basic authentication with Node.js and restify

Asked 10/4, 2014 at 15:14 Answered 12/4, 2014 at 23:5

javascript node.js basic-authentication restify

I'm currently developing a RESTful web service with NodeJS and restify.

I have everything up and running with node-mysql for the database, but I also would like to implement HTTP Basic authentication.

I only did this once with Apache and an .htaccess file.

But here the webserver comes with restify and I start it like this:

var server = restify.createServer({
  name: 'my webservice'
});

There is a Authentication Parser Plugin listed in the restify documentation (http://mcavage.me/node-restify/#Bundled-Plugins) but I can't figure out how to use it.

The req.username value is always set to anonymous, even when I use http://user:pass@url....

The best thing would be if I could use it with a .htpasswd file to store/access the user and pass.

Does anyone know how to implement this with restify or another module?

Spathose answered 10/4, 2014 at 15:14 Comment(0)

Finally I found a way to do it without any additional modules.

First I send the correkt header:

var auth = req.headers['authorization'];
res.statusCode = 401;
res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');
res.end('need creds');

Then I check the user and pass and if its ok then send the correct status code

res.statusCode = 200;  // OK

If the password is not correct:

  res.statusCode = 401; // Force them to retry authentication
  res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');
  res.end('<html><body>You shall not pass</body></html>');

This works pretty well. I only have some trouble to read the .htpasswd and the crypted password. Does anyone know how I can check a plain password against a .htpasswd file?

Spathose answered 12/4, 2014 at 23:5 Comment(1)

Do you think that it could work also in my case : #40288397 ? Or I should change my old code and use only "restify" extensions? – Thenceforward 27/10, 2016 at 15:21

Have a look at Passport.js. It supports Basic HTTP as one of the authentication schemes.

Bloodandthunder answered 10/4, 2014 at 15:22 Comment(1)

looks promising... I will give it a try – Spathose 11/4, 2014 at 8:51

The req.username value is always set to anonymous, even when I use http: //user:pass@url....

The documentation seems to suggest that it expects the credentials in the header not in the url, you might need to use Curl or some other tool besides a browser to make headers with authorization headers.

Edp answered 10/4, 2014 at 15:25 Comment(2)

Ok... I thought that they will be send in the header even when I put them in the url. – Spathose 11/4, 2014 at 8:54

@nico - I guess a browser could have that feature, but you can't be sure. I've never see the url format you show in use. – Edp 11/4, 2014 at 10:43

-4

With express you can do something like this:

var auth = express.basicAuth(function(user, pass) {
    return (user == "admin" && pass == "1234");
},'Super duper secret area');

app.get('/test', auth, function(req, res){
    ...
});

expressjs.com

Authentic answered 10/4, 2014 at 15:25 Comment(1)

I don't want to use express. It has too much included that I do not need... thats why I chose restify.js – Spathose 11/4, 2014 at 8:41

Recommended topics

Hot tags