. The function signature is function(err) where:
      • err - internal plugin error condition, which is returned back via the pack.start(callback) callback. A plugin registration error is considered an unrecoverable event which should terminate the application.
exports.register = function (plugin, options, next) {

    plugin.after(after);
    next();
};

var after = function (plugin, next) {

    // Additional plugin registration logic
    next();
};

plugin.views(options)

Generates a plugin-specific views manager for rendering templates where:

  • options - the views configuration as described in the server's views option. Note that due to the way node require() operates, plugins must require rendering engines directly and pass the engine using the engines.module option.

Note that relative paths are relative to the plugin root, not the working directory or the application registering the plugin. This allows plugin the specify their own static resources without having to require external configuration.

exports.register = function (plugin, options, next) {

    plugin.views({
        engines: {
            html: {
              module: Handlebars.create()
            }
        },
        path: './templates'
    });

    next();
};

plugin.method(name, fn, [options])

Registers a server method function with all the pack's servers as described in server.method()

exports.register = function (plugin, options, next) {

    plugin.method('user', function (id, next) {

        next(null, { id: id });
    });

    next();
};

plugin.method(method)

Registers a server method function with all the pack's servers as described in server.method()

exports.register = function (plugin, options, next) {

    plugin.method({
        name: 'user',
        fn: function (id, next) {

            next(null, { id: id });
        }
    });

    next();
};

plugin.methods

Provides access to the method methods registered with plugin.method()

exports.register = function (plugin, options, next) {

    plugin.method('user', function (id, next) {

        next(null, { id: id });
    });

    plugin.methods.user(5, function (err, result) {

        // Do something with result

        next();
    });
};

plugin.cache(options)

Provisions a plugin cache segment within the pack's common caching facility where:

  • options - cache configuration as described in catbox module documentation with a few additions:
    • expiresIn - relative expiration expressed in the number of milliseconds since the item was saved in the cache. Cannot be used together with expiresAt.
    • expiresAt - time of day expressed in 24h notation using the 'MM:HH' format, at which point all cache records for the route expire. Cannot be used together with expiresIn.
    • staleIn - number of milliseconds to mark an item stored in cache as stale and reload it. Must be less than expiresIn.
    • staleTimeout - number of milliseconds to wait before checking if an item is stale.
    • generateTimeout - number of milliseconds to wait before returning a timeout error when an item is not in the cache and the generate method is taking too long.
    • segment - optional segment name, used to isolate cached items within the cache partition. Defaults to '!name' where 'name' is the plugin name. When setting segment manually, it must begin with '!!'.
    • cache - the name of the cache connection configured in the 'server.cache` option. Defaults to the default cache.
    • shared - if true, allows multiple cache users to share the same segment (e.g. multiple servers in a pack using the same cache. Default to not shared.
exports.register = function (plugin, options, next) {

    var cache = plugin.cache({ expiresIn: 60 * 60 * 1000 });
    next();
};

plugin.bind(bind)

Sets a global plugin bind used as the default bind when adding a route or an extension using the plugin interface (if no explicit bind is provided as an option). The bind object is made available within the handler and extension methods via this.

var handler = function (request, reply) {

    request.reply(this.message);
};

exports.register = function (plugin, options, next) {

    var bind = {
        message: 'hello'
    };

    plugin.bind(bind);
    plugin.route({ method: 'GET', path: '/', handler: handler });
    next();
};

plugin.handler(name, method)

Registers a new handler type as describe in server.handler(name, method).

exports.register = function (plugin, options, next) {

    var handlerFunc = function (route, options) {

        return function (request, reply) {

            reply('Message from plugin handler: ' + options.msg);
        }
    };

    plugin.handler('testHandler', handlerFunc);
    next();
}

plugin.render(template, context, [options], callback)

Utilizes the plugin views engine configured to render a template where:

  • template - the template filename and path, relative to the templates path configured via 'plugin.views()`.
  • context - optional object used by the template to render context-specific result. Defaults to no context {}.
  • options - optional object used to override the plugin's 'plugin.views()` configuration.
  • callback - the callback function with signature function (err, rendered, config) where:
    • err - the rendering error if any.
    • rendered - the result view string.
    • config - the configuration used to render the template.
exports.register = function (plugin, options, next) {

    plugin.views({
        engines: {
            html: {
              module: Handlebars.create()
            }
        },
        path: './templates'
    });

    plugin.render('hello', context, function (err, rendered, config) {

        console.log(rendered);
        next();
    });
};

Selectable methods and properties

The plugin interface selectable methods and properties are those available both on the plugin object received via the exports.register() interface and the objects received by calling plugin.select(). However, unlike the root methods, they operate only on the selected subset of servers.

plugin.select(labels)

Selects a subset of pack servers using the servers' labels configuration option where:

  • labels - a single string or array of strings of labels used as a logical OR statement to select all the servers with matching labels in their configuration.

Returns a new plugin interface with only access to the selectable methods and properties. Selecting again on a selection operates as a logic AND statement between the individual selections.

exports.register = function (plugin, options, next) {

    var selection = plugin.select('web');
    selection.route({ method: 'GET', path: '/', handler: function (request, reply) { reply('ok'); } });
    next();
};

plugin.length

The number of selected servers.

exports.register = function (plugin, options, next) {

    var count = plugin.length;
    var selectedCount = plugin.select('web').length;
    next();
};

plugin.servers

The selected servers array.

exports.register = function (plugin, options, next) {

    var selection = plugin.select('web');
    selection.servers.forEach(function (server) {

        server.route({ method: 'GET', path: '/', handler: function (request, reply) { reply('ok'); } });
    });

    next();
};

plugin.events

An emitter containing the events of all the selected servers.

exports.register = function (plugin, options, next) {

    plugin.events.on('internalError', function (request, err) {

        console.log(err);
    });

    next();
};

plugin.expose(key, value)

Exposes a property via plugin.plugins[name] (if added to the plugin root without first calling plugin.select()) and server.plugins[name] ('name' of plugin) object of each selected pack server where:

  • key - the key assigned (server.plugins[name][key] or plugin.plugins[name][key]).
  • value - the value assigned.
exports.register = function (plugin, options, next) {

    plugin.expose('util', function () { console.log('something'); });
    next();
};

plugin.expose(obj)

Merges a deep copy of an object into to the existing content of plugin.plugins[name] (if added to the plugin root without first calling plugin.select()) and server.plugins[name] ('name' of plugin) object of each selected pack server where:

  • obj - the object merged into the exposed properties container.
exports.register = function (plugin, options, next) {

    plugin.expose({ util: function () { console.log('something'); } });
    next();
};

plugin.route(options)

Adds a server route to the selected pack's servers as described in server.route(options).

exports.register = function (plugin, options, next) {

    var selection = plugin.select('web');
    selection.route({ method: 'GET', path: '/', handler: function (request, reply) { reply('ok'); } });
    next();
};

plugin.route(routes)

Adds multiple server routes to the selected pack's servers as described in server.route(routes).

exports.register = function (plugin, options, next) {

    var selection = plugin.select('admin');
    selection.route([
        { method: 'GET', path: '/1', handler: function (request, reply) { reply('ok'); } },
        { method: 'GET', path: '/2', handler: function (request, reply) { reply('ok'); } }
    ]);

    next();
};

plugin.state(name, [options])

Adds a state definition to the selected pack's servers as described in server.state().

exports.register = function (plugin, options, next) {

    plugin.state('example', { encoding: 'base64' });
    next();
};

plugin.auth.scheme(name, scheme)

Adds an authentication scheme to the selected pack's servers as described in server.auth.scheme().

plugin.auth.strategy(name, scheme, [mode], [options])

Adds an authentication strategy to the selected pack's servers as described in server.auth.strategy().

plugin.ext(event, method, [options])

Adds an extension point method to the selected pack's servers as described in server.ext().

exports.register = function (plugin, options, next) {

    plugin.ext('onRequest', function (request, extNext) {

        console.log('Received request: ' + request.path);
        extNext();
    });

    next();
};

plugin.register(plugins, [options], callback)

Adds a plugin to the selected pack's servers as described in pack.register().

exports.register = function (plugin, options, next) {

    plugin.register({
        plugin: require('plugin_name'),
        options: {
            message: 'hello'
        }
    }, next);
};

plugin.dependency(deps, [after])

Declares a required dependency upon other plugins where:

  • deps - a single string or array of strings of plugin names which must be registered in order for this plugin to operate. Plugins listed must be registered in the same pack transaction to allow validation of the dependency requirements. Does not provide version dependency which should be implemented using npm peer dependencies.
  • after - an optional function called after all the specified dependencies have been registered and before the servers start. The function is only called if the pack servers are started. If a circular dependency is created, the call will assert (e.g. two plugins each has an after function to be called after the other). The function signature is function(plugin, next) where:
    • plugin - the plugin interface object.
    • next - the callback function the method must call to return control over to the application and complete the registration process. The function signature is function(err) where:
      • err - internal plugin error condition, which is returned back via the pack.start(callback) callback. A plugin registration error is considered an unrecoverable event which should terminate the application.
exports.register = function (plugin, options, next) {

    plugin.dependency('yar', after);
    next();
};

var after = function (plugin, next) {

    // Additional plugin registration logic
    next();
};

Hapi.state

prepareValue(name, value, options, callback)

Prepares a cookie value manually outside of the normal outgoing cookies processing flow. Used when decisions have to be made about the use of cookie values when certain conditions are met (e.g. stringified object string too long). Arguments:

  • name - the cookie name.
  • value - the cookie value. If no encoding is defined, must be a string.
  • options - configuration override. If the state was previously registered with the server using server.state(), the specified keys in options override those same keys in the server definition (but not others).
  • callback - the callback function with signature function(err, value) where:
    • err - internal error condition.
    • value - the prepared cookie value.

Returns the cookie value via callback without making any changes to the response.

var Hapi = require('hapi');

var handler = function (request, reply) {

    var maxCookieSize = 512;

    var cookieOptions = {
        encoding: 'iron',
        password: 'secret'
    };

    var content = request.pre.user;

    Hapi.state.prepareValue('user', content, cookieOptions, function (err, value) {

        if (err) {
            return reply(err);
        }

        if (value.length < maxCookieSize) {
            reply.state('user', value, { encoding: 'none' } );   // Already encoded
        }

        reply('success');
    });
};

Hapi.version

The hapi module version number.

var Hapi = require('hapi');
console.log(Hapi.version);

hapi CLI

The hapi command line interface allows a pack of servers to be composed and started from a configuration file only from the command line. When installing hapi with the global flag the hapi binary script will be installed in the path. The following arguments are available to the hapi CLI:

  • '-c' - the path to configuration json file (required)
  • '-p' - the path to the node_modules folder to load plugins from (optional)
  • '--require' - a module the cli will require before hapi is required (optional) ex. loading a metrics library

Note that --require will require from node_modules, an absolute path, a relative path, or from the node_modules set by -p if available.

In order to help with A/B testing there is confidence. Confidence is a configuration document format, an API, and a foundation for A/B testing. The configuration format is designed to work with any existing JSON-based configuration, serving values based on object path ('/a/b/c' translates to a.b.c). In addition, confidence defines special $-prefixed keys used to filter values for a given criteria.

Modules

API

Bell

Notes

Testing third-party authorization is often a painful process. They are hard to test, tidious to configure, and tend to break when running on local servers. If you are having issues running bell locally, you might want to look at the isSecure and isSameSite options. Since most people don't run TLS on their local test server, isSecure must be set to false to remove the TLS requirement. isSameSite might need to be set to 'Lax' in some cases.

You should also review the default scope set for each provider early in your implementation. The default scope is meant to get the minimal permissions needed to perform simple user login. In most cases, you would want to ask for more permissions as the default often does not provide access to most API calls provided by the third-party services.

Usage

bell works by adding a login endpoint and setting it to use a bell-based authentication strategy. bell will manage the third-party authentication flow and will only call the handler if the user successfully authenticated. The handler function is then used to examine the third-party credentials (e.g. lookup an existing account or offer a registration page), setup an active session, and redirect to the actual application.

bell does not maintain a session beyond a temporary state between the authorization flow. If a user authenticated once when accessing the endpoint, they will have to authenticate again. This means bell cannot be used alone as a login system except for single-page applications that require loading a single resource. Once the handler is called, the application must set its own session management. A common solution is to combine bell with the hapi-auth-cookie authentication scheme plugin.

// Load modules

const Bell = require('@hapi/bell');
const Hapi = require('@hapi/hapi');


// Declare internals

const internals = {};


internals.start = async function () {

    const server = Hapi.server({ port: 8000 });

    // Register bell with the server

    await server.register(Bell);

    // Declare an authentication strategy using the bell scheme
    // with the name of the provider, cookie encryption password,
    // and the OAuth client credentials.

    server.auth.strategy('twitter', 'bell', {
        provider: 'twitter',
        password: 'cookie_encryption_password_secure',
        clientId: 'my_twitter_client_id',
        clientSecret: 'my_twitter_client_secret',
        isSecure: false     // Terrible idea but required if not using HTTPS especially if developing locally
    });

    // Use the 'twitter' authentication strategy to protect the
    // endpoint handling the incoming authentication credentials.
    // This endpoints usually looks up the third party account in
    // the database and sets some application state (cookie) with
    // the local application account information.

    server.route({
        method: ['GET', 'POST'],    // Must handle both GET and POST
        path: '/login',             // The callback endpoint registered with the provider
        options: {
            auth: 'twitter',
            handler: function (request, h) {

                if (!request.auth.isAuthenticated) {
                    return `Authentication failed due to: ${request.auth.error.message}`;
                }

                // Perform any account lookup or registration, setup local session,
                // and redirect to the application. The third-party credentials are
                // stored in request.auth.credentials. Any query parameters from
                // the initial request are passed back via request.auth.credentials.query.

                return h.redirect('/home');
            }
        }
    });

    await server.start();
};

internals.start();

Options

The server.auth.strategy() method requires the following strategy options:

  • provider - the name of the third-party provider ('auth0', 'azuread', 'bitbucket', 'dropbox', 'facebook', 'fitbit', 'foursquare', 'github', 'google', 'googleplus', 'instagram', 'linkedin', 'live', 'twitter', 'vk', 'arcgisonline', 'yahoo', 'nest', 'phabricator', 'office365', 'pinterest') or an object containing a custom provider with the following:

    • protocol - the authorization protocol used. Must be one of:
      • 'oauth' - OAuth 1.0a
      • 'oauth2' - OAuth 2.0
    • signatureMethod - the OAuth signature method (OAuth 1.0a only). Must be one of:
      • 'HMAC-SHA1' - default
      • 'RSA-SHA1' - in that case, the clientSecret is your RSA private key
    • temporary - the temporary credentials (request token) endpoint (OAuth 1.0a only).
    • useParamsAuth - boolean that determines if OAuth client id and client secret will be sent as parameters as opposed to an Authorization header (OAuth 2.0 only). Defaults to false.
    • auth - the authorization endpoint URI.
    • token - the access token endpoint URI.
    • scope - an array of scope strings (OAuth 2.0 only).
    • scopeSeparator - the scope separator character (OAuth 2.0 only). Only required when a provider has a broken OAuth 2.0 implementation. Defaults to space (Facebook and GitHub default to comma).
    • headers - a headers object with additional headers required by the provider (e.g. GitHub required the 'User-Agent' header which is set by default).
    • profileMethod - get or post for obtaining user profile by profile function. Default is get.
    • profile - a function used to obtain user profile information and normalize it. The function signature is async function(credentials, params, get) where:
      • credentials - the credentials object. Change the object directly within the function (profile information is typically stored under credentials.profile).
      • params - the parsed information received from the provider (e.g. token, secret, and other custom fields).
      • get - an OAuth helper function to make authenticated requests using the credentials received. The get function signature is async function(uri, params) where:
        • uri - the requested resource URI (bell will add the token or authentication header as needed).
        • params - any URI query parameters (cannot include them in the URI due to signature requirements).
        • returns the parsed profile response object.
  • password - the cookie encryption password. Used to encrypt the temporary state cookie used by the module in between the authorization protocol steps.

  • clientId - the OAuth client identifier (consumer key).

  • clientSecret - the OAuth client secret (consumer secret). This is usually a client password formatted as a string, but to allow OAuth2 custom client authentication (e.g. client certificate-based authentication), this option can be passed as an object. This object will be merged with the Wreck request object used to call the token endpoint. Such an object can contain custom HTTP headers or TLS options (e.g. { agent: new Https.Agent({ cert: myClientCert, key: myClientKey}) }).

  • forceHttps - A boolean indicating whether or not you want the redirect_uri to be forced to https. Useful if your hapi application runs as http, but is accessed through https.

  • location - Set the base redirect_uri manually if it cannot be inferred properly from server settings. Useful to override port, protocol, and host if proxied or forwarded. It may be passed either as a string (in which case request.path is appended for you), or a function which takes the client's request and returns a non-empty string, which is used as provided. In both cases, an empty string will result in default processing just as if the location option had not been specified.

Each strategy accepts the following optional settings:

  • cookie - the name of the cookie used to manage the temporary state. Defaults to 'bell-provider' where 'provider' is the provider name (or 'custom' for custom providers). For example, the Twitter cookie name defaults to 'bell-twitter'.
  • isSameSite - sets the cookie same site option. Defaults to Strict.
  • isSecure - sets the cookie secure flag. Defaults to true.
  • isHttpOnly - sets the cookie HTTP only flag. Defaults to true.
  • ttl - cookie time-to-live in milliseconds. Defaults to null (session time-life - cookies are deleted when the browser is closed).
  • domain - the domain scope. Defaults to null (no domain).
  • providerParams - provider-specific query parameters for the authentication endpoint. It may be passed either as an object to merge into the query string, or a function which takes the client's request and returns an object. Each provider supports its own set of parameters which customize the user's login experience. For example:
    • Facebook supports display ('page', 'popup', or 'touch'), auth_type, auth_nonce.
    • Google supports access_type, approval_prompt, prompt, login_hint, user_id, hd.
    • Twitter supports force_login, screen_name.
    • Linkedin supports fields.
  • allowRuntimeProviderParams - allows passing query parameters from a bell protected endpoint to the auth request. It will merge the query params you pass along with the providerParams and any other predefined ones. Be aware that this will override predefined query parameters! Default to false.
  • scope - Each built-in vendor comes with the required scope for basic profile information. Use scope to specify a different scope as required by your application. It may be passed either as an object to merge into the query string, or a function which takes the client's request and returns an object. Consult the provider for their specific supported scopes.
  • skipProfile - skips obtaining a user profile from the provider. Useful if you need specific scopes, but not the user profile. Defaults to false.
  • config - a configuration object used to customize the provider settings:
    • Twitter:
      • extendedProfile
      • getMethod
    • GitHub and Phabricator:
      • uri - allows pointing to a private enterprise installation (e.g. 'https://vpn.example.com'). See Providers documentation for more information.
  • profileParams - an object of key-value pairs that specify additional URL query parameters to send with the profile request to the provider. The built-in facebook provider, for example, could have fields specified to determine the fields returned from the user's graph, which would then be available to you in the auth.credentials.profile.raw object.
  • runtimeStateCallback - allows passing additional OAuth state from initial request. This must be a function returning a string, which will be appended to the bell internal state parameter for OAuth code flow.

