Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
passport-http
Advanced tools
The passport-http npm package provides HTTP Basic and Digest authentication strategies for Passport, a popular authentication middleware for Node.js. It allows you to authenticate requests using the HTTP Basic and Digest authentication schemes, which are often used for simple username and password authentication.
HTTP Basic Authentication
This feature allows you to authenticate users using HTTP Basic Authentication. The code sample demonstrates how to set up a BasicStrategy with Passport and protect an Express route.
const passport = require('passport');
const BasicStrategy = require('passport-http').BasicStrategy;
passport.use(new BasicStrategy(
function(username, password, done) {
User.findOne({ username: username }, function (err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false); }
if (!user.verifyPassword(password)) { return done(null, false); }
return done(null, user);
});
}
));
// Express route
app.get('/protected',
passport.authenticate('basic', { session: false }),
function(req, res) {
res.json({ message: 'Access granted' });
}
);
HTTP Digest Authentication
This feature allows you to authenticate users using HTTP Digest Authentication. The code sample demonstrates how to set up a DigestStrategy with Passport and protect an Express route.
const passport = require('passport');
const DigestStrategy = require('passport-http').DigestStrategy;
passport.use(new DigestStrategy({ qop: 'auth' },
function(username, done) {
User.findOne({ username: username }, function (err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false); }
return done(null, user, user.password);
});
},
function(params, done) {
// Validate nonces as necessary
done(null, true);
}
));
// Express route
app.get('/protected',
passport.authenticate('digest', { session: false }),
function(req, res) {
res.json({ message: 'Access granted' });
}
);
The passport-local package provides a simple username and password authentication strategy for Passport. Unlike passport-http, which uses HTTP Basic and Digest authentication schemes, passport-local is designed for form-based authentication, making it more suitable for web applications where users log in through a form.
The passport-jwt package allows you to authenticate users using JSON Web Tokens (JWT). This is different from passport-http, which uses HTTP Basic and Digest authentication. JWT is often used for stateless authentication in modern web applications, providing a more secure and scalable solution compared to HTTP Basic and Digest.
The passport-oauth2 package provides OAuth 2.0 authentication strategies for Passport. Unlike passport-http, which uses HTTP Basic and Digest authentication, passport-oauth2 is designed for OAuth 2.0, a more complex and secure authentication protocol often used for third-party authentication (e.g., logging in with Google or Facebook).
HTTP Basic and Digest authentication strategies for Passport.
This module lets you authenticate HTTP requests using the standard basic and digest schemes in your Node.js applications. By plugging into Passport, support for these schemes can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.
$ npm install passport-http
The HTTP Basic authentication strategy authenticates users using a userid and
password. The strategy requires a verify
callback, which accepts these
credentials and calls done
providing a user.
passport.use(new BasicStrategy(
function(userid, password, done) {
User.findOne({ username: userid }, function (err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false); }
if (!user.verifyPassword(password)) { return done(null, false); }
return done(null, user);
});
}
));
Use passport.authenticate()
, specifying the 'basic'
strategy, to
authenticate requests. Requests containing an 'Authorization' header do not
require session support, so the session
option can be set to false
.
For example, as route middleware in an Express application:
app.get('/private',
passport.authenticate('basic', { session: false }),
function(req, res) {
res.json(req.user);
});
For a complete, working example, refer to the Basic example.
The HTTP Digest authentication strategy authenticates users using a username and
password (aka shared secret). The strategy requires a secret
callback, which
accepts a username
and calls done
providing a user and password known to the
server. The password is used to compute a hash, and authentication fails if it
does not match that contained in the request.
The strategy also accepts an optional validate
callback, which receives
nonce-related params
that can be further inspected to determine if the request
is valid.
passport.use(new DigestStrategy({ qop: 'auth' },
function(username, done) {
User.findOne({ username: username }, function (err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false); }
return done(null, user, user.password);
});
},
function(params, done) {
// validate nonces as necessary
done(null, true)
}
));
Use passport.authenticate()
, specifying the 'digest'
strategy, to
authenticate requests. Requests containing an 'Authorization' header do not
require session support, so the session
option can be set to false
.
For example, as route middleware in an Express application:
app.get('/private',
passport.authenticate('digest', { session: false }),
function(req, res) {
res.json(req.user);
});
For a complete, working example, refer to the Digest example.
$ npm install --dev
$ make test
Copyright (c) 2011-2013 Jared Hanson <http://jaredhanson.net/>
FAQs
HTTP Basic and Digest authentication strategies for Passport.
The npm package passport-http receives a total of 131,028 weekly downloads. As such, passport-http popularity was classified as popular.
We found that passport-http demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.