http basic auth
https://gist.github.com/charlesdaniel/1686663
- server send 'WWW-Authenticate', 'Basic realm="Secure Area"' header
- get 'authorization' header from request
- base64 decode req.headers['authorization']
var http = require('http'); var server = http.createServer(function(req, res) { // console.log(req); // debug dump the request // If they pass in a basic auth credential it'll be in a header called "Authorization" (note NodeJS lowercases the names of headers in its request object) var auth = req.headers['authorization']; // auth is in base64(username:password) so we need to decode the base64 console.log("Authorization Header is: ", auth); if(!auth) { // No Authorization header was passed in so it's the first time the browser hit us // Sending a 401 will require authentication, we need to send the 'WWW-Authenticate' to tell them the sort of authentication to use // Basic auth is quite literally the easiest and least secure, it simply gives back base64( username + ":" + password ) from the browser res.statusCode = 401; res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"'); res.end('Need some creds son'); } else if(auth) { // The Authorization was passed in so now we validate it var tmp = auth.split(' '); // Split on a space, the original auth looks like "Basic Y2hhcmxlczoxMjM0NQ==" and we need the 2nd part var buf = new Buffer(tmp[1], 'base64'); // create a buffer and tell it the data coming in is base64 var plain_auth = buf.toString(); // read it back out as a string console.log("Decoded Authorization ", plain_auth); // At this point plain_auth = "username:password" var creds = plain_auth.split(':'); // split on a ':' var username = creds[0]; var password = creds[1]; if((username == 'hack') && (password == 'thegibson')) { // Is the username/password correct? res.statusCode = 200; // OK res.end('Congratulations you just hax0rd teh Gibson!'); } else { res.statusCode = 401; // Force them to retry authentication res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"'); // res.statusCode = 403; // or alternatively just reject them altogether with a 403 Forbidden res.end('You shall not pass'); } } }); server.listen(5000, function() { console.log("Server Listening on http://localhost:5000/"); });or use http-auth npm module
or use express framework
app.use(express.basicAuth('username', 'password'));
沒有留言:
張貼留言