Advanced Usage

Configuration via Environment Variables

The server.auth.strategy() method supports string representations of its boolean and number typed options. For example, forceHttps can be set to 'true', 'false', 'yes', or 'no'. In effect, this allows you to configure any strategy option using environment variables.

Handling Errors

By default, bell will reply back with an internal error (500) on most authentication errors due to the nature of the OAuth protocol. There is little that can be done to recover from errors as almost all of them are caused by implementation or deployment issues.

If you would like to display a useful error page instead of the default JSON response, use the hapi onPreResponse extension point to transform the error into a useful page or to redirect the user to another destination.

Another way to handle authentication errors is within the route handler. By default, an authentication error will cause the handler to be skipped. However, if the authentication mode is set to 'try' instead of 'required', the handler will still be called. In this case, the request.auth.isAuthenticated must be checked to test if authentication failed. In that case, request.auth.error will contain the error.

Token Refresh

To keep track of the token expiry time, request.auth.credentials.expiresIn provides you the duration (in seconds) after which you could send a refresh token request using the request.auth.credentials.refreshToken to get a new token.

Simulated authentication

Testing applications using third-party login can be challenging given the lack of user interaction to perform the third-party login flow as well as the multiple steps required. To assist in testing such application without having to modify the application with custom code, Bell provides an override method Bell.simulate() which puts the module into simulation mode and any strategies created while it is in this mode will return the simulated credentials.

The Bell.simulate(credentialsFunc) takes a single argument:

  • credentialsFunc - a function called for each incoming request to the protected resource that should return the credentials object to be set in request.auth.credentials. Note that bell will set the default keys automatically if not present except for the provider-specific values.

    has the signature function(request) where:

    • request - the hapi request object.

Note that you must call Bell.simulate() before the module is registered by your application and need to call Bell.simulate(false) to stop it from simulating authentication.

Usage without a strategy

Sometimes, you want to use bell without using specifying a Hapi strategy. This can be the case when combining the auth logic together with another module.

bell exposes an oauth object in its plugin. Therefore, server.plugins.bell.oauth now has all that's needed. For example, calling the v2 method with all the settings documented above, will handle the oauth2 flow.

Customized Scope and Params

You can pass a function, rather than an object, into the providerParams and scope config options to allow you to customize the scope or parameters based on the user's request. For example, this may be used you want people to be able to log in with a provider (and only need some basic user information) but also want to let users authorize your application to post messages or status updates on their behalf.

server.auth.strategy('twitter', 'bell', {
    provider: 'twitter',
    password: 'some cookie password',
    location: 'http://example.com/oauth',
    scope(request) {

        const scopes = ['public_profile', 'email'];
        if (request.query.wantsSharePermission) {
          scopes.push('publish_actions');
        }
        return scopes;
    }
});

Table of Contents

boom

Boom

boom provides a set of utilities for returning HTTP errors. Each utility returns a Boom error response object which includes the following properties:

  • isBoom - if true, indicates this is a Boom object instance. Note that this boolean should only be used if the error is an instance of Error. If it is not certain, use Boom.isBoom() instead.
  • isServer - convenience bool indicating status code >= 500.
  • message - the error message.
  • typeof - the constructor used to create the error (e.g. Boom.badRequest).
  • output - the formatted response. Can be directly manipulated after object construction to return a custom error response. Allowed root keys:
    • statusCode - the HTTP status code (typically 4xx or 5xx).
    • headers - an object containing any HTTP headers where each key is a header name and value is the header content.
    • payload - the formatted object used as the response payload (stringified). Can be directly manipulated but any changes will be lost if reformat() is called. Any content allowed and by default includes the following content:
      • statusCode - the HTTP status code, derived from error.output.statusCode.
      • error - the HTTP status message (e.g. 'Bad Request', 'Internal Server Error') derived from statusCode.
      • message - the error message derived from error.message.
  • inherited Error properties.

The Boom object also supports the following method:

reformat(debug)

Rebuilds error.output using the other object properties where:

  • debug - a Boolean that, when true, causes Internal Server Error messages to be left in tact. Defaults to false, meaning that Internal Server Error messages are redacted.

Note that Boom object will return true when used with instanceof Boom, but do not use the Boom prototype (they are either plain Error or the error prototype passed in). This means Boom objects should only be tested using instanceof Boom or Boom.isBoom() but not by looking at the prototype or contructor information. This limitation is to avoid manipulating the prototype chain which is very slow.

Helper Methods

new Boom(message, [options])

Creates a new Boom object using the provided message and then calling boomify() to decorate the error with the Boom properties, where:

  • message - the error message. If message is an error, it is the same as calling boomify() directly.
  • options - and optional object where:
    • statusCode - the HTTP status code. Defaults to 500 if no status code is already set.
    • data - additional error information (assigned to error.data).
    • decorate - an option with extra properties to set on the error object.
    • ctor - constructor reference used to crop the exception call stack output.
    • if message is an error object, also supports the other boomify() options.
boomify(err, [options])

Decorates an error with the Boom properties where:

  • err - the Error object to decorate.
  • options - optional object with the following optional settings:
    • statusCode - the HTTP status code. Defaults to 500 if no status code is already set and err is not a Boom object.
    • message - error message string. If the error already has a message, the provided message is added as a prefix. Defaults to no message.
    • decorate - an option with extra properties to set on the error object.
    • override - if false, the err provided is a Boom object, and a statusCode or message are provided, the values are ignored. Defaults to true (apply the provided statusCode and message options to the error regardless of its type, Error or Boom object).
var error = new Error('Unexpected input');
Boom.boomify(error, { statusCode: 400 });
isBoom(err)

Identifies whether an error is a Boom object. Same as calling instanceof Boom.

HTTP 4xx Errors

Boom.badRequest([message], [data])

Returns a 400 Bad Request error where:

  • message - optional message.
  • data - optional additional error data.
Boom.badRequest('invalid query');

Generates the following response payload:

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "invalid query"
}
Boom.unauthorized([message], [scheme], [attributes])

Returns a 401 Unauthorized error where:

  • message - optional message.
  • scheme can be one of the following:
    • an authentication scheme name
    • an array of string values. These values will be separated by ', ' and set to the 'WWW-Authenticate' header.
  • attributes - an object of values to use while setting the 'WWW-Authenticate' header. This value is only used when scheme is a string, otherwise it is ignored. Every key/value pair will be included in the 'WWW-Authenticate' in the format of 'key="value"' as well as in the response payload under the attributes key. Alternatively value can be a string which is use to set the value of the scheme, for example setting the token value for negotiate header. If string is used message parameter must be null. null and undefined will be replaced with an empty string. If attributes is set, message will be used as the 'error' segment of the 'WWW-Authenticate' header. If message is unset, the 'error' segment of the header will not be present and isMissing will be true on the error object.

If either scheme or attributes are set, the resultant Boom object will have the 'WWW-Authenticate' header set for the response.

Boom.unauthorized('invalid password');

Generates the following response:

"payload": {
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "invalid password"
},
"headers" {}
Boom.unauthorized('invalid password', 'sample');

Generates the following response:

"payload": {
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "invalid password",
    "attributes": {
        "error": "invalid password"
    }
},
"headers" {
  "WWW-Authenticate": "sample error=\"invalid password\""
}
Boom.unauthorized(null, 'Negotiate', 'VGhpcyBpcyBhIHRlc3QgdG9rZW4=');

Generates the following response:

"payload": {
    "statusCode": 401,
    "error": "Unauthorized",
    "attributes": "VGhpcyBpcyBhIHRlc3QgdG9rZW4="
},
"headers" {
  "WWW-Authenticate": "Negotiate VGhpcyBpcyBhIHRlc3QgdG9rZW4="
}
Boom.unauthorized('invalid password', 'sample', { ttl: 0, cache: null, foo: 'bar' });

Generates the following response:

"payload": {
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "invalid password",
    "attributes": {
        "error": "invalid password",
        "ttl": 0,
        "cache": "",
        "foo": "bar"
    }
},
"headers" {
  "WWW-Authenticate": "sample ttl=\"0\", cache=\"\", foo=\"bar\", error=\"invalid password\""
}
Boom.paymentRequired([message], [data])

Returns a 402 Payment Required error where:

  • message - optional message.
  • data - optional additional error data.
Boom.paymentRequired('bandwidth used');

Generates the following response payload:

{
    "statusCode": 402,
    "error": "Payment Required",
    "message": "bandwidth used"
}
Boom.forbidden([message], [data])

Returns a 403 Forbidden error where:

  • message - optional message.
  • data - optional additional error data.
Boom.forbidden('try again some time');

Generates the following response payload:

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "try again some time"
}
Boom.notFound([message], [data])

Returns a 404 Not Found error where:

  • message - optional message.
  • data - optional additional error data.
Boom.notFound('missing');

Generates the following response payload:

{
    "statusCode": 404,
    "error": "Not Found",
    "message": "missing"
}
Boom.methodNotAllowed([message], [data], [allow])

Returns a 405 Method Not Allowed error where:

  • message - optional message.
  • data - optional additional error data.
  • allow - optional string or array of strings (to be combined and separated by ', ') which is set to the 'Allow' header.
Boom.methodNotAllowed('that method is not allowed');

Generates the following response payload:

{
    "statusCode": 405,
    "error": "Method Not Allowed",
    "message": "that method is not allowed"
}
Boom.notAcceptable([message], [data])

Returns a 406 Not Acceptable error where:

  • message - optional message.
  • data - optional additional error data.
Boom.notAcceptable('unacceptable');

Generates the following response payload:

{
    "statusCode": 406,
    "error": "Not Acceptable",
    "message": "unacceptable"
}
Boom.proxyAuthRequired([message], [data])

Returns a 407 Proxy Authentication Required error where:

  • message - optional message.
  • data - optional additional error data.
Boom.proxyAuthRequired('auth missing');

Generates the following response payload:

{
    "statusCode": 407,
    "error": "Proxy Authentication Required",
    "message": "auth missing"
}
Boom.clientTimeout([message], [data])

Returns a 408 Request Time-out error where:

  • message - optional message.
  • data - optional additional error data.
Boom.clientTimeout('timed out');

Generates the following response payload:

{
    "statusCode": 408,
    "error": "Request Time-out",
    "message": "timed out"
}
Boom.conflict([message], [data])

Returns a 409 Conflict error where:

  • message - optional message.
  • data - optional additional error data.
Boom.conflict('there was a conflict');

Generates the following response payload:

{
    "statusCode": 409,
    "error": "Conflict",
    "message": "there was a conflict"
}
Boom.resourceGone([message], [data])

Returns a 410 Gone error where:

  • message - optional message.
  • data - optional additional error data.
Boom.resourceGone('it is gone');

Generates the following response payload:

{
    "statusCode": 410,
    "error": "Gone",
    "message": "it is gone"
}
Boom.lengthRequired([message], [data])

Returns a 411 Length Required error where:

  • message - optional message.
  • data - optional additional error data.
Boom.lengthRequired('length needed');

Generates the following response payload:

{
    "statusCode": 411,
    "error": "Length Required",
    "message": "length needed"
}
Boom.preconditionFailed([message], [data])

Returns a 412 Precondition Failed error where:

  • message - optional message.
  • data - optional additional error data.
Boom.preconditionFailed();

Generates the following response payload:

{
    "statusCode": 412,
    "error": "Precondition Failed"
}
Boom.entityTooLarge([message], [data])

Returns a 413 Request Entity Too Large error where:

  • message - optional message.
  • data - optional additional error data.
Boom.entityTooLarge('too big');

Generates the following response payload:

{
    "statusCode": 413,
    "error": "Request Entity Too Large",
    "message": "too big"
}
Boom.uriTooLong([message], [data])

Returns a 414 Request-URI Too Large error where:

  • message - optional message.
  • data - optional additional error data.
Boom.uriTooLong('uri is too long');

Generates the following response payload:

{
    "statusCode": 414,
    "error": "Request-URI Too Large",
    "message": "uri is too long"
}
Boom.unsupportedMediaType([message], [data])

Returns a 415 Unsupported Media Type error where:

  • message - optional message.
  • data - optional additional error data.
Boom.unsupportedMediaType('that media is not supported');

Generates the following response payload:

{
    "statusCode": 415,
    "error": "Unsupported Media Type",
    "message": "that media is not supported"
}
Boom.rangeNotSatisfiable([message], [data])

Returns a 416 Requested Range Not Satisfiable error where:

  • message - optional message.
  • data - optional additional error data.
Boom.rangeNotSatisfiable();

Generates the following response payload:

{
    "statusCode": 416,
    "error": "Requested Range Not Satisfiable"
}
Boom.expectationFailed([message], [data])

Returns a 417 Expectation Failed error where:

  • message - optional message.
  • data - optional additional error data.
Boom.expectationFailed('expected this to work');

Generates the following response payload:

{
    "statusCode": 417,
    "error": "Expectation Failed",
    "message": "expected this to work"
}
Boom.teapot([message], [data])

Returns a 418 I'm a Teapot error where:

  • message - optional message.
  • data - optional additional error data.
Boom.teapot('sorry, no coffee...');

Generates the following response payload:

{
    "statusCode": 418,
    "error": "I'm a Teapot",
    "message": "Sorry, no coffee..."
}
Boom.badData([message], [data])

Returns a 422 Unprocessable Entity error where:

  • message - optional message.
  • data - optional additional error data.
Boom.badData('your data is bad and you should feel bad');

Generates the following response payload:

{
    "statusCode": 422,
    "error": "Unprocessable Entity",
    "message": "your data is bad and you should feel bad"
}
Boom.locked([message], [data])

Returns a 423 Locked error where:

  • message - optional message.
  • data - optional additional error data.
Boom.locked('this resource has been locked');

Generates the following response payload:

{
    "statusCode": 423,
    "error": "Locked",
    "message": "this resource has been locked"
}
Boom.failedDependency([message], [data])

Returns a 424 Failed Dependency error where:

  • message - optional message.
  • data - optional additional error data.
Boom.failedDependency('an external resource failed');

Generates the following response payload:

{
    "statusCode": 424,
    "error": "Failed Dependency",
    "message": "an external resource failed"
}
Boom.preconditionRequired([message], [data])

Returns a 428 Precondition Required error where:

  • message - optional message.
  • data - optional additional error data.
Boom.preconditionRequired('you must supply an If-Match header');

Generates the following response payload:

{
    "statusCode": 428,
    "error": "Precondition Required",
    "message": "you must supply an If-Match header"
}
Boom.tooManyRequests([message], [data])

Returns a 429 Too Many Requests error where:

  • message - optional message.
  • data - optional additional error data.
Boom.tooManyRequests('you have exceeded your request limit');

Generates the following response payload:

{
    "statusCode": 429,
    "error": "Too Many Requests",
    "message": "you have exceeded your request limit"
}
Boom.illegal([message], [data])

Returns a 451 Unavailable For Legal Reasons error where:

  • message - optional message.
  • data - optional additional error data.
Boom.illegal('you are not permitted to view this resource for legal reasons');

Generates the following response payload:

{
    "statusCode": 451,
    "error": "Unavailable For Legal Reasons",
    "message": "you are not permitted to view this resource for legal reasons"
}

HTTP 5xx Errors

All 500 errors hide your message from the end user. Your message is recorded in the server log.

Boom.badImplementation([message], [data]) - (alias: internal)

Returns a 500 Internal Server Error error where:

  • message - optional message.
  • data - optional additional error data.
Boom.badImplementation('terrible implementation');

Generates the following response payload:

{
    "statusCode": 500,
    "error": "Internal Server Error",
    "message": "An internal server error occurred"
}
Boom.notImplemented([message], [data])

Returns a 501 Not Implemented error where:

  • message - optional message.
  • data - optional additional error data.
Boom.notImplemented('method not implemented');

Generates the following response payload:

{
    "statusCode": 501,
    "error": "Not Implemented",
    "message": "method not implemented"
}
Boom.badGateway([message], [data])

Returns a 502 Bad Gateway error where:

  • message - optional message.
  • data - optional additional error data.
Boom.badGateway('that is a bad gateway');

Generates the following response payload:

{
    "statusCode": 502,
    "error": "Bad Gateway",
    "message": "that is a bad gateway"
}
Boom.serverUnavailable([message], [data])

Returns a 503 Service Unavailable error where:

  • message - optional message.
  • data - optional additional error data.
Boom.serverUnavailable('unavailable');

Generates the following response payload:

{
    "statusCode": 503,
    "error": "Service Unavailable",
    "message": "unavailable"
}
Boom.gatewayTimeout([message], [data])

Returns a 504 Gateway Time-out error where:

  • message - optional message.
  • data - optional additional error data.
Boom.gatewayTimeout();

Generates the following response payload:

{
    "statusCode": 504,
    "error": "Gateway Time-out"
}

F.A.Q.

Q How do I include extra information in my responses? output.payload is missing data, what gives?

A There is a reason the values passed back in the response payloads are pretty locked down. It's mostly for security and to not leak any important information back to the client. This means you will need to put in a little more effort to include extra information about your custom error. Check out the "Error transformation" section in the hapi documentation.

5.0.x API Reference

Call

new Router([options])

Constructor to create a new router instance where:

  • options - an optional configuration object with the following fields:
    • isCaseSensitive - specifies if the paths should case sensitive. If set to true, /users and /USERS are considered as two different paths. Defaults to true.
const router = new Call.Router();

add(options, [data])

Adds a new route to the router where:

  • options - a configuration object with the following fields:
    • method - the HTTP method ('get', 'put', 'post', 'delete', etc.) or the wildcard character ('*') to match any methods.
    • path - the URL path to be used for route matching. The path segment can be static like '/users/1234' or it can be a dynamic path.
  • data - the application data to retrieve when a route match is found during lookup. This is typically the route handler or other metadata about what to do when a route is matched.

Throws on invalid route configuration or on a conflict with existing routes.

Dynamic Paths

Exact match

{param}: If path contains /users/{user} then it matches /users/john or /users/1234 but not /users.

Optional parameters

{param?}: ? means parameter is optional . If path contains /users/{user?} It matches /users/john as well as /users.

It is important to be aware that only the last named parameter in a path can be optional. That means that /{one?}/{two}/ is an invalid path, since in this case there is another parameter after the optional one. You may also have a named parameter covering only part of a segment of the path, but you may only have one named parameter per segment. That means that /{filename}.jpg is valid while /{filename}.{ext} is not.

