jshttp / basic-auth
Generic basic auth Authorization header field parser
License: MIT License
Line 46 in e8a29f9
Lines 114 to 115 in e8a29f9
Which RFC 7617 forbids.
RFC 7617 — “Basic” HTTP Authentication Scheme
The user-id and password MUST NOT contain any control characters (see “CTL” in Appendix B.1 of RFC5234).
Using http://visionmedia.github.io/superagent as such:
return request
.get('/')
.auth('username');
Shouldn't this package be able to parse it? It seems to me that either superagent needs to add a : or node-basic-auth needs to support parsing without the : delimiter.
I cannot find any example code implementing this - there were lots of basic-auth for Express 3.0 - and I cannot get any help on Stack Overflow http://stackoverflow.com/questions/24583908/express-basic-authentication-for-one-route
** removed description of a security issue that was not responsibly disclosed in a private forum **
it returns undefined
Not able to install Basic-auth on windows 10.
E:\basic-auth-master>npm install basic-auth
npm ERR! Windows_NT 10.0.10586
npm ERR! argv "C:\\Program Files\\nodejs\\node.exe" "C:\\Users\\Lalli\\AppData\\Roaming\\npm\\node_modules\\npm\\bin\\npm-cli.js" "install" "basic-auth"
npm ERR! node v4.4.5
npm ERR! npm v3.9.3
npm ERR! code ENOSELF
npm ERR! Refusing to install basic-auth as a dependency of itself
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
npm ERR! Please include the following file with any support request:
npm ERR! E:\basic-auth-master\npm-debug.log
E:\basic-auth-master>
thx for any help.
Is there a way to determine how long the validation token will last? What is the default? Is there an option to determine the length of time it stays valid?
Where is this information stored on the client?
For example, if you wanted the validation to only last for the session (in other words, when the window is closed, they would have to revalidate on a new window to get back in), how would you indicate that?
I have de/re-installed npm basic-auth a few times already. I had no problems until today.
This is a new bug, basic-auth is erroring out which is keeping my app from starting in Nodejitsu, see:
error: Error running command deploy
error: Errors occured while starting the application
error: Error output from application. This is usually a user error.
error:
error: /opt/run/snapshot/package/node_modules/basic-auth/index.js:13
error: var auth = req.headers.authorization;
error: ^
error: TypeError: Cannot read property 'authorization' of undefined
error: at module.exports (/opt/run/snapshot/package/node_modules/basic-auth/index.js:13:25)
error: at Object.<anonymous> (/opt/run/snapshot/package/app.js:51:33)
error: at Module._compile (module.js:456:26)
error: at Object.Module._extensions..js (module.js:474:10)
error: at Module.load (module.js:356:32)
error: at Function.Module._load (module.js:312:12)
error: at Function.Module.runMain (module.js:497:10)
error: at startup (node.js:119:16)
error: at node.js:901:3
@visionmedia how would you feel about moving this repo into the expressjs organization for adoption by the team?
Good Afternoon basic-auth team,
We were performing a scan on the basic-auth JavaScript library and the Fortify application has picked up the following items that are flagged as vulnerabilities.
(The reason is that our project has imported this library as a dependency, and part of our deliverable requires scanning the full source code and identifying/removing the vulnerabilities.)
(Low) Password Management: Password in Comment
No of items picked by the Fortify Scan: 1
Kindly refer to the following image, scanImage1.png
Do give us a heads up on when the team is planning to fix these vulnerabilities and/or the possible workarounds to prevent the same items from being picked up by the Fortify scans again.
I think
/^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9\-\._~\+\/]+=*) *$/
should be
/^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9\-\._~\+\/]+=.*) *$/
The final =* is matching multiple '=' rather than the password value.
Hello,
I got a strange behavior using even the example code:
var http = require('http')
var auth = require('basic-auth')
// Create server
var server = http.createServer(function (req, res) {
var credentials = auth(req)
console.log(credentials);
if (!credentials || credentials.name !== 'john' || credentials.pass !== 'secret') {
res.statusCode = 401
res.setHeader('WWW-Authenticate', 'Basic realm="example"')
res.end('Access denied')
} else {
res.end('Access granted')
}
})
// Listen
server.listen(3000)
If I log in with Chrome everything is fine; using IE (7, 8, 9) the special char "£" is not converted correctly.
Chrome:
Credentials { name: 'hello', pass: '£there' }
IE:
Credentials { name: 'hello', pass: '�there' }
This isn't so much an issue as it is a feature request. My understanding is that the basic HTTP authentication scheme allows for usernames and passwords to be sent in the URI like so:
https://username:[email protected]
Was it a deliberate decision to leave this feature out? It can be very helpful when trying to test authentication, because you can send requests through your browser and see the results without having to modify headers.
I was wondering if it would be possible to add module.exports.default = auth; to add support for the default ES6-style import: import auth from "basic-auth"
Thanks
I understand what a realm is (I think), and in the example I see one is added to the header: res.setHeader('WWW-Authenticate', 'Basic realm="example"'). Is there any information on how this works or how to define different realms in node.js/express servers?
Hi,
could you please explain how to log out a user after a successful login?
I try to run my app with koa-basic-auth, and I get this error:
TypeError: Cannot read property 'authorization' of undefined
at auth (/home/aleksandr/work/promomachine/node_modules/koa-basic-auth/node_modules/basic-auth/index.js:57:27)
at Object.basicAuth (/home/aleksandr/work/promomachine/node_modules/koa-basic-auth/index.js:28:16)
at GeneratorFunctionPrototype.next (native)
at next (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:83:21)
at Object.<anonymous> (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:56:5)
at next (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:99:21)
at Object.<anonymous> (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:56:5)
at next (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:99:21)
at Object.<anonymous> (/home/aleksandr/work/promomachine/node_modules/koa/node_modules/co/index.js:56:5)
at Server.<anonymous> (/home/aleksandr/work/promomachine/node_modules/koa/lib/application.js:123:8)
at emitTwo (events.js:87:13)
at Server.emit (events.js:169:7)
at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:471:12)
at HTTPParser.parserOnHeadersComplete (_http_common.js:88:23)
at Socket.socketOnData (_http_server.js:322:22)
at emitOne (events.js:77:13)
at Socket.emit (events.js:166:7)
at readableAddChunk (_stream_readable.js:145:16)
at Socket.Readable.push (_stream_readable.js:109:10)
at TCP.onread (net.js:508:20)
In my opinion, this error occurs because index.js contains these lines:
// get header
var header = (req.req || req).headers.authorization
// parse header
var header = req.headers.authorization
var match = credentialsRegExp.exec(header || '')
Currently the examples suggest comparing the supplied username and password against the true values with ===, which will take a different amount of time based on how far along the string the difference is, potentially allowing an attacker to reverse engineer the username and password.
It would be better to either hash the supplied password and true password and compare the hashes, or use crypto.timingSafeEqual for comparison.
While debugging some code running in a lambda environment I figured out that basic-auth is not working, since Authorization is used with a capital 'A'.
Instead of retrieving the value with headers.authorization, something like this should work:
headers[Object.keys(headers).find(key => key.toLowerCase() === 'authorization')]
This would comply with the spec, since header names should not be case sensitive: https://stackoverflow.com/questions/5258977/are-http-headers-case-sensitive
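The following is an added example, not the basic-auth module's own code, that pulls together the parsing points raised in the issues above: a case-insensitive header lookup for objects whose keys were not lowercased (the lambda issue), the Koa wrapper's req.req indirection, the credentials regex whose trailing =* only consumes base64 padding (the user-id and password live inside the decoded base64, split on the first ':'), the missing-colon case from the superagent issue, and the RFC 7617 rule that user-id and password must not contain control characters. parseBasicAuth() and findHeader() are hypothetical names.

```javascript
// Added example (not the basic-auth module's code); names are hypothetical.
const CREDENTIALS_RE = /^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9\-\._~\+\/]+=*) *$/;
// RFC 7617: user-id cannot contain ':', so split on the first colon only.
const USER_PASS_RE = /^([^:]*):(.*)$/;
// RFC 5234 CTL = %x00-1F / %x7F; RFC 7617 forbids these in user-id and password.
const CTL_RE = /[\x00-\x1f\x7f]/;

// Case-insensitive header lookup, for header objects whose keys were not
// lowercased by Node's HTTP parser (e.g. a Lambda event's headers).
function findHeader(headers, name) {
  if (!headers) return undefined;
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find(k => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Returns { name, pass } on success, or a string naming the failure reason.
function parseBasicAuth(req) {
  // Koa hands its own context to middleware; the Node request is ctx.req.
  const headers = (req.req || req).headers;
  const header = findHeader(headers, 'authorization');
  const match = CREDENTIALS_RE.exec(header || '');
  if (!match) return 'no-basic-credentials';
  // The trailing =* in CREDENTIALS_RE matches base64 padding only; the
  // credentials are the decoded form of the captured group.
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  // Reject control characters before splitting so a CR/LF cannot masquerade
  // as a "missing colon" error.
  if (CTL_RE.test(decoded)) return 'control-characters';
  const userPass = USER_PASS_RE.exec(decoded);
  // e.g. superagent's .auth('username') with no password sends no ':' at all.
  if (!userPass) return 'missing-colon';
  return { name: userPass[1], pass: userPass[2] };
}
```

A real server should answer every failure reason with 401 and a WWW-Authenticate challenge, exactly as the example server on this page does for a missing or wrong credential.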
removed
Not sure if this is an issue with this package but I get an error trying to install it!
$ node -v
v6.0.0
$ npm -v
3.8.9
Error message:
$ npm install basic-auth --save
npm ERR! Darwin 15.6.0
npm ERR! argv "/usr/local/Cellar/node/6.0.0/bin/node" "/usr/local/bin/npm" "install" "basic-auth" "--save"
npm ERR! node v6.0.0
npm ERR! npm v3.8.9
npm ERR! Cannot read property 'nodemon' of undefined
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR! <https://github.com/npm/npm/issues>
npm ERR! Please include the following file with any support request:
npm ERR! /Users/connorleech/Projects/adonis-tutorial/npm-debug.log
See Wikipedia: Basic access authentication
Basically I'd like the http://user@pass:domain.tld format to be parsed as well, not only the auth header.
It would be nice to pass an option rawBuffer: true or something to get the raw buffers returned as user and pass instead of Strings via toString(), so that we can use crypto.timingSafeEqual(a, b) for comparison?
References:
https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b
nodejs/node#17178