Which, RFC 7617 forbids.

RFC 7617 — “Basic” HTTP Authentication Scheme

The user-id and password MUST NOT contain any control characters (see “CTL” in Appendix B.1 of RFC5234).

Using http://visionmedia.github.io/superagent as such:

return request
    .get('/')
    .auth('username');

Shouldn't this package be able to parse it? It seems to me that either superagent needs to add a : or node-basic-auth needs to support parsing without the : delimiter.

I cannot find any example code implementing this - there were lots of basic-auth for Express 3.0 - and I cannot get any help on Stack Overflow http://stackoverflow.com/questions/24583908/express-basic-authentication-for-one-route

** removed description of security issue was that not responsibly disclosed in a private forum **

it returns undefined

Not able to install Basic-auth on windows 10.

E:\basic-auth-master>npm install basic-auth
npm ERR! Windows_NT 10.0.10586
npm ERR! argv "C:\\Program Files\\nodejs\\node.exe" "C:\\Users\\Lalli\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js" "install" "basic-auth"
npm ERR! node v4.4.5
npm ERR! npm  v3.9.3
npm ERR! code ENOSELF

npm ERR! Refusing to install basic-auth as a dependency of itself
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

npm ERR! Please include the following file with any support request:
npm ERR!     E:\basic-auth-master\npm-debug.log

E:\basic-auth-master>

thx for any help.

Is there a way to determine how long the validation token will last? What is the default? Is there an option to determine the length of time it stays valid?

Where is this information stored on the client?

For example, if you wanted the validation to only last for the session (in other words, when the window is closed, they would have to revalidate on a new window to get back in), how would you indicate that?

I have de/re-installed npm basic-auth a few times already. I had no problems until today.
This is a new bug, basic-auth is erroring out which is keeping my app from starting in Nodejitsu, see:

error:   Error running command deploy
error:   Errors occured while starting the application
error:   Error output from application. This is usually a user error.
error:   
error:   /opt/run/snapshot/package/node_modules/basic-auth/index.js:13
error:     var auth = req.headers.authorization;
error:                           ^
error:   TypeError: Cannot read property 'authorization' of undefined
error:       at module.exports (/opt/run/snapshot/package/node_modules/basic-auth/index.js:13:25)
error:       at Object.<anonymous> (/opt/run/snapshot/package/app.js:51:33)
error:       at Module._compile (module.js:456:26)
error:       at Object.Module._extensions..js (module.js:474:10)
error:       at Module.load (module.js:356:32)
error:       at Function.Module._load (module.js:312:12)
error:       at Function.Module.runMain (module.js:497:10)
error:       at startup (node.js:119:16)
error:       at node.js:901:3

@visionmedia how would you fee about moving this repo into the expressjs organization for adoption by the team?

Good Afternoon basic-auth team,

We were performing a scan on the basic-auth Javascript library and the Fortify application has picked up the following items that are discovered as vulnerabilities.
(Reason being our project has imported this library as a dependency and part of our deliverable would requires the scanning of the full source code and identify/remove the vulnerable.)

(Low) Password Management: Password in Comment
No of items picked by the Fortify Scan: 1
Kindly refer to the following image, scanImage1.png

Do give us a heads up on when the team is planning to fix these vulnerabilities and/or the possible workarounds to prevent the same items to be picked up by the Fortify Scans again.

I think

/^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9\-\._~\+\/]+=*) *$/

should be

/^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9\-\._~\+\/]+=.*) *$/

The final =* is matching multiple '=' rather than the password value

Hello,
I got a strange behavior using even the example code:

var http = require('http')
var auth = require('basic-auth')
 
// Create server 
var server = http.createServer(function (req, res) {
  var credentials = auth(req)
  console.log(credentials); 
  if (!credentials || credentials.name !== 'john' || credentials.pass !== 'secret') {
    res.statusCode = 401
    res.setHeader('WWW-Authenticate', 'Basic realm="example"')
    res.end('Access denied')
  } else {
    res.end('Access granted')
  }
})
 
// Listen 
server.listen(3000)

If I login with chrome everything is fine, using IE (7,8,9) the special char "£" is not converted correctly.