Multi-segment parameters

{params*n}: With path configuration /users/{user*2}, it matches /users/john/doe or /users/harshal/patil but not /users/john. Number n after asterisk sign specifies the multiplier.

Like the optional parameters, a wildcard parameter (for example /{users*}) may only appear as the last parameter in your path.

Catch all

{params*}: Using this option, it matches anything. So /users/{user*} with match /users/, /users/john, /users/john/doe, /users/john/doe/smith

For more details about path parameters, read hapi.js docs.

Routing order

When determining what handler to use for a particular request, router searches paths in order from most specific to least specific. That means if you have two routes, one with the path /filename.jpg and a second route /filename.{ext} a request to /filename.jpg will match the first route, and not the second. This also means that a route with the path /{files*} will be the last route tested, and will only match if all other routes fail.

Call router has deterministic order than other routers and because of this deterministic order, call is able to detect conflicting routes and throw exception accordingly. In comparison, Express.js has different routing mechanism based on simple RegEx pattern matching making it faster (probably it only matters in theory) but unable to catch route conflicts. Read more about this at Eran Hammer's comments.

route(method, path)

Finds a matching route where:

  • method - the requested route method.
  • path - the requested route path.

Returns an object with the following when a match is found:

  • params - an object containing all path parameters where each key is path name and value is the corresponding parameter value in the requested path.
  • paramsArray - an array of the parameter values in order.
  • route - the data value provided when the route was added.

If no match is found, returns (not throws) an error.

API Reference

Good

good is a process monitor that listens for one or more of the below 'event types'. All of these events, except 'ops' map to a hapi event documented here.

Applications with multiple server instances, each with its own monitor should only include one log subscription per destination as general events are a process-wide facility and will result in duplicated log events.

Options

  • [includes] - optional configuration object
    • [request] - array of extra hapi request object fields to supply to reporters on "request", "response", and "error" events. Valid values ['headers', 'payload']. Defaults to [].
    • [response] - array of extra hapi response object fields to supply to reporters on "response" events. Valid values ['headers', 'payload']. Defaults to [].
  • [ops] - options for controlling the ops reporting from good. Set to false to disable ops monitoring completely.
    • config - options passed directly into the Oppsy constructor as the config value. Defaults to {}
    • interval - interval used when calling Oppsy.start(). Defaults to 15000.
  • [extensions] - an array of hapi event names to listen for and report via the good reporting mechanism. Can not be any of ['log', 'ops', 'request', 'response', 'tail']. Disclaimer This option should be used with caution. This option will allow users to listen to internal events that are not meant for public consumption. The list of available events can change with any changes to the hapi event system. Also, none of the official hapijs reporters have been tested against these custom events. The schema for these events can not be guaranteed because they vary from version to version of hapi.
  • [reporters] - Defaults to {}. reporters is an object of key, value pairs where the key is a reporter name and the value is an array of mixed value types. Valid values for the array items are:
    • streams specifications object with the following keys
      • module - can be :
        • a string that will be used to import a module from node_modules or a local file. Should export a single constructor function that can be invoked with new.
        • a function that is the constructor of your stream. It's a safer alternative to the string version when you risk having module conflicts.
      • [name] - if the imported module exports more than one constructor function, use name to specify which one to use.
      • [args] - an array of arguments to pass to the constructor when this stream object is created via new.
    • instantiated stream objects
    • string name of a built in process stream. Valid values are 'stdout' and 'stderr'.

Reporter Interface

The reporter interface uses the standard stream-and-pipe interface found commonly in the node ecosystem. Each item in the array of streams will be piped together in the array order. Any stream described using a stream specification object will be constructed with new to prevent any cross contamination from one reporter to another. For example, when passing the following specification for an "ops-console" reporter:

{
    'ops-console': [{
        module: 'good-squeeze',
        name: 'Squeeze',
        args: [{ ops: '*' }]
    }, {
        module: 'good-squeeze',
        name: 'SafeJson'
    }, 'stdout']
}

Internally, this would create an array (streams), import good-squeeze from node_modules, and then create a new "Squeeze" transform stream via new Squeeze({ ops: '*' }) and push that result into streams. Then it would create a "SafeJson" transform stream via new SafeJson() and push that into streams. Finally, since 'stdout' is an existing process stream, it gets pushed directly into streams. Once all of the streams have been created and collected, the algorithm does essentially the following:

const result = streams[0].pipe(streams[1]).pipe(streams[2]);

Any time one of the "good events" occurs, a unique copy of the event is pushed into each reporter stream pipeline. It is up to the developer to filter events they don't care about on a per pipeline basis. The "Squeeze" transform stream provides the basic event type and tag filtering used in previous versions of good which should meet many filtering needs.

It is also up to the developer to manage objectMode in each pipeline from one stream to the next. The first stream will always receive an object. After that, it's up to the developer to manage the message type throughout the pipeline. In the above example, because we want to write to stdout, we needed to add a transform stream to convert the payload coming out of "Squeeze" to a string using "SafeJson" before sending it to process.stdout. Objects can not be written directly to process.stdout, so "SafeJson" was used to safely stringify the message coming from the "Squeeze" stream.

Finally, the developer must make sure the reporting pipeline makes sense. In the above example, we pipe through two transform streams, convert the object to a string, and then write send it to process.stdout which is a write stream. If the developer mixes up the order, this pipeline would crash the process.

Each reporter pipeline receives it's own copy of the message from good. That means the payload can be freely modified without worrying about impacting other reporters. Just add more and more transform streams into the pipeline to fine-tune any reporting needs. Need a different filtering mechanism? Write a new transform stream to filter based on IP, request route, payload type... Want to add extra data about events? Just add a transform stream into the mix to add the current date, something specific to your company, filter out sensitive information before logging it... the sky is the limit.

These changes address the two most common requests; "how do I filter on X?" and "how do I add Y to the message payload?". Now developers are empowered to customize the reporting pipeline to suit their needs. While there is far less hand-holding with this interface, developers have much more control of reporting coming out of good.

This change also allows user to leverage any existing transform or write stream in the node ecosystem to be used with good.

Stream Transforms Using Plugin Configs

To drive route or request level behavior in your stream transform one option is to use the plugin config feature of hapi. Here is an example where a plugin config is used to drive a stream transform that will suppress "response" events when suppressResponseEvent === true.

Setting plugin config at the route level:

var routeConfig = {
    plugins: {
        good: {
            suppressResponseEvent: true
        }
    }
};

server.route({ method: 'GET', path: '/user', config: routeConfig });

Setting plugin config at the request level:

const handler = function (request, reply) {

    request.plugins.good = {
        suppressResponseEvent: true
    };

    reply.continue();
}

Consuming the plugin config in the stream transform:

_transform(data, enc, next) {

    if (data.event === 'response' && data.config.suppressResponseEvent === true) {
        return next();
    }

    return next(null, data);
}

Reporter Lifecycle

Startup

  1. When "onPreStart" is emitted from the hapi server, the monitoring operation starts.
  2. All of the streams are created via new (if needed) and collected into a temporary internal array.
  3. All of the streams in the temporary array are piped together. This will cause any standard Node stream events to occur that instances can listen for.

At this point, data will start flowing to each of the reporters through the pipe interface. Data can be accessed in individual instances though any of the standard stream methods and events.

Shutdown

  1. When "onPostStop" is emitted from the hapi server, the shutdown sequence starts.
  2. null is pushed through each reporter pipeline. Any synchronous teardown can happen on stream instances in "end" or "finish" events. See Node stream for more information about end-of-stream events. The callback signaling to hapi that our logic is done executing will happen on the next tick.

Event Types

  • ops - System and process performance - CPU, memory, disk, and other metrics.
  • response - Information about incoming requests and the response. This maps to either the "response" or "tail" event emitted from hapi servers.
  • log - logging information not bound to a specific request such as system errors, background processing, configuration errors, etc. Maps to the "log" event emitted from hapi servers.
  • error - request responses that have a status code of 500. This maps to the "request" hapi event on the "error" channel.
  • request - Request logging information. This maps to the hapi 'request' event that is emitted via request.log().

Event Payloads

Each event emitted from Good has a unique object representing the payload. This is useful for three reasons:

  1. It provides a predictable interface.
  2. It makes tracking down issues with MDB much easier because the payloads aren't just generic objects.
  3. It is more likely to be optimized because the V8 runtime has a better idea of what the structure of each object is going to be much sooner.

ServerLog

Event object associated with 'log' events.

  • event - 'log'
  • timestamp - JavaScript timestamp indicating when the 'log' event occurred.
  • tags - array of strings representing any tags associated with the 'log' event.
  • data - string or object passed via server.log() calls.
  • error - error object, replacing data if only an error object is passed to server.log()
  • pid - the current process id.

RequestError

Event object associated with 'error' events.

  • event - 'error'
  • timestamp - JavaScript timestamp indicating when the 'log' event occurred.
  • id - request id. Maps to request.id.
  • url - url of the request that originated the error. Maps to request.url.
  • method - method of the request that originated the error. Maps to request.method.
  • pid - the current process id.
  • error - the raw error object.
  • config - plugin-specific config object combining request.route.settings.plugins.good and request.plugins.good. Request-level overrides route-level. Reporters could use config for additional filtering logic.
  • headers - the request headers if includes.request includes "headers"

The toJSON method of GreatError has been overwritten because Error objects can not be stringified directly. A stringified GreatError will have error.message and error.stack in place of the raw Error object.

RequestSent

Event object associated with the response event option into Good.

  • event - 'response'
  • timestamp - JavaScript timestamp that maps to request.info.received.
  • id - id of the request, maps to request.id.
  • instance - maps to server.info.uri.
  • labels - maps to server.settings.labels
  • method - method used by the request. Maps to request.method.
  • path - incoming path requested. Maps to request.path.
  • query - query object used by request. Maps to request.query.
  • responseTime - calculated value of request.info.responded - request.info.received.
  • statusCode - the status code of the response.
  • pid - the current process id.
  • httpVersion - the http protocol information from the request.
  • source - object with the following values:
    • remoteAddress - information about the remote address. maps to request.info.remoteAddress
    • userAgent - the user agent of the incoming request.
    • referer - the referer headed of the incoming request.
  • route - route path used by request. Maps to request.route.path.
  • log - maps to request.logs of the hapi request object.
  • tags - array of strings representing any tags from route config. Maps to request.route.settings.tags.
  • config - plugin-specific config object combining request.route.settings.plugins.good and request.plugins.good. Request-level overrides route-level. Reporters could use config for additional filtering logic.
  • headers - the request headers if includes.request includes "headers"
  • requestPayload - the request payload if includes.request includes "payload"
  • responsePayload - the response payload if includes.response includes "payload"

Ops

Event object associated with the 'ops' event emitted from Oppsy.

  • event - 'ops'
  • timestamp - current time when the object is created.
  • host - the host name of the current machine.
  • pid - the current process id.
  • os - object with the following values:
    • load - array containing the 1, 5, and 15 minute load averages.
    • mem - object with the following values:
      • total - total system memory in bytes.
      • free - total free system memory in bytes.
    • uptime - system uptime in seconds.
  • proc - object with the following values:
    • uptime - uptime of the running process in seconds
    • mem - returns result of process.memoryUsage()
      • rss - 'resident set size' which is the amount of the process held in memory.
      • heapTotal - V8 heap total
      • heapUsed - V8 heap used
    • delay - the calculated Node event loop delay in milliseconds.
  • load - object with the following values:
    • requests - object containing information about all the requests passing through the server.
    • concurrents - object containing information about the number of concurrent connections associated with each listener object associated with the hapi server.
    • responseTimes - object with calculated average and max response times for requests.
    • sockets - object with the following values:
      • http - socket information http connections. Each value contains the name of the socket used and the number of open connections on the socket. It also includes a total for total number of open http sockets.
      • https - socket information https connections. Each value contains the name of the socket used and the number of open connections on the socket. It also includes a total for total number of open https sockets.

RequestLog

Event object associated with the "request" event. This is the hapi event emitter via request.log().

  • event - 'request'
  • timestamp - timestamp of the incoming event object.
  • tags - array of strings representing any tags associated with the 'log' event.
  • data - the string or object mapped to event.data.
  • error - the error instance mapped to event.error.
  • pid - the current process id.
  • id - id of the request, maps to request.id.
  • method - method used by the request. Maps to request.method.
  • path - incoming path requested. Maps to request.path.
  • config - plugin-specific config object combining request.route.settings.plugins.good and request.plugins.good. Request-level overrides route-level. Reporters could use config for additional filtering logic.
  • headers - the request headers if includes.request includes "headers"

Extension Payloads

Because the extension payloads from hapi can vary from one version to another and one event to another, the payload is only loosely defined.

  • event - the event name.
  • timestamp - the time the event occurred.
  • payload - array of arguments hapi passed to our event handler function

Table of Contents

hoek

Object

hoek provides several helpful methods for objects and arrays.

clone(obj, [options])

Clones an object or an array. A deep copy is made (duplicates everything, including values that are objects, as well as non-enumerable properties) where:

  • obj - the object to be cloned.
  • options - optional settings:
    • symbols - clone symbol properties. Defaults to false.
var nestedObj = {
        w: /^something$/ig,
        x: {
            a: [1, 2, 3],
            b: 123456,
            c: new Date()
        },
        y: 'y',
        z: new Date()
    };

var copy = Hoek.clone(nestedObj);

copy.x.b = 100;

console.log(copy.y);        // results in 'y'
console.log(nestedObj.x.b); // results in 123456
console.log(copy.x.b);      // results in 100

cloneWithShallow(obj, keys, [options])

Clones an object or array excluding some keys which are shallow copied where:

  • obj - the object to be cloned.
  • keys - an array of key names to shallow copy.
  • options - optional settings:
    • symbols - clone symbol properties. Defaults to false.
var nestedObj = {
        w: /^something$/ig,
        x: {
            a: [1, 2, 3],
            b: 123456,
            c: new Date()
        },
        y: 'y',
        z: new Date()
    };

var copy = Hoek.cloneWithShallow(nestedObj, ['x']);

copy.x.b = 100;

console.log(copy.y);        // results in 'y'
console.log(nestedObj.x.b); // results in 100
console.log(copy.x.b);      // results in 100

merge(target, source, isNullOverride, isMergeArrays)

isNullOverride, isMergeArrays default to true

Merge all the properties of source into target, source wins in conflict, and by default null and undefined from source are applied. Merge is destructive where the target is modified. For non destructive merge, use applyToDefaults.

var target = {a: 1, b : 2};
var source = {a: 0, c: 5};
var source2 = {a: null, c: 5};

Hoek.merge(target, source);         // results in {a: 0, b: 2, c: 5}
Hoek.merge(target, source2);        // results in {a: null, b: 2, c: 5}
Hoek.merge(target, source2, false); // results in {a: 1, b: 2, c: 5}

var targetArray = [1, 2, 3];
var sourceArray = [4, 5];

Hoek.merge(targetArray, sourceArray);              // results in [1, 2, 3, 4, 5]
Hoek.merge(targetArray, sourceArray, true, false); // results in [4, 5]

applyToDefaults(defaults, options, isNullOverride)

isNullOverride defaults to false

Apply options to a copy of the defaults

var defaults = { host: "localhost", port: 8000 };
var options = { port: 8080 };

var config = Hoek.applyToDefaults(defaults, options); // results in { host: "localhost", port: 8080 }

Apply options with a null value to a copy of the defaults

var defaults = { host: "localhost", port: 8000 };
var options = { host: null, port: 8080 };

var config = Hoek.applyToDefaults(defaults, options, true); // results in { host: null, port: 8080 }

applyToDefaultsWithShallow(defaults, options, keys)

keys is an array of dot-separated, or array-based, key paths to shallow copy

Apply options to a copy of the defaults. Keys specified in the last parameter are shallow copied from options instead of merged.

var defaults = {
    db: {
        server: {
            host: "localhost",
            port: 8000
        },
        name: 'example'
    }
};

var options = { server: { port: 8080 } };

var config = Hoek.applyToDefaultsWithShallow(defaults, options, ['db.server']); // results in { db: { server: { port: 8080 }, name: 'example' } }
var config = Hoek.applyToDefaultsWithShallow(defaults, options, [['db', 'server']]); // results in { db: { server: { port: 8080 }, name: 'example' } }

deepEqual(b, a, [options])

Performs a deep comparison of the two values including support for circular dependencies, prototype, and enumerable properties. To skip prototype comparisons, use options.prototype = false and to include symbols, used options.symbols = true.

Hoek.deepEqual({ a: [1, 2], b: 'string', c: { d: true } }, { a: [1, 2], b: 'string', c: { d: true } }); //results in true
Hoek.deepEqual(Object.create(null), {}, { prototype: false }); //results in true
Hoek.deepEqual(Object.create(null), {}); //results in false

intersect(array1, array2)

Find the common unique items in two arrays

var array1 = [1, 2, 3];
var array2 = [1, 4, 5];

var newArray = Hoek.intersect(array1, array2); // results in [1]

contain(ref, values, [options])

Tests if the reference value contains the provided values where:

  • ref - the reference string, array, or object.
  • values - a single or array of values to find within the ref value. If ref is an object, values can be a key name, an array of key names, or an object with key-value pairs to compare.
  • options - an optional object with the following optional settings:
    • deep - if true, performed a deep comparison of the values.
    • once - if true, allows only one occurrence of each value.
    • only - if true, does not allow values not explicitly listed.
    • part - if true, allows partial match of the values (at least one must always match).

Note: comparing a string to overlapping values will result in failed comparison (e.g. contain('abc', ['ab', 'bc'])). Also, if an object key's value does not match the provided value, false is returned even when part is specified.

Hoek.contain('aaa', 'a', { only: true });							// true
Hoek.contain([{ a: 1 }], [{ a: 1 }], { deep: true });				// true
Hoek.contain([1, 2, 2], [1, 2], { once: true });					// false
Hoek.contain({ a: 1, b: 2, c: 3 }, { a: 1, d: 4 }, { part: true }); // true

flatten(array, [target])

Flatten an array

var array = [1, [2, 3]];

var flattenedArray = Hoek.flatten(array); // results in [1, 2, 3]

array = [1, [2, 3]];
target = [4, [5]];

flattenedArray = Hoek.flatten(array, target); // results in [4, [5], 1, 2, 3]

reach(obj, chain, [options])

Converts an object key chain string or array to reference

  • options - optional settings
    • separator - string to split chain path on, defaults to '.'
    • default - value to return if the path or value is not present, default is undefined
    • strict - if true, will throw an error on missing member, default is false
    • functions - if true allow traversing functions for properties. false will throw an error if a function is part of the chain.

A chain can be a string that will be split into key names using separator, or an array containing each individual key name.

A chain including negative numbers will work like negative indices on an array.

