Basic HTTP authentication in Node.JS?

Question

I'm trying to write a REST-API server with NodeJS like the one used by Joyent, and everything is ok except I can't verify a normal user's authentication. If I jump to a terminal and do curl -u username:password localhost:8000 -X GET, I can't get the values username:password on the NodeJS http server. If my NodeJS http server is something like

var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello World\n');
}).listen(1337, "127.0.0.1");

, shouldn't I get the values username:password somewhere in the req object that comes from the callback ? How can I get those values without having to use Connect's basic http auth ?

console.dir(req.headers) only outputs { authorization: 'Basic am9hb2plcm9uaW1vOmJsYWJsYWJsYQ==', 'user-agent': 'curl/7.21.3 (x86_64-pc-linux-gnu) libcurl/7.21.3 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.18', host: 'localhost:8000', accept: '/' } — João Pinto Jerónimo
– João Pinto Jerónimo, Commented May 10, 2011 at 15:15

Rob Raisch · Accepted Answer · 2020-12-02 19:00:35Z

105

The username:password is contained in the Authorization header as a base64-encoded string.

Try this:

const http = require('http');
 
http.createServer(function (req, res) {
  var header = req.headers.authorization || '';       // get the auth header
  var token = header.split(/\s+/).pop() || '';        // and the encoded auth token
  var auth = Buffer.from(token, 'base64').toString(); // convert from base64
  var parts = auth.split(/:/);                        // split on colon
  var username = parts.shift();                       // username is first
  var password = parts.join(':');                     // everything else is the password
 
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('username is "' + username + '" and password is "' + password + '"');
}).listen(1337, '127.0.0.1');

From HTTP Authentication: Basic and Digest Access Authentication - Part 2 Basic Authentication Scheme (Pages 4-5)

Basic Authentication in Backus-Naur Form

basic-credentials = base64-user-pass
base64-user-pass  = <base64 [4] encoding of user-pass,
                    except not limited to 76 char/line>
user-pass   = userid ":" password
userid      = *<TEXT excluding ":">
password    = *TEXT

edited Dec 2, 2020 at 19:00

answered May 10, 2011 at 23:27

Rob Raisch

17.4k4 gold badges51 silver badges59 bronze badges

Sign up to request clarification or add additional context in comments.

5 Comments

root-aj Over a year ago

Don't forget to parse out the "Basic", i.e.: 'Basic abcdef0123456789' === req.headers.authorization

Rob Raisch Over a year ago

The third line in the example already does this by splitting the header on whitespace to produce ["Basic","abcdef0123456789"] and popping off the last value, which will be the authorization token.

Baruch Even Over a year ago

It's much better to use the express.basicAuth method instead to handle all the issues. Simpler and cleaner.

Rob Raisch Over a year ago

Agree, but the OP didn't wish to do so.

ceving Over a year ago

This may fail, if the password contains a colon.

Jeroen Ooms · Accepted Answer · 2014-05-30 20:14:49Z

38

If you're using express, you can use the connect plugin (included with express):

//Load express
var express = require('express');

//User validation
var auth = express.basicAuth(function(user, pass) {     
   return (user == "super" && pass == "secret");
},'Super duper secret area');

//Password protected area
app.get('/admin', auth, routes.admin);

edited May 30, 2014 at 20:14

answered Aug 27, 2012 at 19:19

Jeroen Ooms

33.3k36 gold badges146 silver badges220 bronze badges

2 Comments

LifeOnLars Over a year ago

I don't believe this works any longer from Express 4 onwards. See stackoverflow.com/questions/24283848/… or use something like npmjs.org/package/http-auth as an alternative

gevorg Over a year ago

Yes http-auth should just do fine.

Phillip Kovalev · Accepted Answer · 2011-05-10 15:26:46Z

8

You can use node-http-digest for basic auth or everyauth, if adding authorization from external services are in you roadmap.

answered May 10, 2011 at 15:26

Phillip Kovalev

2,49723 silver badges23 bronze badges

Comments

Grant Li · Accepted Answer · 2014-01-05 23:53:30Z

I use this code for my own starter sites with auth.

It does several things:

basic auth
return index.html for / route
serve content without crashing and silent handle the error
allow port parameter when running
minimal amount of logging

Before using the code, npm install express

var express = require("express");
var app = express();

//User validation
var auth = express.basicAuth(function(user, pass) {     
     return (user == "username" && pass == "password") ? true : false;
},'dev area');

/* serves main page */
app.get("/", auth, function(req, res) {
try{
    res.sendfile('index.html')
}catch(e){}
});

/* add your other paths here */

/* serves all the static files */
app.get(/^(.+)$/, auth, function(req, res){ 
try{
    console.log('static file request : ' + req.params);
    res.sendfile( __dirname + req.params[0]); 
}catch(e){}
});

var port = process.env.PORT || 8080;
app.listen(port, function() {
    console.log("Listening on " + port);
});

Ebrahim Byagowi · Accepted Answer · 2022-01-31 06:02:31Z

5

It can be implemented easily in pure node.js with no dependency, this is my version which is based on this answer for express.js but simplified so you can see the basic idea easily:

const http = require('http');

http.createServer(function (req, res) {
    const userpass = Buffer.from(
        (req.headers.authorization || '').split(' ')[1] || '',
        'base64'
    ).toString();
    if (userpass !== 'username:password') {
        res.writeHead(401, { 'WWW-Authenticate': 'Basic realm="nope"' });
        res.end('HTTP Error 401 Unauthorized: Access is denied');
        return;
    }
    res.end('You are in! Yay!!');
}).listen(1337, '127.0.0.1');

edited Jan 31, 2022 at 6:02

answered Aug 8, 2017 at 12:12

Ebrahim Byagowi

11.4k6 gold badges76 silver badges88 bronze badges

Comments

Dave Pacheco · Accepted Answer · 2012-06-24 18:09:24Z

3

The restify framework (http://mcavage.github.com/node-restify/) includes an authorization header parser for "basic" and "signature" authentication schemes.

answered Jun 24, 2012 at 18:09

Dave Pacheco

8506 silver badges14 bronze badges

Comments

gevorg · Accepted Answer · 2016-04-22 10:19:00Z

1

You can use http-auth module

// Authentication module.
var auth = require('http-auth');
var basic = auth.basic({
    realm: "Simon Area.",
    file: __dirname + "/../data/users.htpasswd" // gevorg:gpass, Sarah:testpass ...
});

// Creating new HTTP server.
http.createServer(basic, function(req, res) {
    res.end("Welcome to private area - " + req.user + "!");
}).listen(1337);

answered Apr 22, 2016 at 10:19

gevorg

5,1155 gold badges40 silver badges54 bronze badges

Collectives™ on Stack Overflow

Basic HTTP authentication in Node.JS?

7 Answers 7

5 Comments

2 Comments

Comments

Comments

Comments

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

7 Answers 7

5 Comments

2 Comments

Comments

Comments

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related