Example of HTTP Basic Auth in NodeJS

basic_auth_nodejs_test.js

var http = require('http');

var server = http.createServer(function(req, res) {
        // console.log(req);   // debug dump the request

        // If they pass in a basic auth credential it'll be in a header called "Authorization" (note NodeJS lowercases the names of headers in its request object)

        var auth = req.headers['authorization'];  // auth is in base64(username:password)  so we need to decode the base64
        console.log("Authorization Header is: ", auth);

        if(!auth) {     // No Authorization header was passed in so it's the first time the browser hit us

                // Sending a 401 will require authentication, we need to send the 'WWW-Authenticate' to tell them the sort of authentication to use
                // Basic auth is quite literally the easiest and least secure, it simply gives back  base64( username + ":" + password ) from the browser
                res.statusCode = 401;
                res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');

                res.end('<html><body>Need some creds son</body></html>');
        }

        else if(auth) {    // The Authorization was passed in so now we validate it

                var tmp = auth.split(' ');   // Split on a space, the original auth looks like  "Basic Y2hhcmxlczoxMjM0NQ==" and we need the 2nd part

                var buf = new Buffer(tmp[1], 'base64'); // create a buffer and tell it the data coming in is base64
                var plain_auth = buf.toString();        // read it back out as a string

                console.log("Decoded Authorization ", plain_auth);

                // At this point plain_auth = "username:password"

                var creds = plain_auth.split(':');      // split on a ':'
                var username = creds[0];
                var password = creds[1];

                if((username == 'hack') && (password == 'thegibson')) {   // Is the username/password correct?

                        res.statusCode = 200;  // OK
                        res.end('<html><body>Congratulations you just hax0rd teh Gibson!</body></html>');
                }
                else {
                        res.statusCode = 401; // Force them to retry authentication
                        res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');

                        // res.statusCode = 403;   // or alternatively just reject them altogether with a 403 Forbidden

                        res.end('<html><body>You shall not pass</body></html>');
                }
        }
});


server.listen(5000, function() { console.log("Server Listening on http://localhost:5000/"); });

@thesailored wrote:

If I want to use this to log into a specific "http://someserver.com/8080/", where would I put the url in the code?

Assume you mean http://someserver.com:8080 and you only want to accept incoming connections on port 8080 for the hostname someserver.com. If so, you'd just modify line 53:

server.listen(port, [hostname], [backlog], [callback])

So ...

server.listen(8080, 'someserver.com')

See docs on server.listen.

FWIW, a somewhat prettified version of this gist.

If the password has a colon plain_auth.split(':'); will return an array with size >2 and the extracted password will be incomplete.

cosu is right.
You should use following syntax.
"username:password:123".split(/:(.+)/)[1]

Thank you !

Massively appreciate the post @charlesdaniel, thanks so much for taking the time and spreading the good word!

Very useful, thanks

Thanks a lot man. This short and straight to the point piece of code really helped me understand it.

wo, very simple but good explain example :)

Thank you for explaining in detail each step and why each piece of code is needed. I wish there were more examples of code on the web explained this clearly.

ya this is to much helpfull!!

Still useful in 2021!