If chain is null, undefined or false, the object itself will be returned.

var chain = 'a.b.c';
var obj = {a : {b : { c : 1}}};

Hoek.reach(obj, chain); // returns 1

var chain = ['a', 'b', -1];
var obj = {a : {b : [2,3,6]}};

Hoek.reach(obj, chain); // returns 6

reachTemplate(obj, template, [options])

Replaces string parameters ({name}) with their corresponding object key values by applying the reach() method where:

  • obj - the context object used for key lookup.
  • template - a string containing {} parameters.
  • options - optional reach() options.
var chain = 'a.b.c';
var obj = {a : {b : { c : 1}}};

Hoek.reachTemplate(obj, '1+{a.b.c}=2'); // returns '1+1=2'

stringify(obj)

Converts an object to string using the built-in JSON.stringify() method with the difference that any errors are caught and reported back in the form of the returned string. Used as a shortcut for displaying information to the console (e.g. in error message) without the need to worry about invalid conversion.

var a = {};
a.b = a;
Hoek.stringify(a);		// Returns '[Cannot display object: Converting circular structure to JSON]'

Bench

Same as Timer with the exception that ts stores the internal node clock which is not related to Date.now() and cannot be used to display human-readable timestamps. More accurate for benchmarking or internal timers.

Escaping Characters

hoek provides convenient methods for escaping html characters. The escaped characters are as followed:

internals.htmlEscaped = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '`': '&#x60;'
};

escapeHtml(string)

var string = '<html> hey </html>';
var escapedString = Hoek.escapeHtml(string); // returns &lt;html&gt; hey &lt;/html&gt;

escapeHeaderAttribute(attribute)

Escape attribute value for use in HTTP header

var a = Hoek.escapeHeaderAttribute('I said "go w\\o me"');  //returns I said \"go w\\o me\"

escapeJson(string)

Unicode escapes the characters <, >, and & to prevent mime-sniffing older browsers mistaking JSON as HTML, and escapes line and paragraph separators for JSONP and script contexts.

var lineSeparator = String.fromCharCode(0x2028);
var a = Hoek.escapeJson('I said <script>confirm(&).' + lineSeparator);  //returns I said \\u003cscript\\u003econfirm(\\u0026).\\u2028

escapeRegex(string)

Escape string for Regex construction

var a = Hoek.escapeRegex('4^f$s.4*5+-_?%=#!:@|~\\/`"(>)[<]d{}s,');  // returns 4\^f\$s\.4\*5\+\-_\?%\=#\!\:@\|~\\\/`"\(>\)\[<\]d\{\}s\,

Errors

assert(condition, message)

var a = 1, b = 2;

Hoek.assert(a === b, 'a should equal b');  // Throws 'a should equal b'

Note that you may also pass an already created Error object as the second parameter, and assert will throw that object.

var a = 1, b = 2;

Hoek.assert(a === b, new Error('a should equal b')); // Throws the given error object

Function

once(fn)

Returns a new function that can be run multiple times, but makes sure fn is only run once.

var myFn = function () {
    console.log('Ran myFn');
};

var onceFn = Hoek.once(myFn);
onceFn(); // results in "Ran myFn"
onceFn(); // results in undefined

ignore

A simple no-op function. It does nothing at all.

Miscellaneous

uniqueFilename(path, extension)

path to prepend with the randomly generated file name. extension is the optional file extension, defaults to ''.

Returns a randomly generated file name at the specified path. The result is a fully resolved path to a file.

var result = Hoek.uniqueFilename('./test/modules', 'txt'); // results in "full/path/test/modules/{random}.txt"

Promises

wait(timeout)

Resolve the promise after timeout. Provide the timeout in milliseconds.

await Hoek.wait(2000); // waits for 2 seconds

block()

A no-op Promise. Does nothing.

v5.1.x API Reference

Methods

await seal(object, password, options)

Seriealizes, encrypts, and signs objects into an iron protocol string where:

  • object - the data being sealed. Can be any JavaScript value that is serializable via JSON.stringify().

  • password - one of:

    • a password string used to generate a key using the pbkdf2 algorithm.

    • a key buffer used as-is (after validating sufficient length based on the algorithm used).

    • an object with:

      • id - a password identifier (must consist of only letters, numbers, and _).
      • secret - a password string or key buffer used for both encryption and integrity.
    • an object with:

      • id - a password identifier (must consist of only letters, numbers, and _).
      • encryption - a password string or key buffer used for encryption.
      • integrity - a password string or key buffer used for integrity.
  • options - see Options.

Return value: iron sealed string.

Note: assigning the password used an id allows for password rotation to improve the security of your deployment. Passwords should be rotated over time to reduce the risk of compromised security. When providing a password id, the id is included with the iron protocol string and it must match the id used to unseal.

It is recommended to combine password id with the ttl option to generate iron protocol strings of limited time validity which also allow for rotating passwords without the need to keep all previous passwords around (only the number of passwords used within the ttl window).

await unseal(sealed, password, options)

Verifies, decrypts, and reconstruct an iron protocol string into an object where:

  • sealed - the iron protocol string generated with seal().

  • password - must match the password value passed to seal() and be one of:

    • a password string used to generate a key using the pbkdf2 algorithm.

    • a key buffer used as-is (after validating sufficient length based on the algorithm used).

    • an object with id as the key and value is one of:

      • a password string or key buffer used for both encryption and integrity.
      • an object with:
        • encryption - a password string or key buffer used for encryption.
        • integrity - a password string or key buffer used for integrity.
  • options - see Options. Must match the options value passed to seal()

Return value: the verified, decripted object.

Note: In order to enable password rotation, the password argument can accept an object with more than one password, each keyed by its id. Together with the ttl option, the password object only needs to include the passwords used within the ttl window.

await generateKey(password, options)

Generates an key from the password where:

  • password - a password string or buffer key.
  • options - see Options.

Return value: an object with the following keys:

  • key
  • salt
  • iv

await encrypt(password, options, data)

Encrypts data where:

  • password - a password string or buffer key.
  • options - see Options.
  • 'data' - the string to encrypt.

Return value: an object with the following keys:

  • encrypted
  • key:
    • key
    • salt
    • iv

await decrypt(password, options, data)

Decrypts data where:

  • password - a password string or buffer key.
  • options - see Options.
  • 'data' - the string to decrypt.

Return value: the decrypted string.

await hmacWithPassword(password, options, data)

Calculates an HMAC digest where:

  • password - a password string or buffer key.
  • options - see Options.
  • 'data' - the string to calculate the HMAC over.

Return value: an object with the following keys:

  • digest
  • salt

Options

iron provides options for customizing the key deriviation algorithm used to generate encryption and integrity verification keys, as well as the algorithms and salt sizes used.iron methods take an options object with the following keys:

  • encryption - (required) defines the options used by the encryption process.
  • integrity - (required) defines the options used by the HMAC integrity verification process.

Each of these option objects support the following keys:

  • algorithm - (required) the algorithm name ('aes-256-cbc' and 'aes-128-ctr' for encryption and 'sha256' for integrity are the only two supported at this time).
  • iv - (optional) an initialization vector buffer. If no iv is provided, one is generated based on the algorithm ivBits configuration.

When the password argument passed is a string (used for key generation), the following options are used:

  • salt - (optional) a pre-generated salt string (a random buffer used to ensure that two identical objects will generate a different encrypted result).
  • saltBits - (required if salt is not provided, otherwise ignored) the size of the salt.
  • iterations - (required) the number of iterations used to derive a key from the password. Defaults to 1 iteration. The number of ideal iterations to use is dependent on your application's performance requirements. More iterations means it takes longer to generate the key.
  • minPasswordlength - (required) the minimum password string length required for key generation. Defaults to 32 characters.

The 'seal()' and 'unseal()' methods also support the following options:

  • ttl - sealed object lifetime in milliseconds where 0 means forever. Defaults to 0.
  • timestampSkewSec - number of seconds of permitted clock skew for incoming expirations. Defaults to 60 seconds.
  • localtimeOffsetMsec - local clock time offset, expressed in number of milliseconds (positive or negative). Defaults to 0.

Defaults

iron includes a default options object which can be passed to the methods as shown above in the example. The default settings are:

var options = {
    encryption: {
        saltBits: 256,
        algorithm: 'aes-256-cbc',
        iterations: 1
    },
    integrity: {
        saltBits: 256,
        algorithm: 'sha256',
        iterations: 1
    },
    ttl: 0,
    timestampSkewSec: 60,
    localtimeOffsetMsec: 0
};

15.0.0 API Reference

Joi

version

Property showing the current version of joi being used.

validate(value, schema, [options], [callback])

Validates a value using the given schema and options where:

  • value - the value being validated.
  • schema - the validation schema. Can be a joi type object or a plain object where every key is assigned a joi type object using Joi.compile (be careful of the cost of compiling repeatedly the same schemas).
  • options - an optional object with the following optional keys:
    • abortEarly - when true, stops validation on the first error, otherwise returns all the errors found. Defaults to true.
    • convert - when true, attempts to cast values to the required types (e.g. a string to a number). Defaults to true.
    • allowUnknown - when true, allows object to contain unknown keys which are ignored. Defaults to false.
    • skipFunctions - when true, ignores unknown keys with a function value. Defaults to false.
    • stripUnknown - remove unknown elements from objects and arrays. Defaults to false.
      • when an object :
        • arrays - set to true to remove unknown items from arrays.
        • objects - set to true to remove unknown keys from objects.
      • when true, it is equivalent to having { arrays: false, objects: true }.
    • language - overrides individual error messages. Defaults to no override ({}). Messages apply the following rules :
      • variables are put between curly braces like {{var}}, if prefixed by a ! like {{!var}}, it will be html escaped if the option escapeHtml is also set to true
      • strings are always preceeded by the key name, unless a {{label}} is found elsewhere or if the string is prefixed by a !!
      • to better understand the structure of the language, it's advised to have a look at the existing messages you want to override here
    • presence - sets the default presence requirements. Supported modes: 'optional', 'required', and 'forbidden'. Defaults to 'optional'.
    • context - provides an external data set to be used in references. Can only be set as an external option to validate() and not using any.options().
    • noDefaults - when true, do not apply default values. Defaults to false.
    • escapeHtml - when true, error message templates will escape special characters to HTML entities, for security purposes. Defaults to false.
  • callback - the optional synchronous callback method using the signature function(err, value) where:
    • err - if validation failed, the error reason, otherwise null.
    • value - the validated value with any type conversions and other modifiers applied (the input is left unchanged). value can be incomplete if validation failed and abortEarly is true. If callback is not provided, then returns an object with error and value properties.

When used without a callback, this function returns a Promise-like object that can be used as a promise, or as a simple object like in the below examples.

const schema = {
    a: Joi.number()
};

const value = {
    a: '123'
};

Joi.validate(value, schema, (err, value) => { });
// err -> null
// value.a -> 123 (number, not string)

// or
const result = Joi.validate(value, schema);
// result.error -> null
// result.value -> { "a" : 123 }

// or
const promise = Joi.validate(value, schema);
promise.then((value) => {
    // value -> { "a" : 123 }
});

compile(schema)

Converts literal schema definition to joi schema object (or returns the same back if already a joi schema object) where:

  • schema - the schema definition to compile.
const definition = ['key', 5, { a: true, b: [/^a/, 'boom'] }];
const schema = Joi.compile(definition);

// Same as:

const schema = Joi.alternatives().try([
    Joi.string().valid('key'),
    Joi.number().valid(5),
    Joi.object().keys({
        a: Joi.boolean().valid(true),
        b: Joi.alternatives().try([
            Joi.string().regex(/^a/),
            Joi.string().valid('boom')
        ])
    })
]);

describe(schema)

Returns an object that represents the internal configuration of a joi schema. Useful for debugging and exposing a schema's configuration to other systems, like valid values in a user interface.

  • schema - the schema to describe.
const schema = Joi.any().valid([ 'foo', 'bar' ]);

console.log(Joi.describe(schema));

Results in:

{ type: 'any',
  flags: { allowOnly: true },
  valids: [ 'foo', 'bar' ] }

assert(value, schema, [message])

Validates a value against a schema and throws if validation fails where:

  • value - the value to validate.
  • schema - the validation schema. Can be a joi type object or a plain object where every key is assigned a joi type object using Joi.compile (be careful of the cost of compiling repeatedly the same schemas).
  • message - optional message string prefix added in front of the error message. may also be an Error object.
Joi.assert('x', Joi.number());

attempt(value, schema, [message])

Validates a value against a schema, returns valid object, and throws if validation fails where:

  • value - the value to validate.
  • schema - the validation schema. Can be a joi type object or a plain object where every key is assigned a joi type object using Joi.compile (be careful of the cost of compiling repeatedly the same schemas).
  • message - optional message string prefix added in front of the error message. may also be an Error object.
Joi.attempt('x', Joi.number()); // throws error
const result = Joi.attempt('4', Joi.number()); // result -> 4

ref(key, [options])

Generates a reference to the value of the named key. References are resolved at validation time and in order of dependency so that if one key validation depends on another, the dependent key is validated second after the reference is validated. References support the following arguments:

  • key - the reference target. References cannot point up the object tree, only to sibling keys, but they can point to their siblings' children (e.g. 'a.b.c') using the . separator. If a key starts with $ is signifies a context reference which is looked up in the context option object.
  • options - optional settings:
    • separator - overrides the default . hierarchy separator.
    • contextPrefix - overrides the default $ context prefix signifier.
    • Other options can also be passed based on what Hoek.reach supports.

Note that references can only be used where explicitly supported such as in valid() or invalid() rules. If upwards (parents) references are needed, use object.assert().

const schema = Joi.object().keys({
    a: Joi.ref('b.c'),
    b: {
        c: Joi.any()
    },
    c: Joi.ref('$x')
});

Joi.validate({ a: 5, b: { c: 5 } }, schema, { context: { x: 5 } }, (err, value) => {});

isRef(ref)

Checks whether or not the provided argument is a reference. It's especially useful if you want to post-process error messages.

const ref = Joi.ref('a');
Joi.isRef(ref); // returns true

reach(schema, path)

Get a sub-schema of an existing schema based on a path that can be either a string or an array of strings For string values path separator is a dot (.).

const schema = Joi.object({ foo: Joi.object({ bar: Joi.number() }) });
const number = Joi.reach(schema, 'foo.bar');

//or
const result = Joi.reach(schema, ['foo', 'bar']); //same as number

defaults(fn)

Creates a new Joi instance that will apply defaults onto newly created schemas through the use of the fn function that takes exactly one argument, the schema being created.

The function must always return a schema, even if untransformed.

const defaultJoi = Joi.defaults((schema) => {

    switch (schema.schemaType) {
        case 'string':
            return schema.allow('');
        case 'object':
            return schema.min(1);
        default:
            return schema;
    }
});

const schema = defaultJoi.object(); // Equivalent to a Joi.object().min(1)

bind()

By default, some Joi methods to function properly need to rely on the Joi instance they are attached to because they use this internally. So Joi.string() works but if you extract the function from it and call string() it won't. bind() creates a new Joi instance where all the functions relying on this are bound to the Joi instance.

const { object, string } = require('@hapi/joi').bind();

const schema = object({
  property: string().min(4)
});

extend(extension)

Creates a new Joi instance customized with the extension(s) you provide included.

It is important to understand that original Joi library is not modified by this.

Terms

The extension makes use of some common structures that need to be described prior :

  • value - the value being processed by Joi.
  • state - an object containing the current context of validation.
    • key - the key of the current value.
    • path - the full path of the current value.
    • parent - the potential parent of the current value.
  • options - options object provided through any().options() or Joi.validate().

Extension

extension can be :

  • a single extension object
  • a factory function generating an extension object
  • or an array of those

Extension objects use the following parameters :

  • name - name of the new type you are defining, this can be an existing type. Required.
  • base - an existing Joi schema to base your type upon. Defaults to Joi.any().
  • coerce - an optional function that runs before the base, usually serves when you want to coerce values of a different type than your base. It takes 3 arguments value, state and options.
  • pre - an optional function that runs first in the validation chain, usually serves when you need to cast values. It takes 3 arguments value, state and options.
  • language - an optional object to add error definitions. Every key will be prefixed by the type name.
  • describe - an optional function taking the fully formed description to post-process it.
  • rules - an optional array of rules to add.
    • name - name of the new rule. Required.
    • params - an optional object containing Joi schemas of each parameter ordered. You can also pass a single Joi schema as long as it is a Joi.object(), of course some methods such as pattern or rename won't be useful or won't work at all in this given context.
    • setup - an optional function that takes an object with the provided parameters to allow for internals manipulation of the schema when a rule is set, you can optionally return a new Joi schema that will be taken as the new schema instance. At least one of setup or validate must be provided.
    • validate - an optional function to validate values that takes 4 parameters params, value, state and options. At least one of setup or validate must be provided.
    • description - an optional string or function taking the parameters as argument to describe what the rule is doing.

Factory functions are advised if you intend to publish your extensions for others to use, because they are capable of using an extended joi being built, thus avoiding any erasure when using multiple extensions at the same time. See an example of a factory function in the section below.

The params of rules rely on the fact that all engines, even though not stated in the ECMA specifications, preserve the order of object keys, this is a conscious choice to simplify the API for the end-user. If you ever see an engine misbehaving or are uncomfortable relying on this, you can use a single option object to describe your parameters, like:

params: { options: Joi.object({ param1: Joi.number().required(), param2: Joi.string() }) }

Any of the coerce, pre and validate functions should use this.createError(type, context, state, options[, flags]) to create and return errors. This function potentially takes 5 arguments:

  • type - the dotted type of the error matching predefined language elements or the ones defined in your extension. Required.
  • context - a free-form object that can contain anything you want to provide context on regarding the error. This object's properties are inserted in the error message where bracketted placeholders are. Required.
  • state - state that the validation was in, which contains the current key, path, parent if any, or reference if any. Usually you just have to pass the state you were given. Required.
  • options - options that were used for the validation. Usually you just have to pass the options you were given. Required.
  • flags - optional flags that you want to be shown for the error. Defaults to the schema's current flags.

npm note

If you publish your extension on npm, make sure to add joi and extension as keywords so that it's discoverable more easily.

