@charlesdaniel
Created January 27, 2012 02:53
Example of HTTP Basic Auth in NodeJS
var http = require('http');

var server = http.createServer(function(req, res) {
    // console.log(req); // debug dump the request

    // If they pass in a basic auth credential it'll be in a header called "Authorization"
    // (note NodeJS lowercases the names of headers in its request object)
    var auth = req.headers['authorization']; // auth is "Basic " + base64(username:password), so we need to decode the base64
    console.log("Authorization Header is: ", auth); // note: this prints the (base64-encoded) credentials to the log

    if (!auth) { // No Authorization header was passed in, so it's the first time the browser hit us
        // Sending a 401 will require authentication; we need to send 'WWW-Authenticate' to tell them the sort of authentication to use
        // Basic auth is quite literally the easiest and least secure, it simply gives back base64( username + ":" + password ) from the browser
        res.statusCode = 401;
        res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');
        res.end('<html><body>Need some creds son</body></html>');
    }
    else { // The Authorization header was passed in, so now we validate it
        var tmp = auth.split(' '); // Split on a space; the original auth looks like "Basic Y2hhcmxlczoxMjM0NQ==" and we need the 2nd part
        var buf = Buffer.from(tmp[1] || '', 'base64'); // decode the base64 payload (Buffer.from replaces the deprecated new Buffer())
        var plain_auth = buf.toString(); // read it back out as a string
        console.log("Decoded Authorization ", plain_auth);

        // At this point plain_auth = "username:password"
        var sep = plain_auth.indexOf(':'); // split on the FIRST ':' only, because the password itself may contain colons
        var username = (sep === -1) ? plain_auth : plain_auth.slice(0, sep);
        var password = (sep === -1) ? '' : plain_auth.slice(sep + 1);

        if ((username === 'hack') && (password === 'thegibson')) { // Is the username/password correct?
            res.statusCode = 200; // OK
            res.end('<html><body>Congratulations you just hax0rd teh Gibson!</body></html>');
        }
        else {
            res.statusCode = 401; // Force them to retry authentication
            res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');
            // res.statusCode = 403; // or alternatively just reject them altogether with a 403 Forbidden
            res.end('<html><body>You shall not pass</body></html>');
        }
    }
});

server.listen(5000, function() { console.log("Server Listening on http://localhost:5000/"); });
@joyrexus

@thesailored wrote:

If I want to use this to log into a specific "http://someserver.com/8080/", where would I put the url in the code?

Assume you mean http://someserver.com:8080 and you only want to accept incoming connections on port 8080 for the hostname someserver.com. If so, you'd just modify line 53:

server.listen(port, [hostname], [backlog], [callback])

So ...

server.listen(8080, 'someserver.com')

See docs on server.listen.


@cosu

cosu commented Jun 18, 2016

If the password has a colon, plain_auth.split(':'); will return an array with size >2 and the extracted password will be incomplete.

@anujkumar-df

cosu is right.
You should use following syntax.
"username:password:123".split(/:(.+)/)[1]

@mauroao

mauroao commented Jul 26, 2017

Thank you !

@fusion27

fusion27 commented Aug 28, 2017

Massively appreciate the post @charlesdaniel, thanks so much for taking the time and spreading the good word!

@andreafalzetti

Very useful, thanks

@pedrobertao

Thanks a lot man. This short and straight to the point piece of code really helped me understand it.

@wahengchang

wow, very simple but well-explained example :)

@Jason-Weyland

Thank you for explaining in detail each step and why each piece of code is needed. I wish there were more examples of code on the web explained this clearly.

@Umang2002

ya this is too much helpful!!

@subodhkarwa

Still useful in 2021!
