Session.findByCredentials(username, password, done) in server/auth.js does not correspond with the Session model function that expects the session _id and key like in Aqua:

static findByCredentials(id, key, callback) {

    const self = this;

    Async.auto({
        session: function (done) {

            self.findById(id, done);
        },
        keyMatch: ['session', function (results, done) {

            if (!results.session) {
                return done(null, false);
            }

            const source = results.session.key;
            Bcrypt.compare(key, source, done);
        }]
    }, (err, results) => {

        if (err) {
            return callback(err);
        }

        if (results.keyMatch) {
            return callback(null, results.session);
        }

        callback();
    });
}

Never mind, I just found the answer in the door-bell branch.

Thanks for responding Reza.
Like I mentioned there is an answer to my question in that branch, however that code has to change or Frame does not work. And the code I found is very different from the new approach in Frame (which uses MongoModels and not var BaseModel = require('./base');)
I would be nice to bring that code up to date. Don't you think? The problems with the code the way it is are only apparent when you use a real client not if you test it with Postman which do not do Preflight for example.
Thanks in advance again.

I would be nice to bring that code up to date. Don't you think?

No. I'm going to delete that branch since it's so out of date.

I suggest following the most up-to-date docs for bell.

What I mean is bring the code in Frame Master up to date.

Oh. Well with the big changes we're seeing with hapi v17 and the other core modules migrating to async/await, we definitely have a lot of work to do there. 😉