Chrome:

Credentials { name: 'hello', pass: '£there' }

IE:

Credentials { name: 'hello', pass: '�there' }

This isn't so much an issue as it is a feature request. My understanding is that the basic HTTP authentication scheme allows for usernames and passwords to be sent in the URI like so:

https://username:[email protected]

Was it a deliberate decision to leave this feature out? It can be very helpful when trying to test authentication, because you can send requests through your browser and see the results without having to modify headers.

I was wondering if it would be possible to add module.exports.default = auth; to add support to the default es6 style import import auth from "basic-auth"

Thanks

I understand what a realm is (I think) and in the example I see one is added to the header: res.setHeader('WWW-Authenticate', 'Basic realm="example"'). Is there any information on how this works or how to define different realms in node.js/express servers?

Hi,

could you please explain how to logout a user after successfull login?

i try run my app with koa-basic auth.
And i get this error:

  TypeError: Cannot read property 'authorization' of undefined
      at auth (/home/aleksandr/work/promomachine/node_modules/koa-basic-auth/node_modules/basic-auth/index.js:57:27)
      at Object.basicAuth (/home/aleksandr/work/promomachine/node_modules/koa-basic-auth/index.js:28:16)
      at GeneratorFunctionPrototype.next (native)
      at next (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:83:21)
      at Object.<anonymous> (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:56:5)
      at next (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:99:21)
      at Object.<anonymous> (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:56:5)
      at next (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:99:21)
      at Object.<anonymous> (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:56:5)
      at Server.<anonymous> (/home/aleksandr/work/promomachine/node_modules/koa/lib/application.js:123:8)
      at emitTwo (events.js:87:13)
      at Server.emit (events.js:169:7)
      at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:471:12)
      at HTTPParser.parserOnHeadersComplete (_http_common.js:88:23)
      at Socket.socketOnData (_http_server.js:322:22)
      at emitOne (events.js:77:13)
      at Socket.emit (events.js:166:7)
      at readableAddChunk (_stream_readable.js:145:16)
      at Socket.Readable.push (_stream_readable.js:109:10)
      at TCP.onread (net.js:508:20)

In my opinion, this error occurs because the index.js contain this lines:

    // get header
    var header = (req.req || req).headers.authorization
    // parse header
    var header = req.headers.authorization
    var match = credentialsRegExp.exec(header || '')

Currently the examples suggest comparing the supplied username and password against the true values with ===, which will take a different amount of time based on how far along the string the difference is, potentially allowing an attacker to reverse engineer the username and password.

It would be better to either hash the supplied password and true password and compare the hashes, or use crypto.timinSafeEqual for comparison.

While debugging some code running in a lambda environment I figured that basic-auth is not working since Authorization is used with a capital 'A'.

Instead of retrieving the value with headers.authorization something like this should work:

headers [Object.keys(headers).find(key => key.toLowerCase() === 'authorization')]

This would comply with the spec, headers should not be case sensitive: https://stackoverflow.com/questions/5258977/are-http-headers-case-sensitive

removed

i want to remove this pop-up and make a custom html page with this

Not sure if this is an issue with this package but I get an error trying to install it!

$ node -v
v6.0.0
$ npm -v
3.8.9

Error message:

$ npm install basic-auth --save
npm ERR! Darwin 15.6.0
npm ERR! argv "/usr/local/Cellar/node/6.0.0/bin/node" "/usr/local/bin/npm" "install" "basic-auth" "--save"
npm ERR! node v6.0.0
npm ERR! npm  v3.8.9

npm ERR! Cannot read property 'nodemon' of undefined
npm ERR! 
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>

npm ERR! Please include the following file with any support request:
npm ERR!     /Users/connorleech/Projects/adonis-tutorial/npm-debug.log

See Wikipedia: Basic access authentication

Basically I'd like the http://user@pass:domain.tld format to be parsed as well, not only the auth header.

It would be nice to pass an option rawBuffer: true or something to get the raw buffers returned as user and pass instead of String's via toString(), that way we can use crypto.timingSafeEqual(a, b) for comparison?

References:
https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b
nodejs/node#17178