koajs / basic-auth Goto Github PK

blanket basic auth middleware

JavaScript 100.00%

basic-auth's Introduction

koa-basic-auth

Add simple "blanket" basic auth with username / password. If you require anything more specific just use the basic-auth module.

v4.x+ Breaking Change: This package no longer requires both a username and a password. Either or is supported, see #39 for more insight.

Installation

$ npm install koa-basic-auth

Example

Password protect downstream middleware:

const auth = require('koa-basic-auth');
const Koa = require('koa');
const app = new Koa();

// custom 401 handling
app.use(async (ctx, next) => {
  try {
    await next();
  } catch (err) {
    if (401 == err.status) {
      ctx.status = 401;
      ctx.set('WWW-Authenticate', 'Basic');
      ctx.body = 'cant haz that';
    } else {
      throw err;
    }
  }
});

// require auth
app.use(auth({ name: 'tj', pass: 'tobi' }));

// secret response
app.use(async (ctx) => {
  ctx.body = 'secret';
});

app.listen(3000, function () {
  console.log('listening on port 3000');
});

Example request:

$ curl -H "Authorization: basic dGo6dG9iaQ==" http://localhost:3000/ -i
HTTP/1.1 200 OK
X-Powered-By: koa
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Date: Sat, 30 Nov 2013 19:35:17 GMT
Connection: keep-alive

secret

Using the mount middleware you may specify auth for a given prefix:

const mount = require('koa-mount');
const auth = require('koa-basic-auth');

app.use(mount('/admin', auth({ name: 'tobi', pass: 'ferret' })));

License

MIT

basic-auth's People

Contributors

Stargazers

Watchers

Forkers

mako-taco vesln jeromew tpisto marcusoftnet hgenru sokolskynikita sharksevenro xjenekx nicolasleger melnikaite oxoyo antoinemaillard xinyi1989 isabella232

basic-auth's Issues

Support for Koa v2.x

I was wondering if anyone is working on migrating this middleware to Koa v.2.x?

If not, can I do an implementation in the upcoming week? Thank you.

might as well be auth(ctx)

var auth = basicAuth(this);
if (auth) ...

Updated example

I (and presumable others) have a bit of a hard time understanding how I could use this to protect certain routes with authentication. For example.

/ - public
/admin - uses authentication

Could you update the example.js with that? I don't really get how to stitch it together... :S

Allow blank/empty user || pass

A lot of API's only require a user, or a pass, but not both.

This package requires that both be present.

Can we please patch this to allow either a user AND/OR a pass?

Use crypto.timingSafeEqual for comparison

jshttp/basic-auth#39

Basic HTTP header authentication

It was not clear to me that this authentication used the HTTP standard headers to perform a very basic login. I spent a bit of time trying to find how the login screen was setup on the backend as I was not aware that the browsers had a standard for doing this. Hence the screen was generated by the browser and not in the backend.

Maybe I will update the MD file. Clearly this basic authentication is persistent at the client and so not suitable for commercial use. In future the standard may be updated so that the authentication does not persist, but standards are a bit like government. Expect nothing and you will not be disappointed,

npm update

could you please update this module on npm ? (had the same bug that was already fixed)
thanks

manifest.json and google chrome

Hello there,

I use a basic auth on my server side rendering project with this repo.
Interestingly, After authenticating on /, I can see in the network devtools panel the /manifest.json route serves a 401. Indeed the basic auth is not passed for this route. This is the one and only route which has the problem.
In firefox, the route is not even fetched.

Manifest.json is for making single page application as desktop/mobile web app using service worker.
Looks like chrome does not want to pass the Authorization request header for this route as explained here:
web-push-libs/pywebpush#42
and https://developers.google.com/web/ilt/pwa/introduction-to-push-notifications

Does someone know if there is a way to work with basic auth and manifest.json?
Maybe using koa-cors?
Like proposed here: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-discuss/ZLXwilWYwZs

Thank you,