
6/26/2013

http basic auth

https://gist.github.com/charlesdaniel/1686663

  1. server sends a 401 response carrying the 'WWW-Authenticate: Basic realm="Secure Area"' header
  2. read the 'authorization' header from the request
  3. base64-decode the credential part of req.headers['authorization'] (the value is "Basic " + base64(username:password))
var crypto = require('crypto');
var http = require('http');
 
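// Parse an HTTP Basic "Authorization" header value, which looks like
// "Basic Y2hhcmxlczoxMjM0NQ==" (scheme, space, base64(username:password)).
// Returns { username, password } or null when the value is missing or malformed.
// Only the FIRST ':' separates the two fields, so a password may itself contain ':'.
function parseBasicAuth(auth) {
        if (typeof auth !== 'string') { return null; }

        var parts = auth.trim().split(/\s+/);
        // Scheme names are case-insensitive. Rejecting a missing credential part here
        // matters: decoding `undefined` would throw inside the request handler and
        // take the whole server down with an uncaught exception.
        if (parts.length !== 2 || parts[0].toLowerCase() !== 'basic') { return null; }

        var plain_auth = Buffer.from(parts[1], 'base64').toString('utf8');
        var sep = plain_auth.indexOf(':');
        if (sep === -1) { return null; }

        return { username: plain_auth.slice(0, sep), password: plain_auth.slice(sep + 1) };
}

// Compare a supplied value with the expected one in constant time, so response
// latency does not reveal how many leading characters of a guess were right.
// Both sides are hashed first because crypto.timingSafeEqual needs equal-length buffers.
function credentialsMatch(given, expected) {
        var a = crypto.createHash('sha256').update(String(given)).digest();
        var b = crypto.createHash('sha256').update(String(expected)).digest();
        return crypto.timingSafeEqual(a, b);
}

// Send the 401 challenge. The 'WWW-Authenticate' header tells the client which
// scheme to use; a browser reacts by showing its username/password prompt.
// Basic auth merely base64-encodes the credentials, so it is only safe over HTTPS.
function sendChallenge(res, body) {
        res.statusCode = 401;
        res.setHeader('WWW-Authenticate', 'Basic realm="Secure Area"');
        res.end(body);
}

var server = http.createServer(function(req, res) {
        // NodeJS lowercases header names in its request object.
        var auth = req.headers['authorization'];
        // Do not log the raw header or the decoded value: both are the password.
        console.log("Authorization header present: ", Boolean(auth));

        if (!auth) {    // first request: no credentials yet, ask for them
                sendChallenge(res, 'Need some creds son');
                return;
        }

        var creds = parseBasicAuth(auth);
        if (!creds) {   // wrong scheme, no credential part, or no ':' after decoding
                sendChallenge(res, 'You shall not pass');
                return;
        }
        console.log("Login attempt for user: ", creds.username);

        // Evaluate both comparisons unconditionally so a valid username cannot be
        // confirmed on its own through the short-circuit timing of the password check.
        var userOk = credentialsMatch(creds.username, 'hack');
        var passOk = credentialsMatch(creds.password, 'thegibson');

        if (userOk && passOk) {
                res.statusCode = 200;  // OK
                res.end('Congratulations you just hax0rd teh Gibson!');
        }
        else {
                // 401 + challenge makes the browser re-prompt; a 403 Forbidden would
                // instead reject outright without another prompt.
                sendChallenge(res, 'You shall not pass');
        }
});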
 
 
// Start accepting connections on port 5000; the callback runs once the server is listening.
server.listen(5000, function onListening() {
        console.log("Server Listening on http://localhost:5000/");
});
or use the http-auth npm module
or use the express framework:
// Express-middleware counterpart of the handler above (presumably it issues the
// same 401 challenge and checks the supplied username/password itself).
// NOTE(review): express.basicAuth belongs to the Express 3 era — confirm the installed version provides it.
var requireBasicAuth = express.basicAuth('username', 'password');
app.use(requireBasicAuth);
