auth-header

What is auth-header?

The auth-header npm package is a utility for parsing and creating HTTP Authorization headers. It simplifies the process of handling authentication headers in HTTP requests, making it easier to work with various authentication schemes.

What are auth-header's main functionalities?

Parse Authorization Header

This feature allows you to parse an Authorization header string into an object. The example demonstrates parsing a Basic Auth header.

const authHeader = require('auth-header');
const header = 'Basic dXNlcjpwYXNz';
const parsed = authHeader.parse(header);
console.log(parsed);

Create Authorization Header

This feature allows you to create an Authorization header string from a scheme and token. The example demonstrates creating a Basic Auth header.

const authHeader = require('auth-header');
const header = authHeader.create('Basic', 'dXNlcjpwYXNz');
console.log(header);

Check Authorization Scheme

This feature allows you to check if an Authorization header uses a specific scheme. The example demonstrates checking if the header uses the Basic scheme.

const authHeader = require('auth-header');
const header = 'Basic dXNlcjpwYXNz';
const isBasic = authHeader.is(header, 'Basic');
console.log(isBasic);

Other packages similar to auth-header

basic-auth

The basic-auth package is a utility for parsing Basic Authentication headers. It is more specialized compared to auth-header, focusing solely on Basic Auth, whereas auth-header supports multiple authentication schemes.

http-auth

The http-auth package provides a more comprehensive solution for handling various HTTP authentication schemes, including Basic, Digest, and others. It offers more features compared to auth-header but may be more complex to use for simple tasks.

passport

Passport is a popular authentication middleware for Node.js. It supports a wide range of authentication strategies, including OAuth, OpenID, and more. While it offers much more functionality than auth-header, it is also more complex and intended for larger applications.

README

auth-header

Deal with obscene HTTP Authorization and WWW-Authenticate headers.

Type	Parse	Format
Basic	✓	✓
Digest	✓	✓
AWS	✓	✓
Bearer/OAuth	✓	✓
RFC7235	✓	✓

Note: If you're looking for an all-on-one solution to do authentication against these headers check out express-authentication-header which uses this library behind the scenes.

The HTTP Authorization and WWW-Authenticate family of headers are both pretty nightmareish; there has been, up until recently, no wide consensus about how they should be formatted and so parsing them is lots of fun if fun is pulling your hair out.

This library provides an implementation of RFC7235 which allows for the parsing of many known existing authorization headers (like Basic and Digest) as well as any future ones which follow the standard. Noteably, this library is less strict than it could be to parse some of these legacy formats.

In addition to the format of the header itself being in flux, WWW-Authenticate has its own nasty surprise: sometimes multiple authentication prompts can appear in one header, sometimes they can appear in multiple headers; we ONLY support the latter case since trying to disambiguate between a second prompt and parameters for the first is just about impossible.

import * as authorization from 'auth-header';
import express from 'express';

const app = express();

app.get('/', function(req, res) {

	// Something messed up.
	function fail() {
		res.set('WWW-Authenticate', authorization.format('Basic'));
		res.status(401).send();
	}

	// Get authorization header.
	var auth = authorization.parse(req.get('authorization'));

	// No basic authentication provided.
	if (auth.scheme !== 'Basic') {
		return fail();
	}

	// Get the basic auth component.
	var [un, pw] = Buffer(auth.token, 'base64').toString().split(':', 2);

	// Verify authentication.
	if (pw !== 'admin') {
		return fail();
	}

	// We've reached the promise land.
	res.send('Hello world.');
});