Examples

const Joi = require('@hapi/joi');
const customJoi = Joi.extend((joi) => ({
    base: joi.number(),
    name: 'number',
    language: {
        round: 'needs to be a rounded number', // Used below as 'number.round'
        dividable: 'needs to be dividable by {{q}}'
    },
    pre(value, state, options) {

        if (options.convert && this._flags.round) {
            return Math.round(value); // Change the value
        }

        return value; // Keep the value as it was
    },
    rules: [
        {
            name: 'round',
            setup(params) {

                this._flags.round = true; // Set a flag for later use
            },
            validate(params, value, state, options) {

                if (value % 1 !== 0) {
                    // Generate an error, state and options need to be passed
                    return this.createError('number.round', { v: value }, state, options);
                }

                return value; // Everything is OK
            }
        },
        {
            name: 'dividable',
            params: {
                q: joi.alternatives([joi.number().required(), joi.func().ref()])
            },
            validate(params, value, state, options) {

                if (value % params.q !== 0) {
                    // Generate an error, state and options need to be passed, q is used in the language
                    return this.createError('number.dividable', { v: value, q: params.q }, state, options);
                }

                return value; // Everything is OK
            }
        }
    ]
}));

const schema = customJoi.number().round().dividable(3);

any

Generates a schema object that matches any data type.

const any = Joi.any();
any.validate('a', (err, value) => { });

schemaType

Gets the type of the schema.

const schema = Joi.string();

schema.schemaType === 'string';   // === true

any.validate(value, [options], [callback])

Validates a value using the schema and options where:

const schema = Joi.object({
    a: Joi.number()
});

const value = {
    a: '123'
};

schema.validate(value, (err, value) => { });
// err -> null
// value.a -> 123 (number, not string)

// or
const result = schema.validate(value);
// result.error -> null
// result.value -> { "a" : 123 }

// or
const promise = schema.validate(value);

any.allow(value)

Whitelists a value where:

  • value - the allowed value which can be of any type and will be matched against the validated value before applying any other rules. value can be an array of values, or multiple values can be passed as individual arguments. value supports references.

Note that this whitelist of allowed values is in addition to any other permitted values. To create an exclusive whitelist of values, see any.valid(value).

const schema = {
    a: Joi.any().allow('a'),
    b: Joi.any().allow('b', 'B'),
    c: Joi.any().allow(['c', 'C'])
};

any.valid(value) - aliases: only, equal

Adds the provided values into the allowed whitelist and marks them as the only valid values allowed where:

  • value - the allowed value which can be of any type and will be matched against the validated value before applying any other rules. value can be an array of values, or multiple values can be passed as individual arguments. value supports references.
const schema = {
    a: Joi.any().valid('a'),
    b: Joi.any().valid('b', 'B'),
    c: Joi.any().valid(['c', 'C'])
};

💥 Possible validation errors:any.allowOnly

any.invalid(value) - aliases: disallow, not

Blacklists a value where:

  • value - the forbidden value which can be of any type and will be matched against the validated value before applying any other rules. value can be an array of values, or multiple values can be passed as individual arguments. value supports references.
const schema = {
    a: Joi.any().invalid('a'),
    b: Joi.any().invalid('b', 'B'),
    c: Joi.any().invalid(['c', 'C'])
};

💥 Possible validation errors:any.invalid

any.required() - aliases: exist

Marks a key as required which will not allow undefined as value. All keys are optional by default.

const schema = Joi.any().required();

💥 Possible validation errors:any.required

any.optional()

Marks a key as optional which will allow undefined as values. Used to annotate the schema for readability as all keys are optional by default.

Note: this does not allow a null value. To do that, use any.allow(value). Or both!

const schema = Joi.any().optional();

any.forbidden()

Marks a key as forbidden which will not allow any value except undefined. Used to explicitly forbid keys.

const schema = {
    a: Joi.any().forbidden()
};

💥 Possible validation errors:any.unknown

any.strip()

Marks a key to be removed from a resulting object or array after validation. Used to sanitize output.

const schema = Joi.object({
    username: Joi.string(),
    password: Joi.string().strip()
});

schema.validate({ username: 'test', password: 'hunter2' }, (err, value) => {
    // value = { username: 'test' }
});

const schema = Joi.array().items(Joi.string(), Joi.any().strip());

schema.validate(['one', 'two', true, false, 1, 2], (err, value) => {
    // value = ['one', 'two']
});

any.description(desc)

Annotates the key where:

  • desc - the description string.
const schema = Joi.any().description('this key will match anything you give it');

any.notes(notes)

Annotates the key where:

  • notes - the notes string or array of strings.
const schema = Joi.any().notes(['this is special', 'this is important']);

any.tags(tags)

Annotates the key where:

  • tags - the tag string or array of strings.
const schema = Joi.any().tags(['api', 'user']);

any.meta(meta)

Attaches metadata to the key where:

  • meta - the meta object to attach.
const schema = Joi.any().meta({ index: true });

any.example(...values)

Adds examples to the schema where:

  • values - each argument is either an example value, or an array of the shape [value, options]:
    • value - single value example.
    • options - optional object argument to pass options to the validation:
      • parent - parent value in case you used normal references in your schema.
      • context - context of the validation in case you used context references in your schema.

If any of the examples fail to pass validation, the function will throw.

Calling this function again will override the previous examples.

// Valid examples
const schema = Joi.string().min(4).example('abcd');

const refSchema = Joi.number().min(Joi.ref('sibling')).example([42, { parent: { sibling: 10 } }]);

const contextSchema = Joi.number().min(Joi.ref('$threshold')).example([42, { context: { $threshold: 10 } }]);

// Invalid examples
const invalidSchema = Joi.string().min(4).example('abc');

const invalidRefSchema = Joi.number().min(Joi.ref('sibling')).example([42, { parent: { sibling: 50 } }]);

const invalidContextSchema = Joi.number().min(Joi.ref('$threshold')).example([42, { context: { $threshold: 50 } }]);

// Multiple examples
const after = Joi.date().min(Joi.ref('before'))
                    .example(
                        ['2016-01-01', { parent: { before: '2015-01-01' } }],
                        ['2016-01-01', { parent: { before: '2015-12-31' } }]
                    )

any.unit(name)

Annotates the key where:

  • name - the unit name of the value.
const schema = Joi.number().unit('milliseconds');

any.options(options)

Overrides the global validate() options for the current key and any sub-key where:

const schema = Joi.any().options({ convert: false });

any.strict(isStrict)

Strict mode sets the options.convert options to false which prevent type casting for the current key and any child keys.

  • isStrict - whether strict mode is enabled or not. Defaults to true.
const schema = Joi.any().strict();

any.default([value, [description]])

Sets a default value if the original value is undefined where:

  • value - the value.
    • value supports references.
    • value may also be a function which returns the default value. If value is specified as a function that accepts a single parameter, that parameter will be a context object that can be used to derive the resulting value.
      • Use a function when setting a dynamic value, such as the current time. Ex: default(Date.now, 'time of creation')
      • Caution: this clones the object, which incurs some overhead so if you don't need access to the context define your method so that it does not accept any parameters.
    • without any value, default has no effect, except for object that will then create nested defaults (applying inner defaults of that object).

Note that if value is an object, any changes to the object after default() is called will change the reference and any future assignment.

Additionally, when specifying a method you must either have a description property on your method or the second parameter is required.

const generateUsername = (context) => {

  return context.firstname.toLowerCase() + '-' + context.lastname.toLowerCase();
};
generateUsername.description = 'generated username';

const schema = {
    username: Joi.string().default(generateUsername),
    firstname: Joi.string(),
    lastname: Joi.string(),
    created: Joi.date().default(Date.now, 'time of creation'),
    status: Joi.string().default('registered')
};

Joi.validate({
    firstname: 'Jane',
    lastname: 'Doe'
}, schema, (err, value) => {

    // value.status === 'registered'
    // value.username === 'jane-doe'
    // value.created will be the time of validation
});

💥 Possible validation errors:any.default

any.concat(schema)

Returns a new type that is the result of adding the rules of one type to another where:

  • schema - a joi type to merge into the current schema. Can only be of the same type as the context type or any. If applied to an any type, the schema can be any other schema.
const a = Joi.string().valid('a');
const b = Joi.string().valid('b');
const ab = a.concat(b);

any.when(condition, options)

Converts the type into an alternatives type where the conditions are merged into the type definition where:

  • condition - the key name or reference, or a schema.
  • options - an object with:
    • is - the required condition joi type. Anything that is not a joi schema will be converted using Joi.compile. Forbidden when condition is a schema.
    • then - the alternative schema type if the condition is true. Required if otherwise is missing.
    • otherwise - the alternative schema type if the condition is false. Required if then is missing.

Note: by default, the is condition schema allows for undefined values. Use .required() to override. For example, use is: Joi.number().required() to guarantee that a joi reference exists and is a number.

const schema = {
    a: Joi.any().valid('x').when('b', { is: Joi.exist(), then: Joi.valid('y'), otherwise: Joi.valid('z') }),
    b: Joi.any()
};

Or with a schema:

const schema = Joi.object({
    a: Joi.any().valid('x'),
    b: Joi.any()
}).when(Joi.object({ b: Joi.exist() }).unknown(), {
    then: Joi.object({
        a: Joi.valid('y')
    }),
    otherwise: Joi.object({
        a: Joi.valid('z')
    })
});

Note that this style is much more useful when your whole schema depends on the value of one of its property, or if you find yourself repeating the check for many keys of an object. For example to validate this logic:

const schema = Joi.object({
    capacity: Joi.string()
        .valid(["A", "B", "C"])
        .required(),
    // required if capacity == "A"
    foo: Joi.when("capacity", {
        is: "A",
        then: Joi.string()
        .valid(["X", "Y", "Z"])
        .required()
    }),
    // required if capacity === "A" and foo !== "Z"
    bar: Joi.string()
}).when(
    Joi.object({
        capacity: Joi.only("A").required(),
        foo: Joi.not("Z")
    }).unknown(),
    {
        then: Joi.object({
            bar: Joi.required()
        })
    }
);

Alternatively, if you want to specify a specific type such as string, array, etc, you can do so like this:

const schema = {
    a: Joi.valid('a', 'b', 'other'),
    other: Joi.string()
        .when('a', { is: 'other', then: Joi.required() }),
};

If you need to validate a child key inside a nested object based on a sibling's value, you can do so like this:

const schema = Joi.object().keys({
    a: Joi.boolean().required(),
    b: Joi.object()
        .keys({
            c: Joi.string(),
            d: Joi.number().required()
        })
        .required()
        .when('a', {
            is: true,
            then: Joi.object({ c: Joi.required() })		// b.c is required only when a is true
        })
});

If you want to validate one key based on the existence of another key, you can do so like the following (notice the use of required()):

const schema = Joi.object().keys({
    min: Joi.number(),
    max: Joi.number().when('min', {
        is: Joi.number().required(),
        then: Joi.number().greater(Joi.ref('min')),
    }),
});

any.label(name)

Overrides the key name in error messages.

  • name - the name of the key.
const schema = {
    first_name: Joi.string().label('First Name')
};

any.raw(isRaw)

Outputs the original untouched value instead of the casted value.

  • isRaw - whether to enable raw mode or not. Defaults to true.
const timestampSchema = Joi.date().timestamp();
timestampSchema.validate('12376834097810'); // { error: null, value: Sat Mar 17 2362 04:28:17 GMT-0500 (CDT) }

const rawTimestampSchema = Joi.date().timestamp().raw();
rawTimestampSchema.validate('12376834097810'); // { error: null, value: '12376834097810' }

any.empty(schema)

Considers anything that matches the schema to be empty (undefined).

  • schema - any object or joi schema to match. An undefined schema unsets that rule.
let schema = Joi.string().empty('');
schema.validate(''); // returns { error: null, value: undefined }
schema = schema.empty();
schema.validate(''); // returns { error: "value" is not allowed to be empty, value: '' }

any.error(err, [options])

Overrides the default joi error with a custom error if the rule fails where:

  • err can be:
    • an instance of Error - the override error.
    • a function(errors), taking an array of errors as argument, where it must either:
      • return a string - substitutes the error message with this text
      • return a single object or an Array of it, where:
        • type - optional parameter providing the type of the error (eg. number.min).
        • message - optional parameter if template is provided, containing the text of the error.
        • template - optional parameter if message is provided, containing a template string, using the same format as usual joi language errors.
        • context - optional parameter, to provide context to your error if you are using the template.
      • return an Error - same as when you directly provide an Error, but you can customize the error message based on the errors.
  • options:
    • self - Boolean value indicating whether the error handler should be used for all errors or only for errors occurring on this property (true value). This concept only makes sense for array or object schemas as other values don't have children. Defaults to false.

Note that if you provide an Error, it will be returned as-is, unmodified and undecorated with any of the normal joi error properties. If validation fails and another error is found before the error override, that error will be returned and the override will be ignored (unless the abortEarly option has been set to false).

let schema = Joi.string().error(new Error('Was REALLY expecting a string'));
schema.validate(3);     // returns error.message === 'Was REALLY expecting a string'

let schema = Joi.object({
    foo: Joi.number().min(0).error(() => '"foo" requires a positive number')
});
schema.validate({ foo: -2 });    // returns error.message === 'child "foo" fails because ["foo" requires a positive number]'

let schema = Joi.object({
    foo: Joi.number().min(0).error(() => '"foo" requires a positive number')
}).required().error(() => 'root object is required', { self: true });
schema.validate();               // returns error.message === 'root object is required'
schema.validate({ foo: -2 });    // returns error.message === 'child "foo" fails because ["foo" requires a positive number]'

let schema = Joi.object({
    foo: Joi.number().min(0).error((errors) => {

        return 'found errors with ' + errors.map((err) => `${err.type}(${err.context.limit}) with value ${err.context.value}`).join(' and ');
    })
});
schema.validate({ foo: -2 });    // returns error.message === 'child "foo" fails because [found errors with number.min(0) with value -2]'

let schema = Joi.object({
    foo: Joi.number().min(0).error((errors) => {

        return {
            template: 'contains {{errors}} errors, here is the list : {{codes}}',
            context: {
                errors: errors.length,
                codes: errors.map((err) => err.type)
            }
        };
    })
});
schema.validate({ foo: -2 });    // returns error.message === 'child "foo" fails because ["foo" contains 1 errors, here is the list : [number.min]]'

Note that if you want to intercept errors on nested structures such as objects and arrays, you will also get a nested structure to explore the children errors, going one level down through the err.context.reason property.

If you want a full substitution of the error system, you can hook at the root and render that errors array with whatever templating system you want, just be aware that you will have to crawl the nested errors for the information you want to actually show.

any.describe()

Behaves the same as describe(schema) and returns an object that represents the internal configuration of the joi schema.

const schema = Joi.any().valid([ 'foo', 'bar' ]);

console.log(schema.describe());

Results in:

{ type: 'any',
  flags: { allowOnly: true },
  valids: [ 'foo', 'bar' ] }

array - inherits from Any

Generates a schema object that matches an array data type. Note that undefined values inside arrays are not allowed by default but can be by using sparse(). If the validation convert option is on (enabled by default), a string will be converted to an array if specified via JSON.parse(). Also, if convert array.single() are both on, then when a single value is specified it will be converted to an array.

Supports the same methods of the any() type.

const array = Joi.array().items(Joi.string().valid('a', 'b'));
array.validate(['a', 'b', 'a'], (err, value) => { });

💥 Possible validation errors:array.base

array.sparse([enabled])

Allows this array to be sparse. enabled can be used with a falsy value to go back to the default behavior.

let schema = Joi.array().sparse(); // undefined values are now allowed
schema = schema.sparse(false); // undefined values are now denied

💥 Possible validation errors:array.sparse

array.single([enabled])

Allows single values to be checked against rules as if it were provided as an array.

enabled can be used with a falsy value to go back to the default behavior.

Note: convert option must be enabled.

const schema = Joi.array().items(Joi.number()).single();
schema.validate([4]); // returns `{ error: null, value: [ 4 ] }`
schema.validate(4); // returns `{ error: null, value: [ 4 ] }`

💥 Possible validation errors:array.excludesSingle, array.includesSingle

array.items(type)

Lists the types allowed for the array values where:

  • type - a joi schema object to validate each array item against. type can be an array of values, or multiple values can be passed as individual arguments.

If a given type is .required() then there must be a matching item in the array. If a type is .forbidden() then it cannot appear in the array. Required items can be added multiple times to signify that multiple items must be found. Errors will contain the number of items that didn't match. Any unmatched item having a label will be mentioned explicitly.

const schema = Joi.array().items(Joi.string(), Joi.number()); // array may contain strings and numbers
const schema = Joi.array().items(Joi.string().required(), Joi.string().required()); // array must contain at least two strings
const schema = Joi.array().items(Joi.string().valid('not allowed').forbidden(), Joi.string()); // array may contain strings, but none of those strings can match 'not allowed'
const schema = Joi.array().items(Joi.string().label('My string').required(), Joi.number().required()); // If this fails it can result in `[ValidationError: "value" does not contain [My string] and 1 other required value(s)]`

💥 Possible validation errors:array.excludes, [array.includesRequiredBoth], [array.includesRequiredKnowns], [array.includesRequiredUnknowns], array.includes

array.ordered(type)

Lists the types in sequence order for the array values where:

  • type - a joi schema object to validate against each array item in sequence order. type can be an array of values, or multiple values can be passed as individual arguments.

If a given type is .required() then there must be a matching item with the same index position in the array. Errors will contain the number of items that didn't match. Any unmatched item having a label will be mentioned explicitly.

const schema = Joi.array().ordered(Joi.string().required(), Joi.number().required()); // array must have first item as string and second item as number
const schema = Joi.array().ordered(Joi.string().required()).items(Joi.number().required()); // array must have first item as string and 1 or more subsequent items as number
const schema = Joi.array().ordered(Joi.string().required(), Joi.number()); // array must have first item as string and optionally second item as number

💥 Possible validation errors:array.excludesSingle, array.includesSingle, array.orderedLength

array.min(limit)

Specifies the minimum number of items in the array where:

  • limit - the lowest number of array items allowed.
const schema = Joi.array().min(2);

It can also be a reference to another field.

const schema = Joi.object({
  limit: Joi.number().integer().required(),
  numbers: Joi.array().min(Joi.ref('limit')).required()
});

💥 Possible validation errors:array.min, array.ref

array.max(limit)

Specifies the maximum number of items in the array where:

  • limit - the highest number of array items allowed.
const schema = Joi.array().max(10);

It can also be a reference to another field.

const schema = Joi.object({
  limit: Joi.number().integer().required(),
  numbers: Joi.array().max(Joi.ref('limit')).required()
});

💥 Possible validation errors:array.max, array.ref

array.length(limit)

Specifies the exact number of items in the array where:

  • limit - the number of array items allowed.
const schema = Joi.array().length(5);

It can also be a reference to another field.

const schema = Joi.object({
  limit: Joi.number().integer().required(),
  numbers: Joi.array().length(Joi.ref('limit')).required()
});

💥 Possible validation errors:array.length, array.ref

array.unique([comparator], [options])

Requires the array values to be unique.

You can provide a custom comparator that is either :

  • a function that takes 2 parameters to compare. This function should return whether the 2 parameters are equal or not, you are also responsible for this function not to fail, any Error would bubble out of Joi.
  • a string in dot notation representing the path of the element to do uniqueness check on. Any missing path will be considered undefined, and can as well only exist once. You can also provide an options object containing:
  • ignoreUndefined. When set to true, undefined values for the dot notation string comparator will not cause the array to fail on uniqueness.

Note: remember that if you provide a custom comparator function, different types can be passed as parameter depending on the rules you set on items.

