Using Hapijs and Bell with the Twitter provider. How to handle the authorize rejection from Twitter using the Bell module?

I'm using the Hapi framework (nodejs) with the Bell module, working with the Twitter provider.

It was pretty simple to get working code with the example given on the GitHub page. I access the /login route and I get redirected to Twitter, where I authorize the app, and then I'm redirected back to /login?oauth_token=xxxxxxx&oauth_verifier=xxxxxxx, where I have access to the user profile in request.auth.credentials.

The problem came when I tried to reject the app. Instead of clicking the "Sign In" button on Twitter, I clicked the "Cancel" button and then the "Return to site name" button. This last button redirects me to /login?denied=xxxxxx and then I'm redirected (again) to Twitter to approve the app.

I tried to handle this scenario using another example in the same page https://github.com/hapijs/bell#handling-errors but can't get it to work.

server.route({
    method: ['GET', 'POST'],
    path: '/login',
    config: {
        auth: {
            strategy: 'twitter',
            mode: 'try'
        },
        handler: function (request, reply) {

            if (!request.auth.isAuthenticated) {
                return reply('Authentication failed due to: ' + request.auth.error.message);
            }

            return reply.redirect('/home');
        }
    }
});

It seems that before checking request.auth it interprets the /login route and redirects to Twitter. I still don't understand the Bell module very well, but it might be that the Twitter strategy is expecting the oauth_token and oauth_verifier in the request.params, but the denied param is not interpreted by the strategy and that's why the redirect happens.

Has somebody managed to handle this scenario?

I found a workaround. It's not an optimal solution but at least allows me to handle the rejection from Twitter.

I had to modify a file inside the bell module. In bell/lib/oauth.js, before the verification of oauth_token:

exports.v1 = function (settings) {

    var client = new internals.Client(settings);

    return function (request, reply) {

        var cookie = settings.cookie;
        var name = settings.name;

        // Sign-in Initialization

        // Verify if app (Twitter) was rejected
        if (name === 'twitter' && request.query.denied) {
            return reply(Boom.internal('App was rejected'));
        }

        if (!request.query.oauth_token) {

            // Obtain temporary OAuth credentials

            var oauth_callback = request.server.location(request.path, request);

            // ...

With that change I can catch and show the auth error in the handler, without the automatic redirect.

At least this is the way I managed to make it work. The downside of this modification is that if the bell module is updated, the modification is lost and the bug arises again, unless the updated module already comes with a fix for this. So, you have to keep an eye on that.

Here's the link to the GitHub issue I created on the Bell repository regarding this bug.
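
A way to get the same result without editing files under node_modules, as an added example (not code from the original post or from Bell): a request-extension guard that intercepts the `denied` callback on /login before the Twitter strategy runs. It assumes the older hapi `reply` interface shown above also applies to extension handlers, the `onPreAuth` extension point, and a hypothetical `/login-cancelled` route.

```javascript
// Added example, not Bell's code. Assumes hapi's pre-v17 reply interface
// (reply.continue(), reply.redirect()) for extension handlers.

// Classify the query on the OAuth 1.0a callback route. The oauth_token test
// mirrors the `!request.query.oauth_token` check in the excerpt above.
function classifyCallback(query) {
    const q = query || {};
    const has = (k) => Object.prototype.hasOwnProperty.call(q, k) && q[k] !== '';

    if (has('denied')) {
        return 'denied';      // user cancelled on Twitter; checked first
    }
    if (has('oauth_token')) {
        return 'callback';    // leave verification to the auth strategy
    }
    return 'start';           // no OAuth parameters: strategy starts sign-in
}

// Build a handler that answers denied callbacks before the auth strategy
// runs. loginPath and cancelledPath are hypothetical route paths.
function makeDeniedGuard(loginPath, cancelledPath) {
    return function (request, reply) {
        if (request.path === loginPath &&
            classifyCallback(request.query) === 'denied') {
            // Fixed local target: the client-supplied `denied` value is
            // never echoed or used to build the redirect.
            return reply.redirect(cancelledPath);
        }
        return reply.continue();
    };
}

// Assumed wiring:
// server.ext('onPreAuth', makeDeniedGuard('/login', '/login-cancelled'));

// Constructed stand-ins for hapi's request and reply, so the guard runs offline.
function simulate(path, query) {
    let outcome = null;
    const reply = {
        redirect: (to) => { outcome = 'redirect:' + to; },
        continue: () => { outcome = 'continue'; }
    };
    makeDeniedGuard('/login', '/login-cancelled')({ path: path, query: query }, reply);
    return outcome;
}
```

Because the guard lives in application code, it survives a Bell upgrade, and it can be removed once the module handles `denied` itself.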