/**
* api/services/auth-basic.js
*
* Basic authentication strategy is defined here.
* Other strategies can be defined as needed by adding files like this to the services folder.
*
**/
var passport = require('passport'),
BasicStrategy = require('passport-http').BasicStrategy;
// Register the HTTP Basic strategy: resolve the username to a User record,
// then verify the supplied password against its stored bcrypt hash through
// User.validPassword. `done(err)` reports a lookup/compare failure,
// `done(null, false)` an authentication failure, `done(null, user)` success.
passport.use(new BasicStrategy(function(username, password, done) {
  User.findOneByUsername(username).done(function(lookupErr, account) {
    if (lookupErr) {
      return done(lookupErr);
    }
    if (!account) {
      // NOTE(review): this branch answers before any bcrypt work is done, so an
      // unknown username is rejected measurably faster than a wrong password —
      // a username-enumeration timing signal. A dummy compare here would equalise it.
      return done(null, false);
    }
    account.validPassword(password, function(compareErr, matches) {
      if (compareErr) {
        return done(compareErr);
      }
      return done(null, matches ? account : false);
    });
  });
}));
/**
* api/policies/authenticated.js
*
* This example shows how to use the HTTP Basic authentication strategy using the passport-http module.
* Basic credentials are only base64-encoded and are resent on every request, so this policy must be served over TLS.
* Other strategies (Digest, OAuth, OAuth2, etc) can be similarly implemented.
*
**/
var express = require("express"),
app = express(),
passport = require("passport");
app.use(passport.initialize());
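/**
 * Sails policy: require HTTP Basic credentials on the current request.
 *
 * Runs the "basic" passport strategy statelessly (session: false) on every
 * request. Any strategy error, unknown user or wrong password gets the same
 * 401 + WWW-Authenticate challenge, so the client learns nothing beyond
 * "not authenticated". On success the authenticated user is exposed on the
 * request and the policy chain continues.
 *
 * @param {Object} req - incoming request
 * @param {Object} res - response; used only to emit the 401 challenge
 * @param {Function} ok - policy continuation (`next`); called as ok(null, user) on success
 */
module.exports = function (req, res, ok) {
  passport.authenticate("basic", {
    session: false
  }, function (err, user) {
    if (err || !user) {
      res.set("WWW-Authenticate", "Basic realm=\"Restricted\"");
      // res.status().send() instead of res.send(body, status): the body-first
      // form is deprecated in Express 4 and removed in later versions.
      return res.status(401).send("You are not permitted to perform this action");
    }
    // Expose the principal where passport and downstream code conventionally
    // look for it.
    req.user = user;
    // Keep the session copy the original wrote for callers that read it, but
    // only when session middleware is actually present: this policy runs with
    // session: false, and with sessions disabled `req.session` is undefined,
    // which made the original throw a TypeError after a successful login.
    if (req.session) {
      req.session.user = user;
    }
    return ok(null, user);
  })(req, res, ok);
};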
/**
* config/policies.js
*
**/
module.exports.policies = {
// Default policy for all controllers and actions
// (`true` allows public access)
// With '*' mapped to 'authenticated', every controller action — including any
// signup, login or health-check action — goes through the HTTP Basic policy in
// api/policies/authenticated.js unless a more specific controller/action entry
// here overrides it. Add such entries for routes that must stay public.
'*': 'authenticated' //define the policy to be used globally, or specific to controllers/actions.
}
/**
* api/models/User.js
*
* The user model contains the instance method for validating the password.
*/
var bcrypt = require('bcrypt');
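/**
 * Replace the plaintext `values.password` with its bcrypt hash, in place.
 *
 * bcrypt generates and embeds a per-password salt, so nothing beyond the
 * cost factor has to be stored alongside the hash.
 *
 * @param {Object} values - attribute bag from a lifecycle callback; `values.password` is overwritten with the hash
 * @param {Function} next - node-style callback: called with the bcrypt error, or with no arguments on success
 * @param {number} [rounds=10] - bcrypt cost factor (2^rounds iterations); optional so existing two-argument callers are unchanged
 */
function hashPassword(values, next, rounds) {
  var cost = typeof rounds === 'number' ? rounds : 10;
  bcrypt.hash(values.password, cost, function(err, hash) {
    if (err) {
      return next(err);
    }
    values.password = hash;
    next();
  });
}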
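/**
 * User model: username/email identity plus a bcrypt-hashed password.
 *
 * The password is hashed by the beforeCreate/beforeUpdate hooks, stripped from
 * serialized output by toJSON, and checked with validPassword.
 */
module.exports = {
  attributes: {
    username: {
      type: 'STRING',
      required: true,
      unique: true
    },
    password: {
      type: 'STRING',
      required: true,
      // NOTE(review): this length applies to the plaintext the caller submits
      // (presumably validation runs before the hooks below hash it — confirm for
      // your Waterline version). 6 is below current guidance (NIST SP 800-63B
      // suggests a minimum of 8); consider raising it.
      minLength: 6
    },
    email: {
      type: 'email',
      required: true,
      unique: true
    },
    // Serialize without the password hash so it never reaches JSON responses,
    // session stores or logs that stringify the user.
    toJSON: function() {
      var obj = this.toObject();
      delete obj.password;
      return obj;
    },
    /**
     * Compare a plaintext candidate with this user's stored bcrypt hash.
     *
     * @param {string} password - plaintext candidate
     * @param {Function} [callback] - node-style (err, matches); when given, the async bcrypt.compare is used
     * @returns {boolean|undefined} the comparison result when called without a callback (compareSync blocks the event loop), otherwise undefined
     */
    validPassword: function(password, callback) {
      var storedHash = this.toObject().password;
      if (callback) {
        return bcrypt.compare(password, storedHash, callback);
      }
      return bcrypt.compareSync(password, storedHash);
    }
  },
  // Lifecycle Callbacks
  beforeCreate: function(values, next) {
    hashPassword(values, next);
  },
  beforeUpdate: function(values, next) {
    if (values.password) {
      return hashPassword(values, next);
    }
    // A blank or absent password means "leave it unchanged". Dropping the key
    // lets the update skip the column entirely. The original re-fetched the
    // record by `values.id` to copy the existing hash back into `values`; that
    // cost a query on every password-less update, needed an id that
    // criteria-based updates need not supply, and threw a TypeError when the
    // lookup returned no record.
    delete values.password;
    next();
  }
};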