From 7b57e46080f8290c1c16be5bf836343b73405dbd Mon Sep 17 00:00:00 2001
From: Gil Pedersen
Date: Wed, 27 Aug 2025 12:58:03 +0200
Subject: [PATCH] Improve validation error tests
---
 test/index.js | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/test/index.js b/test/index.js
index 3a7d654..935c55e 100755
--- a/test/index.js
+++ b/test/index.js
@@ -371,7 +371,7 @@ describe('scheme', () => {
 expect(res2.result).to.equal('resource');
 });
- it('errors in validation function', async () => {
+ it('returns unauthorized on errors in validation function', async () => {
 const server = Hapi.server();
 await server.register(require('../'));
@@ -411,6 +411,8 @@ describe('scheme', () => {
 expect(res2.statusCode).to.equal(401);
 expect(error).to.be.an.error('boom');
+ expect(res2.headers['set-cookie']).to.exist().and.have.length(1);
+ expect(res2.headers['set-cookie'][0]).to.include('special=;');
 });
 it('uauthorized error in validation function fails over to subsequent authentication scheme', async () => {
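Review bot: The two assertions added after `expect(error).to.be.an.error('boom');` pin only the empty value (`special=;`), so the test does not verify that the header actually expires the rejected session cookie on the client. If the clearing header is expected to carry an immediate expiry (presumably `Max-Age=0`, by analogy with the `Max-Age=60` that the test added further down this patch asserts at login; confirm against the real header), add `expect(res2.headers['set-cookie'][0]).to.include('Max-Age=0');`. The middle of this test lies between the two hunks and is not shown, so the strategy options in effect here (for example `clearInvalid`) could not be checked.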
@@ -489,6 +491,49 @@ describe('scheme', () => {
 expect(res2.request.auth.credentials.user).to.equal('bogus-user');
 });
+ it('returns system errors in validation function', async () => {
+
+ const server = Hapi.server({ debug: false });
+ await server.register(require('../'));
+
+ server.auth.strategy('default', 'cookie', {
+ cookie: {
+ password: 'password-should-be-32-characters',
+ clearInvalid: true,
+ ttl: 60 * 1000,
+ name: 'special'
+ },
+ validate: function (request, session) {
+
+ throw new TypeError('huh?');
+ }
+ });
+ server.auth.default('default');
+
+ Helpers.loginWithResourceEndpoint(server);
+
+ const res = await server.inject('/login/steve');
+
+ expect(res.result).to.equal('steve');
+ const header = res.headers['set-cookie'];
+ expect(header.length).to.equal(1);
+ expect(header[0]).to.contain('Max-Age=60');
+ const cookie = header[0].match(internals.cookieRx);
+
+ let error;
+ server.ext('onPreResponse', (request, h) => {
+
+ error = request.response;
+ return h.continue;
+ });
+
+ const res2 = await server.inject({ method: 'GET', url: '/resource', headers: { cookie: 'special=' + cookie[1] } });
+
+ expect(res2.statusCode).to.equal(500);
+ expect(error).to.be.an.error('huh?');
+ expect(res2.headers['set-cookie']).to.not.exist();
+ });
+
+ it('authenticates a request (no ttl)', async () => {
 const server = Hapi.server();
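Review bot: The new test asserts the 500 status and the error object seen in `onPreResponse`, but nothing about what the client receives, so it would not catch the thrown `TypeError` text leaking into the response body. After `expect(res2.statusCode).to.equal(500);`, add `expect(res2.payload).to.not.include('huh?');`. The final `set-cookie` assertion also deserves a one-line comment, since the strategy sets `clearInvalid: true` and a reader may expect the cookie to be cleared: for example `// a crash in validate() is not proof the session is invalid, so the cookie is left untouched`. That reading of the intent is inferred from the test name and assertions and should be confirmed against the scheme implementation.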