Be aware that a deep equality is performed on elements of the array having a type of object, a performance penalty is to be expected for this kind of operation.

const schema = Joi.array().unique();
const schema = Joi.array().unique((a, b) => a.property === b.property);
const schema = Joi.array().unique('customer.id');
let schema = Joi.array().unique('identifier');

schema.validate([{}, {}]);
// ValidationError: "value" position 1 contains a duplicate value

schema = Joi.array().unique('identifier', { ignoreUndefined: true });

schema.validate([{}, {}]);
// error: null

💥 Possible validation errors:array.unique

array.has(schema)

Verifies that a schema validates at least one of the values in the array, where:

  • schema - the validation rules required to satisfy the check. If the schema includes references, they are resolved against the array item being tested, not the value of the ref target.
const schema = Joi.array().items(
  Joi.object({
    a: Joi.string(),
    b: Joi.number()
  })
).has(Joi.object({ a: Joi.string().valid('a'), b: Joi.number() }))

💥 Possible validation errors:array.hasKnown, array.hasUnknown

boolean - inherits from Any

Generates a schema object that matches a boolean data type. Can also be called via bool(). If the validation convert option is on (enabled by default), a string (either "true" or "false") will be converted to a boolean if specified.

Supports the same methods of the any() type.

const boolean = Joi.boolean();
boolean.validate(true, (err, value) => { }); // Valid

boolean.validate(1, (err, value) => { }); // Invalid

💥 Possible validation errors:boolean.base

boolean.truthy(value)

Allows for additional values to be considered valid booleans by converting them to true during validation. Accepts a value or an array of values.

String comparisons are by default case insensitive, see boolean.insensitive() to change this behavior.

const boolean = Joi.boolean().truthy('Y');
boolean.validate('Y', (err, value) => { }); // Valid

boolean.falsy(value)

Allows for additional values to be considered valid booleans by converting them to false during validation. Accepts a value or an array of values.

String comparisons are by default case insensitive, see boolean.insensitive() to change this behavior.

const boolean = Joi.boolean().falsy('N');
boolean.validate('N', (err, value) => { }); // Valid

boolean.insensitive([enabled])

Allows the values provided to truthy and falsy as well as the "true" and "false" default conversion (when not in strict() mode) to be matched in a case insensitive manner.

Parameters are:

  • enabled - optional parameter defaulting to true which allows you to reset the behavior of insensitive by providing a falsy value.
const schema = Joi.boolean().truthy('yes').falsy('no').insensitive(false);

binary - inherits from Any

Generates a schema object that matches a Buffer data type. If the validation convert option is on (enabled by default), a string will be converted to a Buffer if specified.

Supports the same methods of the any() type.

const schema = Joi.binary();

💥 Possible validation errors:binary.base

binary.encoding(encoding)

Sets the string encoding format if a string input is converted to a buffer where:

  • encoding - the encoding scheme.
const schema = Joi.binary().encoding('base64');

binary.min(limit)

Specifies the minimum length of the buffer where:

  • limit - the lowest size of the buffer.
const schema = Joi.binary().min(2);

💥 Possible validation errors:binary.min

binary.max(limit)

Specifies the maximum length of the buffer where:

  • limit - the highest size of the buffer.
const schema = Joi.binary().max(10);

💥 Possible validation errors:binary.max

binary.length(limit)

Specifies the exact length of the buffer:

  • limit - the size of buffer allowed.
const schema = Joi.binary().length(5);

💥 Possible validation errors:binary.length

date - inherits from Any

Generates a schema object that matches a date type (as well as a JavaScript date string or number of milliseconds). If the validation convert option is on (enabled by default), a string or number will be converted to a Date if specified.

Supports the same methods of the any() type.

const date = Joi.date();
date.validate('12-21-2012', (err, value) => { });

💥 Possible validation errors:date.base, date.strict

date.min(date)

Specifies the oldest date allowed where:

  • date - the oldest date allowed.
const schema = Joi.date().min('1-1-1974');

Notes: 'now' can be passed in lieu of date so as to always compare relatively to the current date, allowing to explicitly ensure a date is either in the past or in the future.

const schema = Joi.date().min('now');

It can also be a reference to another field.

const schema = Joi.object({
  from: Joi.date().required(),
  to: Joi.date().min(Joi.ref('from')).required()
});

💥 Possible validation errors:date.min, date.ref

date.max(date)

Specifies the latest date allowed where:

  • date - the latest date allowed.
const schema = Joi.date().max('12-31-2020');

Notes: 'now' can be passed in lieu of date so as to always compare relatively to the current date, allowing to explicitly ensure a date is either in the past or in the future.

const schema = Joi.date().max('now');

It can also be a reference to another field.

const schema = Joi.object({
  from: Joi.date().max(Joi.ref('to')).required(),
  to: Joi.date().required()
});

💥 Possible validation errors:date.max, date.ref

date.greater(date)

Specifies that the value must be greater than date.

const schema = Joi.date().greater('1-1-1974');

Notes: 'now' can be passed in lieu of date so as to always compare relatively to the current date, allowing to explicitly ensure a date is either in the past or in the future.

const schema = Joi.date().greater('now');

It can also be a reference to another field.

const schema = Joi.object({
  from: Joi.date().required(),
  to: Joi.date().greater(Joi.ref('from')).required()
});

💥 Possible validation errors:date.greater, date.ref

date.less(date)

Specifies that the value must be less than date.

const schema = Joi.date().less('12-31-2020');

