auth-header

auth-header

Deal with obscene HTTP Authorization and WWW-Authenticate headers.

Type	Parse	Format
Basic	✓	✓
Digest	✓	✓
AWS	✓	✓
Bearer/OAuth	✓	✓
RFC7235	✓	✓

Note: If you're looking for an all-on-one solution to do authentication against these headers check out express-authentication-header which uses this library behind the scenes.

The HTTP Authorization and WWW-Authenticate family of headers are both pretty nightmareish; there has been, up until recently, no wide consensus about how they should be formatted and so parsing them is lots of fun if fun is pulling your hair out.

This library provides an implementation of RFC7235 which allows for the parsing of many known existing authorization headers (like Basic and Digest) as well as any future ones which follow the standard. Noteably, this library is less strict than it could be to parse some of these legacy formats.

In addition to the format of the header itself being in flux, WWW-Authenticate has its own nasty surprise: sometimes multiple authentication prompts can appear in one header, sometimes they can appear in multiple headers; we ONLY support the latter case since trying to disambiguate between a second prompt and parameters for the first is just about impossible.

import * as authorization from 'auth-header';
import express from 'express';

const app = express();

app.get('/', function(req, res) {

	// Something messed up.
	function fail() {
		res.set('WWW-Authenticate', authorization.format('Basic'));
		res.status(401).send();
	}

	// Get authorization header.
	var auth = authorization.parse(req.get('authorization'));

	// No basic authentication provided.
	if (auth.scheme !== 'Basic') {
		return fail();
	}

	// Get the basic auth component.
	var [un, pw] = Buffer(auth.token, 'base64').toString().split(':', 2);

	// Verify authentication.
	if (pw !== 'admin') {
		return fail();
	}

	// We've reached the promise land.
	res.send('Hello world.');
});