
@gawen
Created December 2, 2016 14:28
HTTP Digest Auth with express, passport-http and routers
// Minimal reproduction: HTTP Digest authentication with express and
// passport-http. The protected handler is registered either directly on the
// app or on a mounted express.Router, depending on `use_router` below.
const express = require('express');
const http = require('http'); // loaded by the original snippet; not referenced below
const app = express();
const passport = require('passport');
const { DigestStrategy } = require('passport-http');

// Secret lookup for the Digest strategy.
// NOTE(review): this hands back an empty user object and the same hard-coded
// secret for every username, so any username is accepted with that one
// password. Acceptable only as a repro placeholder; a real lookup must resolve
// the secret per user and fail for unknown users.
const lookupSecret = (username, done) => done(null, {}, "password");

// Validation hook for the request's digest parameters.
// NOTE(review): it approves unconditionally, so a previously seen nonce / nc
// pair is never rejected here -- this snippet has no replay protection.
const acceptAnyParams = (params, done) => done(null, true);

passport.use(new DigestStrategy({ qop: "auth" }, lookupSecret, acceptAnyParams));

app.use(passport.initialize());
// No session middleware is registered anywhere in this snippet, and the route
// below authenticates with {session: false}.
app.use(passport.session());

// Protected endpoint: replies with a fixed JSON body.
function handler(req, res) {
  res.json({"hello": "world"});
}

// Per-request Digest check, without establishing a login session.
const digestAuth = passport.authenticate('digest', {session: false});

// Toggle between the two registrations being compared.
const use_router = false;

if (use_router) {
  // NOTE(review): inside a mounted router Express exposes the path relative to
  // the mount point (req.url is '/' here, req.originalUrl keeps '/hello'),
  // while the client computes its digest over uri="/hello". passport-http's
  // Digest strategy appears to compare the signed uri with req.url, which would
  // explain a 400 Bad Request on this branch -- confirm against the installed
  // passport-http version.
  const router = express.Router();
  router.get('/', digestAuth, handler);
  app.use("/hello", router);
} else {
  app.get('/hello', digestAuth, handler);
}

// Plain HTTP listener. Digest with qop=auth does not protect the response body
// or the rest of the request; put TLS in front of this outside a local test.
app.listen(8888);
curl -v --user user:password --digest http://localhost:8888/hello
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8888 (#0)
* Server auth using Digest with user 'user'
> GET /hello HTTP/1.1
> Host: localhost:8888
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< X-Powered-By: Express
< WWW-Authenticate: Digest realm="Users", nonce="KVCVu6FeFPEFirdtooYqbcRczTIakZRr", qop="auth"
< Date: Fri, 02 Dec 2016 14:27:46 GMT
< Connection: keep-alive
< Content-Length: 12
<
* Ignoring the response-body
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8888/hello'
* Found bundle for host localhost: 0x1b187b0 [can pipeline]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8888 (#0)
* Server auth using Digest with user 'user'
> GET /hello HTTP/1.1
> Host: localhost:8888
> Authorization: Digest username="user", realm="Users", nonce="KVCVu6FeFPEFirdtooYqbcRczTIakZRr", uri="/hello", cnonce="NDIwMjI3MjdhYjkyMjJmMGI1ZGRkM2ZhNDNiMjA0YmI=", nc=00000001, qop=auth, response="5158a57c7208f98618a49518eeb13f3c"
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Type: application/json; charset=utf-8
< Content-Length: 17
< ETag: W/"11-+8JLzHoXlHWPwTJ/z+va9g"
< Date: Fri, 02 Dec 2016 14:27:46 GMT
< Connection: keep-alive
<
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
{"hello":"world"}
curl -v --user user:password --digest http://localhost:8888/hello
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8888 (#0)
* Server auth using Digest with user 'user'
> GET /hello HTTP/1.1
> Host: localhost:8888
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< X-Powered-By: Express
< WWW-Authenticate: Digest realm="Users", nonce="TKazPFUbbsL629eR6Z47U5JQwigBZbkg", qop="auth"
< Date: Fri, 02 Dec 2016 14:28:25 GMT
< Connection: keep-alive
< Content-Length: 12
<
* Ignoring the response-body
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'http://localhost:8888/hello'
* Found bundle for host localhost: 0x1f597b0 [can pipeline]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8888 (#0)
* Server auth using Digest with user 'user'
> GET /hello HTTP/1.1
> Host: localhost:8888
> Authorization: Digest username="user", realm="Users", nonce="TKazPFUbbsL629eR6Z47U5JQwigBZbkg", uri="/hello", cnonce="ZDBlMGVkNDY4MWNhM2NmYTNjZmZjZGZlZTE5Y2I4MzE=", nc=00000001, qop=auth, response="ead9f344c8b1ca0c519e398a4bb27cef"
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< X-Powered-By: Express
< Date: Fri, 02 Dec 2016 14:28:25 GMT
< Connection: keep-alive
< Content-Length: 11
<
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
Bad Request