Notes: `'now'` can be passed in lieu of `date` so as to always compare relatively to the current date, allowing to explicitly ensure a date is either in the past or in the future.

```js
const schema = Joi.date().max('now');

It can also be a reference to another field.

const schema = Joi.object({
  from: Joi.date().less(Joi.ref('to')).required(),
  to: Joi.date().required()
});

💥 Possible validation errors:date.less, date.ref

date.iso()

Requires the string value to be in valid ISO 8601 date format.

const schema = Joi.date().iso();

💥 Possible validation errors:date.isoDate

date.timestamp([type])

Requires the value to be a timestamp interval from Unix Time.

  • type - the type of timestamp (allowed values are unix or javascript [default])
const schema = Joi.date().timestamp(); // defaults to javascript timestamp
const schema = Joi.date().timestamp('javascript'); // also, for javascript timestamp (milliseconds)
const schema = Joi.date().timestamp('unix'); // for unix timestamp (seconds)

💥 Possible validation errors:date.timestamp.javascript, date.timestamp.unix

func - inherits from Any

Generates a schema object that matches a function type.

Supports the same methods of the object() type. Note that validating a function keys will cause the function to be cloned. While the function will retain its prototype and closure, it will lose its length property value (will be set to 0).

const func = Joi.func();
func.validate(function () {}, (err, value) => { });

💥 Possible validation errors:function.base

func.arity(n)

Specifies the arity of the function where:

  • n - the arity expected.
const schema = Joi.func().arity(2);

💥 Possible validation errors:function.arity

func.minArity(n)

Specifies the minimal arity of the function where:

  • n - the minimal arity expected.
const schema = Joi.func().minArity(1);

💥 Possible validation errors:function.minArity

func.maxArity(n)

Specifies the maximal arity of the function where:

  • n - the maximum arity expected.
const schema = Joi.func().maxArity(3);

💥 Possible validation errors:function.maxArity

func.class()

Requires the function to be a class.

const schema = Joi.func().class();

💥 Possible validation errors:function.class

func.ref()

Requires the function to be a Joi reference.

const schema = Joi.func().ref();

💥 Possible validation errors:function.ref

number - inherits from Any

Generates a schema object that matches a number data type (as well as strings that can be converted to numbers).

By default, it only allows safe numbers, see number.unsafe().

If the validation convert option is on (enabled by default), a string will be converted to a number if specified. Also, if convert is on and number.precision() is used, the value will be converted to the specified precision as well.

Infinity and -Infinity are invalid by default, you can change that behavior by calling allow(Infinity, -Infinity).

Supports the same methods of the any() type.

const number = Joi.number();
number.validate(5, (err, value) => { });

💥 Possible validation errors:number.base

number.unsafe([enabled])

By default, numbers must be within JavaScript's safety range (Number.MIN_SAFE_INTEGER & Number.MAX_SAFE_INTEGER), and when given a string, should be converted without loss of information. You can allow unsafe numbers at your own risks by calling number.unsafe().

Parameters are:

  • enabled - optional parameter defaulting to true which allows you to reset the behavior of unsafe by providing a falsy value.
const safeNumber = Joi.number();
safeNumber.validate(90071992547409924);
// error -> "value" must be a safe number

const unsafeNumber = Joi.number().unsafe();
unsafeNumber.validate(90071992547409924);
// error -> null
// value -> 90071992547409920

💥 Possible validation errors:number.unsafe

number.min(limit)

Specifies the minimum value where:

  • limit - the minimum value allowed.
const schema = Joi.number().min(2);

It can also be a reference to another field.

const schema = Joi.object({
  min: Joi.number().required(),
  max: Joi.number().min(Joi.ref('min')).required()
});

💥 Possible validation errors:number.min, number.ref

number.max(limit)

Specifies the maximum value where:

  • limit - the maximum value allowed.
const schema = Joi.number().max(10);

It can also be a reference to another field.

const schema = Joi.object({
  min: Joi.number().max(Joi.ref('max')).required(),
  max: Joi.number().required()
});

💥 Possible validation errors:number.max, number.ref

number.greater(limit)

Specifies that the value must be greater than limit.

const schema = Joi.number().greater(5);
const schema = Joi.object({
  min: Joi.number().required(),
  max: Joi.number().greater(Joi.ref('min')).required()
});

💥 Possible validation errors:number.greater, number.ref

number.less(limit)

Specifies that the value must be less than limit.

const schema = Joi.number().less(10);

It can also be a reference to another field.

const schema = Joi.object({
  min: Joi.number().less(Joi.ref('max')).required(),
  max: Joi.number().required()
});

💥 Possible validation errors:number.less, number.ref

number.integer()

Requires the number to be an integer (no floating point).

const schema = Joi.number().integer();

💥 Possible validation errors:number.base

number.precision(limit)

Specifies the maximum number of decimal places where:

  • limit - the maximum number of decimal places allowed.
const schema = Joi.number().precision(2);

💥 Possible validation errors:number.integer

number.multiple(base)

Specifies that the value must be a multiple of base:

const schema = Joi.number().multiple(3);

Notes: Joi.number.multiple(base) uses the modulo operator (%) to determine if a number is multiple of another number. Therefore, it has the normal limitations of Javascript modulo operator. The results with decimal/floats may be incorrect.

💥 Possible validation errors:number.multiple, number.ref

number.positive()

Requires the number to be positive.

const schema = Joi.number().positive();

💥 Possible validation errors:number.positive

number.negative()

Requires the number to be negative.

const schema = Joi.number().negative();

💥 Possible validation errors:number.negative

number.port()

Requires the number to be a TCP port, so between 0 and 65535.

const schema = Joi.number().port();

💥 Possible validation errors:number.port

object - inherits from Any

Generates a schema object that matches an object data type (as well as JSON strings that parsed into objects). Defaults to allowing any child key. If the validation convert option is on (enabled by default), a string will be converted to an object if specified via JSON.parse().

Supports the same methods of the any() type.

const object = Joi.object().keys({
    a: Joi.number().min(1).max(10).integer(),
    b: 'some string'
});

object.validate({ a: 5 }, (err, value) => { });

💥 Possible validation errors:object.base

object.keys([schema])

Sets or extends the allowed object keys where:

  • schema - optional object where each key is assigned a joi type object. If schema is {} no keys allowed. If schema is null or undefined, any key allowed. If schema is an object with keys, the keys are added to any previously defined keys (but narrows the selection if all keys previously allowed). Defaults to 'undefined' which allows any child key.
const base = Joi.object().keys({
    a: Joi.number(),
    b: Joi.string()
});
// Validate keys a, b and c.
const extended = base.keys({
    c: Joi.boolean()
});

Notes: We have three different ways to define a schema for performing a validation

  • Using the plain JS object notation:
const schema = {
    a: Joi.string(),
    b: Joi.number()
};
  • Using the Joi.object([schema]) notation
const schema = Joi.object({
    a: Joi.string(),
    b: Joi.number()
});
  • Using the Joi.object().keys([schema]) notation
const schema = Joi.object().keys({
    a: Joi.string(),
    b: Joi.number()
});

💥 Possible validation errors:object.allowUnknown

While all these three objects defined above will result in the same validation object, there are some differences in using one or another:

{} notation

When using the {} notation, you are just defining a plain JS object, which isn't a schema object. You can pass it to the validation method but you can't call validate() method of the object because it's just a plain JS object.

Besides, passing the {} object to the validate() method each time, will perform an expensive schema compilation operation on every validation.

Joi.object([schema]) notation

Using Joi.object([schema]) will return a schema object, so you can call the validate() method directly, e.g:

const schema = Joi.object({
    a: Joi.boolean()
});

schema.validate(true, (err, value) => {
    console.log('err: ', err);
});

When you use Joi.object([schema]), it gets compiled the first time, so you can pass it to the validate() method multiple times and no overhead is added.

Another benefits of using Joi.object([schema]) instead of a plain JS object is that you can set any options on the object like allowing unknown keys, e.g:

const schema = Joi.object({
    arg: Joi.string().valid('firstname', 'lastname', 'title', 'company', 'jobtitle'),
    value: Joi.string(),
}).pattern(/firstname|lastname/, Joi.string().min(2));
Joi.object().keys([schema]) notation

This is basically the same as Joi.object([schema]), but using Joi.object().keys([schema]) is more useful when you want to add more keys (e.g. call keys() multiple times). If you are only adding one set of keys, you can skip the keys() method and just use object() directly.

Some people like to use keys() to make the code more explicit (this is style only).

object.append([schema])

Appends the allowed object keys where:

  • schema - optional object where each key is assigned a joi type object. If schema is null,undefined or {} no changes will be applied. Uses object.keys([schema]) to append keys.
// Validate key a
const base = Joi.object().keys({
    a: Joi.number()
});
// Validate keys a, b.
const extended = base.append({
    b: Joi.string()
});

object.min(limit)

Specifies the minimum number of keys in the object where:

  • limit - the lowest number of keys allowed.
const schema = Joi.object().min(2);

💥 Possible validation errors:object.min

object.max(limit)

Specifies the maximum number of keys in the object where:

  • limit - the highest number of object keys allowed.
const schema = Joi.object().max(10);

💥 Possible validation errors:object.max

object.length(limit)

Specifies the exact number of keys in the object where:

  • limit - the number of object keys allowed.
const schema = Joi.object().length(5);

💥 Possible validation errors:object.length

object.pattern(pattern, schema)

Specify validation rules for unknown keys matching a pattern where:

  • pattern - a pattern that can be either a regular expression or a joi schema that will be tested against the unknown key names.
  • schema - the schema object matching keys must validate against.
const schema = Joi.object({
    a: Joi.string()
}).pattern(/\w\d/, Joi.boolean());

// OR

const schema = Joi.object({
    a: Joi.string()
}).pattern(Joi.string().min(2).max(5), Joi.boolean());

object.and(peers)

Defines an all-or-nothing relationship between keys where if one of the peers is present, all of them are required as well where:

  • peers - the key names of which if one present, all are required. peers can be a single string value, an array of string values, or each peer provided as an argument.
const schema = Joi.object().keys({
    a: Joi.any(),
    b: Joi.any()
}).and('a', 'b');

💥 Possible validation errors:object.and

object.nand(peers)

Defines a relationship between keys where not all peers can be present at the same time where:

  • peers - the key names of which if one present, the others may not all be present. peers can be a single string value, an array of string values, or each peer provided as an argument.
const schema = Joi.object().keys({
    a: Joi.any(),
    b: Joi.any()
}).nand('a', 'b');

💥 Possible validation errors:object.nand

object.or(peers)

Defines a relationship between keys where one of the peers is required (and more than one is allowed) where:

  • peers - the key names of which at least one must appear. peers can be a single string value, an array of string values, or each peer provided as an argument.
const schema = Joi.object().keys({
    a: Joi.any(),
    b: Joi.any()
}).or('a', 'b');

💥 Possible validation errors:object.missing

object.xor(peers)

Defines an exclusive relationship between a set of keys where one of them is required but not at the same time where:

  • peers - the exclusive key names that must not appear together but where one of them is required. peers can be a single string value, an array of string values, or each peer provided as an argument.
const schema = Joi.object().keys({
    a: Joi.any(),
    b: Joi.any()
}).xor('a', 'b');

💥 Possible validation errors:object.xor, object.missing

object.oxor(...peers)

Defines an exclusive relationship between a set of keys where only one is allowed but none are required where:

  • peers - the exclusive key names that must not appear together but where none are required.
const schema = Joi.object().keys({
    a: Joi.any(),
    b: Joi.any()
}).oxor('a', 'b');

💥 Possible validation errors:object.oxor

object.with(key, peers)

Requires the presence of other keys whenever the specified key is present where:

  • key - the reference key.
  • peers - the required peer key names that must appear together with key. peers can be a single string value or an array of string values.

Note that unlike object.and(), with() creates a dependency only between the key and each of the peers, not between the peers themselves.

const schema = Joi.object().keys({
    a: Joi.any(),
    b: Joi.any()
}).with('a', 'b');

💥 Possible validation errors:object.with

object.without(key, peers)

Forbids the presence of other keys whenever the specified is present where:

  • key - the reference key.
  • peers - the forbidden peer key names that must not appear together with key. peers can be a single string value or an array of string values.
const schema = Joi.object().keys({
    a: Joi.any(),
    b: Joi.any()
}).without('a', ['b']);

💥 Possible validation errors:object.without

object.rename(from, to, [options])

Renames a key to another name (deletes the renamed key) where:

  • from - the original key name or a regular expression matching keys.
  • to - the new key name.
  • options - an optional object with the following optional keys:
    • alias - if true, does not delete the old key name, keeping both the new and old keys in place. Defaults to false.
    • multiple - if true, allows renaming multiple keys to the same destination where the last rename wins. Defaults to false.
    • override - if true, allows renaming a key over an existing key. Defaults to false.
    • ignoreUndefined - if true, skip renaming of a key if it's undefined. Defaults to false.

Keys are renamed before any other validation rules are applied.

const object = Joi.object().keys({
    a: Joi.number()
}).rename('b', 'a');

object.validate({ b: 5 }, (err, value) => { });

It can also rename keys using a regular expression:

const regex = /^foobar$/i;

const schema = Joi.object().keys({
  fooBar: Joi.string()
}).rename(regex, 'fooBar');

schema.validate({ FooBar: 'a'}, (err, value) => {});

💥 Possible validation errors:object.rename.multiple, object.rename.override, object.rename.regex.multiple, object.rename.regex.override

object.assert(ref, schema, [message])

Verifies an assertion where:

  • ref - the key name or reference.
  • schema - the validation rules required to satisfy the assertion. If the schema includes references, they are resolved against the object value, not the value of the ref target.
  • message - optional human-readable message used when the assertion fails. Defaults to 'failed to pass the assertion test'.
const schema = Joi.object().keys({
    a: {
        b: Joi.string(),
        c: Joi.number()
    },
    d: {
        e: Joi.any()
    }
}).assert('d.e', Joi.ref('a.c'), 'equal to a.c');

💥 Possible validation errors:object.assert

object.unknown([allow])

Overrides the handling of unknown keys for the scope of the current object only (does not apply to children) where:

  • allow - if false, unknown keys are not allowed, otherwise unknown keys are ignored.
const schema = Joi.object({ a: Joi.any() }).unknown();

💥 Possible validation errors:object.allowUnknown

object.type(constructor, [name])

Requires the object to be an instance of a given constructor where:

  • constructor - the constructor function that the object must be an instance of.
  • name - an alternate name to use in validation errors. This is useful when the constructor function does not have a name.
const schema = Joi.object().type(RegExp);

💥 Possible validation errors:object.type

object.schema()

Requires the object to be a Joi schema instance.

const schema = Joi.object().schema();

💥 Possible validation errors:object.schema

object.requiredKeys(children)

Sets the specified children to required.

  • children - can be a single string value, an array of string values, or each child provided as an argument.
const schema = Joi.object().keys({ a: { b: Joi.number() }, c: { d: Joi.string() } });
const requiredSchema = schema.requiredKeys('', 'a.b', 'c', 'c.d');

Note that in this example '' means the current object, a is not required but b is, as well as c and d.

object.optionalKeys(children)

Sets the specified children to optional.

  • children - can be a single string value, an array of string values, or each child provided as an argument.
const schema = Joi.object().keys({ a: { b: Joi.number().required() }, c: { d: Joi.string().required() } });
const optionalSchema = schema.optionalKeys('a.b', 'c.d');

The behavior is exactly the same as requiredKeys.

object.forbiddenKeys(children)

Sets the specified children to forbidden.

  • children - can be a single string value, an array of string values, or each child provided as an argument.
const schema = Joi.object().keys({ a: { b: Joi.number().required() }, c: { d: Joi.string().required() } });
const optionalSchema = schema.forbiddenKeys('a.b', 'c.d');

The behavior is exactly the same as requiredKeys.

string - inherits from Any

Generates a schema object that matches a string data type. Note that empty strings are not allowed by default and must be enabled with allow(''). However, if you want to specify a default value in case of empty string you have to use a different pattern: Joi.string().empty('').default('default value'). This tells Joi that the empty string should be considered as an empty value (instead of invalid) and which value to use as default.

If the validation convert option is on (enabled by default), a string will be converted using the specified modifiers for string.lowercase(), string.uppercase(), string.trim(), and each replacement specified with string.replace().

Supports the same methods of the any() type.

const schema = Joi.string().min(1).max(10);
schema.validate('12345', (err, value) => { });

💥 Possible validation errors:string.base, any.empty

string.insensitive()

Allows the value to match any whitelist or blacklist item in a case insensitive comparison.

const schema = Joi.string().valid('a').insensitive();

string.min(limit, [encoding])

Specifies the minimum number string characters where:

  • limit - the minimum number of string characters required.
  • encoding - if specified, the string length is calculated in bytes using the provided encoding.
const schema = Joi.string().min(2);

It can also be a reference to another field.

const schema = Joi.object({
  min: Joi.string().required(),
  value: Joi.string().min(Joi.ref('min'), 'utf8').required()
});

💥 Possible validation errors:string.min, string.ref

string.max(limit, [encoding])

Specifies the maximum number of string characters where:

  • limit - the maximum number of string characters allowed.
  • encoding - if specified, the string length is calculated in bytes using the provided encoding.
const schema = Joi.string().max(10);

It can also be a reference to another field.

const schema = Joi.object({
  max: Joi.string().required(),
  value: Joi.string().max(Joi.ref('max'), 'utf8').required()
});

💥 Possible validation errors:string.max, string.ref

string.truncate([enabled])

Specifies whether the string.max() limit should be used as a truncation.

Parameters are:

  • enabled - optional parameter defaulting to true which allows you to reset the behavior of truncate by providing a falsy value.
const schema = Joi.string().max(5).truncate();

string.creditCard()

Requires the number to be a credit card number (Using Luhn Algorithm).

const schema = Joi.string().creditCard();

💥 Possible validation errors:string.creditCard

string.length(limit, [encoding])

Specifies the exact string length required where:

  • limit - the required string length.
  • encoding - if specified, the string length is calculated in bytes using the provided encoding.
const schema = Joi.string().length(5);

It can also be a reference to another field.

const schema = Joi.object({
  length: Joi.string().required(),
  value: Joi.string().length(Joi.ref('length'), 'utf8').required()
});

💥 Possible validation errors:string.length, string.ref

string.regex(pattern, [name | options])

Defines a regular expression rule where:

  • pattern - a regular expression object the string value must match against.
  • name - optional name for patterns (useful with multiple patterns).
  • options - an optional configuration object with the following supported properties:
    • name - optional pattern name.
    • invert - optional boolean flag. Defaults to false behavior. If specified as true, the provided pattern will be disallowed instead of required.
const schema = Joi.string().regex(/^[abc]+$/);

const inlineNamedSchema = Joi.string().regex(/^[0-9]+$/, 'numbers');
inlineNamedSchema.validate('alpha'); // ValidationError: "value" with value "alpha" fails to match the numbers pattern

const namedSchema = Joi.string().regex(/^[0-9]+$/, { name: 'numbers'});
namedSchema.validate('alpha'); // ValidationError: "value" with value "alpha" fails to match the numbers pattern

const invertedSchema = Joi.string().regex(/^[a-z]+$/, { invert: true });
invertedSchema.validate('lowercase'); // ValidationError: "value" with value "lowercase" matches the inverted pattern: [a-z]

const invertedNamedSchema = Joi.string().regex(/^[a-z]+$/, { name: 'alpha', invert: true });
invertedNamedSchema.validate('lowercase'); // ValidationError: "value" with value "lowercase" matches the inverted alpha pattern

💥 Possible validation errors:string.regex.base, string.regex.invert.base, string.regex.invert.name, string.regex.name

string.replace(pattern, replacement)

Replace characters matching the given pattern with the specified replacement string where:

  • pattern - a regular expression object to match against, or a string of which all occurrences will be replaced.
  • replacement - the string that will replace the pattern.
const schema = Joi.string().replace(/b/gi, 'x');
schema.validate('abBc', (err, value) => {
  // here value will be 'axxc'
});

When pattern is a string all its occurrences will be replaced.

string.alphanum()

Requires the string value to only contain a-z, A-Z, and 0-9.

const schema = Joi.string().alphanum();

💥 Possible validation errors:string.alphanum

string.token()

Requires the string value to only contain a-z, A-Z, 0-9, and underscore _.

const schema = Joi.string().token();

💥 Possible validation errors:string.token

string.email([options])

Requires the string value to be a valid email address.

  • options - optional settings:
    • allowUnicode - if true, Unicode characters are permitted. Defaults to true.
    • minDomainSegments - Number of segments required for the domain. Be careful since some domains, such as io, directly allow email.
    • tlds - options for TLD (top level domain) validation. By default, the TLD must be a valid name listed on the IANA registry. To disable validation, set tlds to false. To customize how TLDs are validated, set one of these:
      • allow - one of:
        • true to use the IANA list of registered TLDs. This is the default value.
        • false to allow any TLD not listed in the deny list, if present.
        • a Set or array of the allowed TLDs. Cannot be used together with deny.
      • deny - one of:
        • a Set or array of the forbidden TLDs. Cannot be used together with a custom allow list.
const schema = Joi.string().email();

💥 Possible validation errors:string.email

string.ip([options])

Requires the string value to be a valid ip address.

  • options - optional settings:
    • version - One or more IP address versions to validate against. Valid values: ipv4, ipv6, ipvfuture
    • cidr - Used to determine if a CIDR is allowed or not. Valid values: optional, required, forbidden
// Accept only ipv4 and ipv6 addresses with a CIDR
const schema = Joi.string().ip({
  version: [
    'ipv4',
    'ipv6'
  ],
  cidr: 'required'
});

💥 Possible validation errors:string.ip, string.ipVersion

string.uri([options])

Requires the string value to be a valid RFC 3986 URI.

  • options - optional settings:
    • scheme - Specifies one or more acceptable Schemes, should only include the scheme name. Can be an Array or String (strings are automatically escaped for use in a Regular Expression).
    • allowRelative - Allow relative URIs. Defaults to false.
    • relativeOnly - Restrict only relative URIs. Defaults to false.
    • allowQuerySquareBrackets - Allows unencoded square brackets inside the query string. This is NOT RFC 3986 compliant but query strings like abc[]=123&abc[]=456 are very common these days. Defaults to false.
// Accept git or git http/https
const schema = Joi.string().uri({
  scheme: [
    'git',
    /git\+https?/
  ]
});

💥 Possible validation errors:string.uri, string.uriCustomScheme, string.uriRelativeOnly

string.guid() - aliases: uuid

Requires the string value to be a valid GUID.

  • options - optional settings:
    • version - Specifies one or more acceptable versions. Can be an Array or String with the following values: uuidv1, uuidv2, uuidv3, uuidv4, or uuidv5. If no version is specified then it is assumed to be a generic guid.
const schema = Joi.string().guid({
    version: [
        'uuidv4',
        'uuidv5'
    ]
});

💥 Possible validation errors:string.guid

string.hex([options])

Requires the string value to be a valid hexadecimal string.

  • options - optional settings:
    • byteAligned - Boolean specifying whether you want to check that the hexadecimal string is byte aligned. If convert is true, a 0 will be added in front of the string in case it needs to be aligned. Defaults to false.
const schema = Joi.string().hex();

💥 Possible validation errors:string.hex, string.hexAlign

string.base64([options])

Requires the string value to be a valid base64 string; does not check the decoded value.

  • options - optional settings:
    • paddingRequired - optional parameter defaulting to true which will require = padding if true or make padding optional if false.

Padding characters are not required for decoding, as the number of missing bytes can be inferred from the number of digits. With that said, try to use padding if at all possible.

const schema = Joi.string().base64();
schema.validate('VE9PTUFOWVNFQ1JFVFM'); // ValidationError: "value" must be a valid base64 string
schema.validate('VE9PTUFOWVNFQ1JFVFM='); // No Error

const paddingRequiredSchema = Joi.string().base64({ paddingRequired: true });
paddingRequiredSchema.validate('VE9PTUFOWVNFQ1JFVFM'); // ValidationError: "value" must be a valid base64 string
paddingRequiredSchema.validate('VE9PTUFOWVNFQ1JFVFM='); // No Error

const paddingOptionalSchema = Joi.string().base64({ paddingRequired: false });
paddingOptionalSchema.validate('VE9PTUFOWVNFQ1JFVFM'); // No Error
paddingOptionalSchema.validate('VE9PTUFOWVNFQ1JFVFM='); // No Error

💥 Possible validation errors:string.base64

string.dataUri([options])

Requires the string value to be a valid data URI string.

  • options - optional settings:
    • paddingRequired - optional parameter defaulting to true which will require = padding if true or make padding optional if false.
const schema = Joi.string().dataUri();
schema.validate('VE9PTUFOWVNFQ1JFVFM='); // ValidationError: "value" must be a valid dataUri string
schema.validate('data:image/png;base64,VE9PTUFOWVNFQ1JFVFM='); // No Error

💥 Possible validation errors:string.dataUri

string.hostname()

Requires the string value to be a valid hostname as per RFC1123.

const schema = Joi.string().hostname();

💥 Possible validation errors:string.hostname

string.normalize([form])

Requires the string value to be in a unicode normalized form. If the validation convert option is on (enabled by default), the string will be normalized.

  • form - The unicode normalization form to use. Valid values: NFC [default], NFD, NFKC, NFKD
const schema = Joi.string().normalize(); // defaults to NFC
const schema = Joi.string().normalize('NFC'); // canonical composition
const schema = Joi.string().normalize('NFD'); // canonical decomposition
const schema = Joi.string().normalize('NFKC'); // compatibility composition
const schema = Joi.string().normalize('NFKD'); // compatibility decomposition

💥 Possible validation errors:string.normalize

string.lowercase()

Requires the string value to be all lowercase. If the validation convert option is on (enabled by default), the string will be forced to lowercase.

const schema = Joi.string().lowercase();

💥 Possible validation errors:string.lowercase

string.uppercase()

Requires the string value to be all uppercase. If the validation convert option is on (enabled by default), the string will be forced to uppercase.

const schema = Joi.string().uppercase();

💥 Possible validation errors:string.uppercase

string.trim([enabled])

Requires the string value to contain no whitespace before or after. If the validation convert option is on (enabled by default), the string will be trimmed.

Parameters are:

  • enabled - optional parameter defaulting to true which allows you to reset the behavior of trim by providing a falsy value.
const schema = Joi.string().trim();
const schema = Joi.string().trim(false); // disable trim flag

💥 Possible validation errors:string.trim

string.isoDate()

Requires the string value to be in valid ISO 8601 date format. If the validation convert option is on (enabled by default), the string will be forced to simplified extended ISO format (ISO 8601). Be aware that this operation uses javascript Date object, which does not support the full ISO format, so a few formats might not pass when using convert.

const schema = Joi.string().isoDate();

💥 Possible validation errors:string.isoDate

symbol - inherits from Any

Generates a schema object that matches a Symbol data type.

If the validation convert option is on (enabled by default), the mappings declared in map() will be tried for an eventual match.

Supports the same methods of the any() type.

const schema = Joi.symbol().map({ 'foo': Symbol('foo'), 'bar': Symbol('bar') });
schema.validate('foo', (err, value) => { });

💥 Possible validation errors:symbol.base

symbol.map(map)

Allows values to be transformed into Symbols, where:

  • map - mapping declaration that can be:
    • an object, where keys are strings, and values are Symbols
    • an array of arrays of length 2, where for each sub-array, the 1st element must be anything but an object, a function or a Symbol, and the 2nd element must be a Symbol
    • a Map, following the same principles as the array above
const schema = Joi.symbol().map([
    [1, Symbol('one')],
    ['two', Symbol('two')]
]);

💥 Possible validation errors:symbol.map

alternatives - inherits from Any

Generates a type that will match one of the provided alternative schemas via the try() method. If no schemas are added, the type will not match any value except for undefined.

Supports the same methods of the any() type.

Alternatives can be expressed using the shorter [] notation.

const alt = Joi.alternatives().try(Joi.number(), Joi.string());
// Same as [Joi.number(), Joi.string()]

💥 Possible validation errors:alternatives.base

alternatives.try(schemas)

Adds an alternative schema type for attempting to match against the validated value where:

  • schema - an array of alternative joi types. Also supports providing each type as a separate argument.
const alt = Joi.alternatives().try(Joi.number(), Joi.string());
alt.validate('a', (err, value) => { });

alternatives.when(condition, options)

Adds a conditional alternative schema type, either based on another key (not the same as any.when()) value, or a schema peeking into the current value, where:

  • condition - the key name or reference, or a schema.
  • options - an object with:
    • is - the required condition joi type. Forbidden when condition is a schema.
    • then - the alternative schema type to try if the condition is true. Required if otherwise is missing.
    • otherwise - the alternative schema type to try if the condition is false. Required if then is missing.
const schema = {
    a: Joi.alternatives().when('b', { is: 5, then: Joi.string(), otherwise: Joi.number() }),
    b: Joi.any()
};
const schema = Joi.alternatives().when(Joi.object({ b: 5 }).unknown(), {
    then: Joi.object({
        a: Joi.string(),
        b: Joi.any()
    }),
    otherwise: Joi.object({
        a: Joi.number(),
        b: Joi.any()
    })
});

Note that when() only adds additional alternatives to try and does not impact the overall type. Setting a required() rule on a single alternative will not apply to the overall key. For example, this definition of a:

const schema = {
    a: Joi.alternatives().when('b', { is: true, then: Joi.required() }),
