Error responses include state

[kanongil]

Support plan

• is this issue currently blocking your project? (yes/no): no
• is this issue affecting a production system? (yes/no): no

Context

• node version:
• module version with issue: 20.2.0
• last module version without issue:
• environment (e.g. node, browser, native): node
• used with (e.g. hapi application, another framework, standalone, ...):
• any other relevant information:

The 'set-cookie header is generated for responses here:

hapi/lib/headers.js

Lines 104 to 110 in 7b4d7d8

	let header = await request._core.states.format(states, request);
	const existing = response.headers['set-cookie'];
	if (existing) {
	header = (Array.isArray(existing) ? existing : [existing]).concat(header);
	}
	response._header('set-cookie', header);

It does not use information from response to generate this. Only from the request.

What are you trying to achieve or the steps to reproduce?

Created a test case to demonstrate:

    it('does not set cookie on response errors', async () => {

        const server = Hapi.server();
        server.state('data', { encoding: 'base64json' });
        server.route({ method: 'GET', path: '/', handler: (request, h) => h.response('ok').state('data', { b: 3 }) });
        server.ext('onPostHandler', () => Hoek.wait(50), { timeout: 1 });

        const res = await server.inject('/');
        expect(res.statusCode).to.equal(500);
        expect(res.headers['set-cookie']).to.not.exist();
    });

What was the result you got?

Expected [ 'data=eyJiIjozfQ==; Secure; HttpOnly; SameSite=Strict' ] to not exist

What result did you expect?

Pass.

[Nargonath]

Good catch, thanks @kanongil.

[kanongil]

I caught it during my recent investigations into abort handling. Here I found that autoValue is unintentionally called twice when it returns an error, since it calls it again when trying to marshal an error.