-
-
Save charlesdaniel/1686663 to your computer and use it in GitHub Desktop.
| var http = require('http'); | |
| var server = http.createServer(function(req, res) { | |
| // console.log(req); // debug dump the request | |
| // If they pass in a basic auth credential it'll be in a header called "Authorization" (note NodeJS lowercases the names of headers in its request object) | |
| var auth = req.headers['authorization']; // auth is in base64(username:password) so we need to decode the base64 | |
| console.log("Authorization Header is: ", auth); | |
| if(!auth) { // No Authorization header was passed in so it's the first time the browser hit us | |
| // Sending a 401 will require authentication, we need to send the 'WWW-Authenticate' to tell them the sort of authentication to use | |
| // Basic auth is quite literally the easiest and least secure, it simply gives back base64( username + ":" + password ) from the browser | |
| res.statusCode = 401; | |
| res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"'); | |
| res.end('<html><body>Need some creds son</body></html>'); | |
| } | |
| else if(auth) { // The Authorization was passed in so now we validate it | |
| var tmp = auth.split(' '); // Split on a space, the original auth looks like "Basic Y2hhcmxlczoxMjM0NQ==" and we need the 2nd part | |
| var buf = new Buffer(tmp[1], 'base64'); // create a buffer and tell it the data coming in is base64 | |
| var plain_auth = buf.toString(); // read it back out as a string | |
| console.log("Decoded Authorization ", plain_auth); | |
| // At this point plain_auth = "username:password" | |
| var creds = plain_auth.split(':'); // split on a ':' | |
| var username = creds[0]; | |
| var password = creds[1]; | |
| if((username == 'hack') && (password == 'thegibson')) { // Is the username/password correct? | |
| res.statusCode = 200; // OK | |
| res.end('<html><body>Congratulations you just hax0rd teh Gibson!</body></html>'); | |
| } | |
| else { | |
| res.statusCode = 401; // Force them to retry authentication | |
| res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"'); | |
| // res.statusCode = 403; // or alternatively just reject them altogether with a 403 Forbidden | |
| res.end('<html><body>You shall not pass</body></html>'); | |
| } | |
| } | |
| }); | |
| server.listen(5000, function() { console.log("Server Listening on http://localhost:5000/"); }); |
If I want to use this to log into a specific "http://someserver.com/8080/", where would I put the url in the code?
@charlesdaniel, thanks for this piece of code, it does exactly what I needed :-)
Awesome! Thanks for this!! Easy! Mine is setup to run over SSL, but with this simple example, I can easily tie it into auth tables in DB. Thanks!
@thesailored wrote:
If I want to use this to log into a specific "http://someserver.com/8080/", where would I put the url in the code?
Assume you mean http://someserver.com:8080 and you only want to accept incoming connections on port 8080 for the hostname someserver.com. If so, you'd just modify line 53:
server.listen(port, [hostname], [backlog], [callback])
So ...
server.listen(8080, 'someserver.com')
See docs on server.listen.
If the password has a colon plain_auth.split(':'); will return an array with size >2 and the extracted password will be incomplete.
cosu is right.
You should use following syntax.
"username:password:123".split(/:(.+)/)[1]
Thank you !
Massively appreciate the post @charlesdaniel, thanks so much for taking the time and spreading the good word!
Very useful, thanks
Thanks a lot man. This short and straight to the point piece of code really helped me understand it.
wo, very simple but good explain example :)
Thank you for explaining in detail each step and why each piece of code is needed. I wish there were more examples of code on the web explained this clearly.
ya this is to much helpfull!!
Still useful in 2021!
Thank you, you have clarified most of my dubts :)