    b: Joi.boolean()
};

Does not turn a into a required key when b is true. Instead, it tells the validator to try and match the value to anything that's not undefined. However, since Joi.alternatives() by itself allows undefined, the rule does not accomplish turning a to a required value. This rule is the same as Joi.alternatives([Joi.required()]) when b is true which will allow any value including undefined.

To accomplish the desired result above use:

const schema = {
    a: Joi.when('b', { is: true, then: Joi.required() }),
    b: Joi.boolean()
};

lazy(fn[, options]) - inherits from Any

Generates a placeholder schema for a schema that you would provide where:

  • fn - is a function returning the actual schema to use for validation.
  • options:
    • once - enables or disables the single evaluation behavior. When false, the function will be called every time a validation happens, otherwise the schema will be cached for further re-use. Defaults to true.

Supports the same methods of the any() type.

This is mostly useful for recursive schemas, like :

const Person = Joi.object({
    firstName: Joi.string().required(),
    lastName: Joi.string().required(),
    children: Joi.array().items(Joi.lazy(() => Person).description('Person schema'))
});

💥 Possible validation errors:lazy.base, lazy.schema

Errors

Joi throws classical javascript Errors containing :

  • name - 'ValidationError'.
  • isJoi - true.
  • details - an array of errors :
    • message - string with a description of the error.
    • path - ordered array where each element is the accessor to the value where the error happened.
    • type - type of the error.
    • context - object providing context of the error containing at least:
      • key - key of the value that errored, equivalent to the last element of details.path.
      • label - label of the value that errored, or the key if any, or the default language.root.
  • annotate - function that returns a string with an annotated version of the object pointing at the places where errors occurred. Takes an optional parameter that, if truthy, will strip the colors out of the output.
  • _object - the original object to validate.

List of errors

alternatives.base

Description

No alternative matched the input.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string // Label if defined, otherwise it's the key
}

any.allowOnly

Description

Only some values were allowed, the input didn't match any of them.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    valids: Array<any> // Contains the list of the valid values that were expected
}

any.default

Description

If your any.default() generator function throws error, you will have it here.

Context

{
    error: Error // Error generated during the default value function call
}

any.empty

Description

When an empty string is found and denied by invalid values.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: '', // Empty string
    invalids: Array<any> // Contains the list of the invalid values that should be rejected
}

any.invalid

Description

The value matched a value listed in the invalid values.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any, // Value being validated
    invalids: Array<any> // Contains the list of the invalid values that should be rejected
}

any.required

Description

A required value wasn't present.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string // Label if defined, otherwise it's the key
}

any.unknown

Description

A value was present while it wasn't expected.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string // Label if defined, otherwise it's the key
}

array.base

Description

The value is not of Array type or could not be cast to an Array from a string.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string // Label if defined, otherwise it's the key
}

array.excludes

Description

The array contains a value that is part of the exclusion list.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    pos: number, // Index where the value was found in the array
    value: any // Value that matched an exclude condition
}

array.excludesSingle

Description

Same as array.excludes but the value was a single value. Happens with array.single().

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    pos: number, // Index where the value was found in the array
    value: any // Value that matched an exclude condition
}

array.includesRequiredBoth

Description

Some values were expected to be present in the array and are missing. This error happens when we have a mix of labelled and unlabelled schemas.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    knownMisses: Array<string>, // Labels of all the missing values
    unknownMisees: number // Count of missing values that didn't have a label
}

array.includesRequiredKnowns

Description

Some values were expected to be present in the array and are missing. This error happens when we only have labelled schemas.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    knownMisses: Array<string> // Labels of all the missing values
}

array.includesRequiredUnknowns

Description

Some values were expected to be present in the array and are missing. This error happens when we only have unlabelled schemas.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    unknownMisees: number // Count of missing values that didn't have a label
}

array.includes

Description

The value didn't match any of the allowed types for that array.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    pos: number, // Index where the value was found in the array
    value: any // Value that failed all the schemas
}

array.includesSingle

Description

Same as array.includes but the value was a single value. Happens with array.single().

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    pos: number, // Index where the value was found in the array
    value: any // Value that failed all the schemas
}

array.length

Description

The array is not of the expected length.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Length that was expected for this array
    value: Array<any> // The array itself
}

array.max

Description

The array has more elements than the maximum allowed.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Maximum length that was expected for this array
    value: Array<any> // The array itself
}

array.min

Description

The array has less elements than the minimum allowed.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Minimum length that was expected for this array
    value: Array<any> // The array itself
}

array.orderedLength

Description

Given an array.ordered(), that array has more elements than it should.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    pos: number, // Index where the value was found in the array
    limit: number // Maximum length that was expected for this array
}

array.ref

Description

A reference was used in one of array.min(), array.max() or array.length() and the value pointed to by that reference in the input is not a valid number for those rules.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    ref: Reference, // Reference used
    value: any // Value found using the reference
}

array.sparse

Description

An undefined value was found in an array that shouldn't be sparse.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    pos: number // Index where an undefined value was found in the array
}

array.unique

Description

A duplicate value was found in an array.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    pos: number, // Index where the duplicate value was found in the array
    value: any, // Value that is duplicated
    dupePos: number, // Index where the first appearance of the duplicate value was found in the array
    dupeValue: any // Value with which the duplicate was met
}

array.hasKnown

Description

The schema on an array.has() was not found in the array. This error happens when the schema is labelled.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    patternLabel: string // Label of assertion schema
}

array.hasUnknown

Description

The schema on an array.has() was not found in the array. This error happens when the schema is unlabelled.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
}

binary.base

Description

The value is either not a Buffer or could not be cast to a Buffer from a string.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string // Label if defined, otherwise it's the key
}

binary.length

Description

The buffer was not of the specified length.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Length that was expected for this buffer
    value: Buffer // The buffer itself
}

binary.max

Description

The buffer contains more bytes than expected.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Maximum length that was expected for this buffer
    value: Buffer // The buffer itself
}

binary.min

Description

The buffer contains less bytes than expected.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Minimum length that was expected for this buffer
    value: Buffer // The buffer itself
}

boolean.base

Description

The value is either not a boolean or could not be cast to a boolean from one of the truthy or falsy values.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

date.base

Description

The value is either not a date or could not be cast to a date from a string or a number.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

date.greater

Description

The date is over the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: Date, // Maximum date
    value: Date // Input value as Date
}

date.isoDate

Description

The date does not match the ISO 8601 format.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

date.less

Description

The date is under the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: Date, // Minimum date
    value: Date // Input value as Date
}

date.max

Description

The date is over or equal to the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: Date, // Maximum date
    value: Date // Input value as Date
}

date.min

Description

The date is under or equal to the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: Date, // Minimum date
    value: Date // Input value as Date
}

date.ref

Description

A reference was used in one of date.min(), date.max(), date.less() or date.greater() and the value pointed to by that reference in the input is not a valid date.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    ref: Reference, // Reference used
    value: any // Value found using the reference
}

date.strict

Description

Occurs when the input is not a Date type and convert is disabled.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Value
}

date.timestamp.javascript

Description

Failed to be converted from a string or a number to a date as JavaScript timestamp.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

date.timestamp.unix

Description

Failed to be converted from a string or a number to a date as Unix timestamp.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

function.arity

Description

The number of arguments for the function doesn't match the required number.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    n: number // Expected arity
}

function.base

Description

The input is not a function.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

function.class

Description

The input is not a JavaScript class.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

function.maxArity

Description

The number of arguments for the function is over the required number.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    n: number // Maximum expected arity
}

function.minArity

Description

The number of arguments for the function is under the required number.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    n: number // Minimum expected arity
}

function.ref

Description

The function is not a Joi.ref().

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: function // Input value
}

lazy.base

Description

The lazy function is not set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string // Label if defined, otherwise it's the key
}

lazy.schema

Description

The lazy function didn't return a joi schema.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    schema: any // The value return by the generator function
}

number.base

Description

The value is not a number or could not be cast to a number.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

number.greater

Description

The number is lower or equal to the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Minimum value that was expected for this number
    value: number // The number itself
}

number.integer

Description

The number is not a valid integer.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: number // Value that failed, likely a floating number
}

number.less

Description

The number is higher or equal to the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Maximum value that was expected for this number
    value: number // The number itself
}

number.max

Description

The number is higher than the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Maximum value that was expected for this number
    value: number // The number itself
}

number.min

Description

The number is lower than the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Minimum value that was expected for this number
    value: number // The number itself
}

number.multiple

Description

The number could not be divided by the multiple you provided.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    multiple: number, // The number of which the input is supposed to be a multiple of
    value: number // The number itself
}

number.negative

Description

The number was positive.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: number // The number itself
}

number.port

Description

The number didn't look like a port number.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: number // The number itself 
}

number.positive

Description

The number was negative.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: number // The number itself
}

number.precision

Description

The number didn't have the required precision.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // The precision that it should have had
    value: number // The number itself
}

number.ref

Description

A reference was used in one of number.min(), number.max(), number.less(), number.greater(), or number.multiple() and the value pointed to by that reference in the input is not a valid number.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    ref: Reference, // Reference used
    value: any // Value found using the reference
}

number.unsafe

Description

The number is not within the safe range of JavaScript numbers.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

object.allowUnknown

Description

An unexpected property was found in the object.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    child: string, // Property that is unexpected
    value: any // Value of that property
}

object.and

Description

The AND condition between the properties you specified was not satisfied in that object.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    present: Array<string>, // List of properties that are set
    presentWithLabels: Array<string>, // List of labels for the properties that are set
    missing: Array<string>, // List of properties that are not set
    missingWithLabels: Array<string> // List of labels for the properties that are not set
}

object.assert

Description

The schema on an object.assert() failed to validate.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    ref: string, // Dotted path to the property that was checked
    message: string // Custom message or default one
}

object.base

Description

The value is not of object type or could not be cast to an object from a string.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

object.length

Description

The number of keys for this object is not of the expected length.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Number of keys that was expected for this object
    value: object // The object itself
}

object.max

Description

The number of keys for this object is over or equal to the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Maximum number of keys
    value: object // Input value
}

object.min

Description

The number of keys for this object is under or equal to the limit that you set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Minimum number of keys
    value: object // Input value
}

object.missing

Description

The OR or XOR condition between the properties you specified was not satisfied in that object, none of it were set.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    peers: Array<string>, // List of properties were none of it was set
    peersWithLabels: Array<string> // List of labels for the properties were none of it was set
}

object.nand

Description

The NAND condition between the properties you specified was not satisfied in that object.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    main: string, // One of the properties that was present
    mainWithLabel: string, // The label of the `main` property
    peers: Array<string>, // List of the other properties that were present
    peersWithLabels: Array<string> // List of the labels of the other properties that were present
}

object.rename.multiple

Description

Another rename was already done to the same target property.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    from: string, // Origin property name of the rename
    to: string // Target property of the rename
}

object.rename.override

Description

The target property already exists and you disallowed overrides.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    from: string, // Origin property name of the rename
    to: string // Target property of the rename
}

object.rename.regex.multiple

Description

The target property already exists and you disallowed overrides.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    from: Array<string>, // List of property names that matched the regex
    to: string // Target property of the rename
}

object.rename.regex.override

Description

The target property already exists and you disallowed overrides.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    from: Array<string>, // List of property names that matched the regex
    to: string // Target property of the rename
}

object.schema

Description

The object was not a joi schema.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string // Label if defined, otherwise it's the key
}

object.type

Description

The object is not of the type you specified.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    type: string, // Type name the object should have been
    value: object // Input value
}

object.with

Description

Property that should have been present at the same time as another one was missing.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    main: string, // Property that triggered the check
    mainWithLabel: string, // Label of the property that triggered the check
    peer: string, // Property that was missing
    peerWithLabels: string // Label of the other property that was missing
}

object.without

Description

Property that should have been absent at the same time as another one was present.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    main: string, // Property that triggered the check
    mainWithLabel: string, // Label of the property that triggered the check
    peer: string, // Property that was present
    peerWithLabels: string // Label of the other property that was present
}

object.xor

Description

The XOR condition between the properties you specified was not satisfied in that object.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    peers: Array<string>, // List of properties where none of it or too many of it was set
    peersWithLabels: Array<string> // List of labels for the properties where none of it or too many of it was set
}

object.oxor

Description

The optional XOR condition between the properties you specified was not satisfied in that object.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    peers: Array<string>, // List of properties where too many of it was set
    peersWithLabels: Array<string> // List of labels for the properties where too many of it was set
}

string.alphanum

Description

The string doesn't only contain alphanumeric characters.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.base64

Description

The string isn't a valid base64 string.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.base

Description

The input is not a string.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
}

string.creditCard

Description

The string is not a valid credit card number.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.dataUri

Description

The string is not a valid data URI.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.email

Description

The string is not a valid e-mail.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.guid

Description

The string is not a valid GUID.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.hexAlign

Description

The string contains hexadecimal characters but they are not byte-aligned.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.hex

Description

The string is not a valid hexadecimal string.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.hostname

Description

The string is not a valid hostname.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.ipVersion

Description

The string is not a valid IP address considering the provided constraints.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    cidr: string, // CIDR used for the validation
    version: Array<string>, // List of IP version accepted
    value: string // Input value
}

string.ip

Description

The string is not a valid IP address.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    cidr: string, // CIDR used for the validation
    value: string // Input value
}

string.isoDate

Description

The string is not a valid ISO date string.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.length

Description

The string is not of the expected length.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Length that was expected for this string
    encoding: undefined | string, // Encoding specified for the check if any
    value: string // Input value
}

string.lowercase

Description

The string isn't all lower-cased.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.max

Description

The string is larger than expected.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Maximum length that was expected for this string
    encoding: undefined | string, // Encoding specified for the check if any
    value: string // Input value
}

string.min

Description

The string is smaller than expected.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    limit: number, // Minimum length that was expected for this string
    encoding: undefined | string, // Encoding specified for the check if any
    value: string // Input value
}

string.normalize

Description

The string isn't valid in regards of the normalization form expected.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    form: string, // Normalization form that is expected
    value: string // Input value
}

string.ref

Description

A reference was used in one of string.min(), string.max() or string.length() and the value pointed to by that reference in the input is not a valid number for those rules.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    ref: Reference, // Reference used
    value: any // Value found using the reference
}

string.regex.base

Description

The string didn't match the regular expression.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    name: undefined, // Undefined since the regular expression has no name
    pattern: string, // Regular expression
    value: string // Input value
}

string.regex.name

Description

The string didn't match the named regular expression.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    name: string, // Name of the regular expression
    pattern: string, // Regular expression
    value: string // Input value
}

string.regex.invert.base

Description

The string matched the regular expression while it shouldn't.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    name: undefined, // Undefined since the regular expression has no name
    pattern: string, // Regular expression
    value: string // Input value
}

string.regex.invert.name

Description

The string matched the named regular expression while it shouldn't.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    name: string, // Name of the regular expression
    pattern: string, // Regular expression
    value: string // Input value
}

string.token

Description

The string isn't a token.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.trim

Description

The string contains whitespaces around it.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.uppercase

Description

The string isn't all upper-cased.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.uri

Description

The string isn't a valid URI.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

string.uriCustomScheme

Description

The string isn't a valid URI considering the custom schemes.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    scheme: string, // Scheme prefix that is expected in the URI
    value: string // Input value
}

string.uriRelativeOnly

Description

The string is a valid relative URI.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: string // Input value
}

symbol.base

Description

The input is not a Symbol.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
    ...
}

symbol.map

Description

The input is not a Symbol or could not be converted to one.

Context

{
    key: string, // Last element of the path accessing the value, `undefined` if at the root
    label: string, // Label if defined, otherwise it's the key
    value: any // Input value
    ...
}

API Reference

Shot

await Shot.inject(dispatchFunc, options)

Injects a fake request into an HTTP server.

  • dispatchFunc - listener function. The same as you would pass to Http.createServer when making a node HTTP server. Has the signature function (req, res) where:
    • req - a simulated request object. Inherits from Stream.Readable.
    • res - a simulated response object. Inherits from node's Http.ServerResponse.
  • options - request options object where:
    • url - a string specifying the request URL.
    • method - a string specifying the HTTP request method, defaulting to 'GET'.
    • authority - a string specifying the HTTP HOST header value to be used if no header is provided, and the url does not include an authority component. Defaults to 'localhost'.
    • headers - an optional object containing request headers.
    • remoteAddress - an optional string specifying the client remote address. Defaults to '127.0.0.1'.
    • payload - an optional request payload. Can be a string, Buffer, Stream or object.
    • simulate - an object containing flags to simulate various conditions:
      • end - indicates whether the request will fire an end event. Defaults to undefined, meaning an end event will fire.
      • split - indicates whether the request payload will be split into chunks. Defaults to undefined, meaning payload will not be chunked.
      • error - whether the request will emit an error event. Defaults to undefined, meaning no error event will be emitted. If set to true, the emitted error will have a message of 'Simulated'.
      • close - whether the request will emit a close event. Defaults to undefined, meaning no close event will be emitted.
    • validate - Optional flag to validate this options object. Defaults to true.

Returns a response object where:

  • raw - an object containing the raw request and response objects where:
    • req - the simulated request object.
    • res - the simulated response object.
  • headers - an object containing the response headers.
  • statusCode - the HTTP status code.
  • statusMessage - the HTTP status message.
  • payload - the payload as a UTF-8 encoded string.
  • rawPayload - the raw payload as a Buffer.
  • trailers - an object containing the response trailers.

Shot.isInjection(obj)

Checks if given object obj is a Shot Request object.

API Reference

Topo

The Topo object is the container for topologically sorting a list of nodes with non-circular interdependencies.

new Topo()

Creates a new Topo object.

topo.add(nodes, [options])

Specifies an additional node or list of nodes to be topologically sorted where:

  • nodes - a mixed value or array of mixed values to be added as nodes to the topologically sorted list.
  • options - optional sorting information about the nodes:
    • group - a string naming the group to which nodes should be assigned. The group name '?' is reserved.
    • before - a string or array of strings specifying the groups that nodes must precede in the topological sort.
    • after - a string or array of strings specifying the groups that nodes must succeed in the topological sort.
    • sort - a numerical value used to sort items when performing a topo.merge().

Returns an array of the topologically sorted nodes.

topo.nodes

An array of the topologically sorted nodes. This list is renewed upon each call to topo.add().

topo.merge(others)

Merges another Topo object into the current object where:

  • others - the other object or array of objects to be merged into the current one. null values are ignored.

Returns an array of the topologically sorted nodes. Will throw if a dependency error is found as a result of the combined items.

If the order in which items have been added to each list matters, use the sort option in topo.add() with an incrementing value providing an absolute sort order among all items added to either object.

API Reference

Options

  • name - determines the name of the cookie used to store session information. Defaults to session.
  • maxCookieSize - maximum cookie size before using server-side storage. Defaults to 1K. Set to zero to always use server-side storage.
  • storeBlank - determines whether to store empty session before they've been modified. Defaults to true.
  • errorOnCacheNotReady - will cause yar to throw an exception if trying to persist to cache when the cache is unavailable. Setting this to false will allow applications using yar to run uninterrupted if the cache is not ready (however sessions will not be saving). Defaults to true.
  • cache - hapi cache options which includes (among other options):
    • expiresIn - server-side storage expiration (defaults to 1 day).
  • cookieOptions - the configuration for cookie-specific features:
    • password - (Required) used to encrypt and sign the cookie data.
    • path - determines the cookie path. Defaults to '/'.
    • isSameSite - enables the same-site cookie parameter. Default to 'Lax'. Can be 'Strict'|'Lax'|false.
    • isSecure - determines whether or not to transfer using TLS/SSL. Defaults to true.
    • isHttpOnly - determines whether or not to set HttpOnly option in cookie. Defaults to false.
    • ttl - sets the time for the cookie to live in the browser, in milliseconds. Defaults to null (session time-life - cookies are deleted when the browser is closed).
  • customSessionIDGenerator - an optional function to create custom session IDs. Must retun a string and have the signature function (request) where:
    • request - (optional) is the original request received from the client.

Route Options

You can also add these options on a route per route basis at config.plugins.yar: - skip - a boolean value which, if true, means no session with be attached to the request (defaults to false).

Methods

yar adds the yar property to every request object and initializes the yar.id on the first request from each browser. The request.yar interface provides the following methods:

  • reset() - clears the session and assigns a new session id.
  • set(key, value) - assigns a value (string, object, etc) to a given key which will persist across requests. Returns the value.
  • set(keysObject) - assigns values to multiple keys using each 'keysObject' top-level property. Returns the keysObject.
  • get(key, clear) - retrieve value using a key. If 'clear' is 'true', key is cleared on return.
  • clear(key) - clears key.
  • touch() - Manually notify the session of changes (when using get() and changing the content of the returned reference directly without calling set()).
  • flash(type, message, isOverride) - stores volatile data - data that should be deleted once read. When given no arguments, it will return all of the flash messages and delete the originals. When given only a type, it will return all of the flash messages of that type and delete the originals. When given a type and a message, it will set or append that message to the given type. 'isOverride' used to indicate that the message provided should replace any existing value instead of being appended to it (defaults to false).
  • lazy(enabled) - if set to 'true', enables lazy mode. In lazy mode, request.yar can be modified directly (e.g. setting request.yar.myKey to an object value), and those keys will be stored and loaded back. Lazy mode isn't as fast as the normal get/set because it has to store the session state on every responses regardless of any changes being made.

yar adds the yar property to the server instance. The server.yar interface provides the following methods:

  • revoke(id) - revokes the specified session.