Created
January 27, 2012 02:53
-
-
Save charlesdaniel/1686663 to your computer and use it in GitHub Desktop.
Example of HTTP Basic Auth in NodeJS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var http = require('http'); | |
var server = http.createServer(function(req, res) { | |
// console.log(req); // debug dump the request | |
// If they pass in a basic auth credential it'll be in a header called "Authorization" (note NodeJS lowercases the names of headers in its request object) | |
var auth = req.headers['authorization']; // auth is in base64(username:password) so we need to decode the base64 | |
console.log("Authorization Header is: ", auth); | |
if(!auth) { // No Authorization header was passed in so it's the first time the browser hit us | |
// Sending a 401 will require authentication, we need to send the 'WWW-Authenticate' to tell them the sort of authentication to use | |
// Basic auth is quite literally the easiest and least secure, it simply gives back base64( username + ":" + password ) from the browser | |
res.statusCode = 401; | |
res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"'); | |
res.end('<html><body>Need some creds son</body></html>'); | |
} | |
else if(auth) { // The Authorization was passed in so now we validate it | |
var tmp = auth.split(' '); // Split on a space, the original auth looks like "Basic Y2hhcmxlczoxMjM0NQ==" and we need the 2nd part | |
var buf = new Buffer(tmp[1], 'base64'); // create a buffer and tell it the data coming in is base64 | |
var plain_auth = buf.toString(); // read it back out as a string | |
console.log("Decoded Authorization ", plain_auth); | |
// At this point plain_auth = "username:password" | |
var creds = plain_auth.split(':'); // split on a ':' | |
var username = creds[0]; | |
var password = creds[1]; | |
if((username == 'hack') && (password == 'thegibson')) { // Is the username/password correct? | |
res.statusCode = 200; // OK | |
res.end('<html><body>Congratulations you just hax0rd teh Gibson!</body></html>'); | |
} | |
else { | |
res.statusCode = 401; // Force them to retry authentication | |
res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"'); | |
// res.statusCode = 403; // or alternatively just reject them altogether with a 403 Forbidden | |
res.end('<html><body>You shall not pass</body></html>'); | |
} | |
} | |
}); | |
server.listen(5000, function() { console.log("Server Listening on http://localhost:5000/"); }); |
If the password has a colon plain_auth.split(':'); will return an array with size >2 and the extracted password will be incomplete.
cosu is right.
You should use following syntax.
"username:password:123".split(/:(.+)/)[1]
Thank you !
Massively appreciate the post @charlesdaniel, thanks so much for taking the time and spreading the good word!
Very useful, thanks
Thanks a lot man. This short and straight to the point piece of code really helped me understand it.
wo, very simple but good explain example :)
Thank you for explaining in detail each step and why each piece of code is needed. I wish there were more examples of code on the web explained this clearly.
ya this is to much helpfull!!
Still useful in 2021!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
FWIW, a somewhat prettified version of this gist.