-
-
Save ayoungh/b8a899d42534a7189647 to your computer and use it in GitHub Desktop.
Example of HTTP Basic Auth in NodeJS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var http = require('http'); | |
var server = http.createServer(function(req, res) { | |
// console.log(req); // debug dump the request | |
// If they pass in a basic auth credential it'll be in a header called "Authorization" (note NodeJS lowercases the names of headers in its request object) | |
var auth = req.headers['authorization']; // auth is in base64(username:password) so we need to decode the base64 | |
console.log("Authorization Header is: ", auth); | |
if(!auth) { // No Authorization header was passed in so it's the first time the browser hit us | |
// Sending a 401 will require authentication, we need to send the 'WWW-Authenticate' to tell them the sort of authentication to use | |
// Basic auth is quite literally the easiest and least secure, it simply gives back base64( username + ":" + password ) from the browser | |
res.statusCode = 401; | |
res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"'); | |
res.end('<html><body>Need some creds son</body></html>'); | |
} | |
else if(auth) { // The Authorization was passed in so now we validate it | |
var tmp = auth.split(' '); // Split on a space, the original auth looks like "Basic Y2hhcmxlczoxMjM0NQ==" and we need the 2nd part | |
var buf = new Buffer(tmp[1], 'base64'); // create a buffer and tell it the data coming in is base64 | |
var plain_auth = buf.toString(); // read it back out as a string | |
console.log("Decoded Authorization ", plain_auth); | |
// At this point plain_auth = "username:password" | |
var creds = plain_auth.split(':'); // split on a ':' | |
var username = creds[0]; | |
var password = creds[1]; | |
if((username == 'hack') && (password == 'thegibson')) { // Is the username/password correct? | |
res.statusCode = 200; // OK | |
res.end('<html><body>Congratulations you just hax0rd teh Gibson!</body></html>'); | |
} | |
else { | |
res.statusCode = 401; // Force them to retry authentication | |
res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"'); | |
// res.statusCode = 403; // or alternatively just reject them altogether with a 403 Forbidden | |
res.end('<html><body>You shall not pass</body></html>'); | |
} | |
} | |
}); | |
server.listen(5000, function() { console.log("Server Listening on http://localhost:5000/"); }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment