When installing this module axios requests subsequent to the login get sent with the wrong credentials.
Instead of using credentials stored within an .env file, the requests get sent with the credentials that where used for the basic-auth dialogue.

const auth = {
  username: process.env.kirbyEmail,
  password: process.env.kirbyAuth
}

async getPages({ commit }, locale) {
    try {
      const pages = await this.$axios.$get(baseURL + '/rest/site/children', {
        auth,
        headers: { 'x-language': locale },
        params: { select: 'content, id, children, status, template' }
      })
      return commit('setPages', pages)
    } catch (error) {
      console.error(error)
    }
  }

async nuxtServerInit({ dispatch, state }) {
    const locale = state.i18n.locale
    await dispatch('getPages', locale)
  }

Any idea how this could be fixed?

So yeah, basically this module is working great while nuxt dev.

But when nuxt generate then nuxt start, so it's giving me

Environment: production
Rendering: server-side
Target: static

It just ignore the whole security even with enabled: true.

Wanted to be sure what is happening there. 😄

Works great on localhost, but in production does not prompt for authentication after build or generate.

after input the userName and password, it will bring the basic html page.
but if it calls some more api, it will show the basic-auth again, and the username and password do not work anymore.

Hi, I'm interested in using this in a production environment as part of a Nuxt JS project. I'm concerned about the security of this and whether it can be bypassed or easily hacked?

When a proxy is used (i.e. with axios) the auth-module also restricts access to the proxy routes, which makes a api call impossible.
Is there a way do disable the authentication for all proxy routes?

I tried it with regex (/^((?!api-route1|api-route2).)*$/) in the match option, but this seems not to work.

When giving the "enabled" option "undefined" as value, for example when using ENV variables that are not present on all environments, the module is still activated.

I would propose to change this so that "undefined" also skips the registration. Thoughts? I can make a pull request if this sounds good to everyone.

Hi!

I am having an error when trying to get this plugin to work with Nuxt3. Should be working, or is this plugin only intended to run with Nuxt2?

ℹ Register basic auth module to server middleware  

 ERROR  Cannot start nuxt:  Cannot read properties of undefined (reading 'handle')                                                                                                              

  at Function.use (node_modules/connect/index.js:87:21)
  at Object.set [as setLegacyMiddleware] (node_modules/@nuxt/nitro/dist/index.mjs:1875:13)
  at node_modules/nuxt3/dist/index.mjs:852:17
  at async initNuxt (node_modules/nuxt3/dist/index.mjs:945:3)
  at async load (node_modules/nuxi/dist/chunks/dev.mjs:6717:9)
  at async Object.invoke (node_modules/nuxi/dist/chunks/dev.mjs:6756:5)
  at async _main (node_modules/nuxi/dist/chunks/index.mjs:384:7)

This is my nuxt.config.js

export default defineNuxtConfig({
  modules: [
    [
      'nuxt-basic-auth-module'
    ]
  ],
  alias: {
    images: resolve(__dirname, './public/images')
  },
  vite: {
    build: {
      chunkSizeWarningLimit: 1000
    }
  },
  basic: {
    name: 'AUTH USER NAME HERE',
    pass: 'AUTH PASSWORD HERE',
    enabled: 'true' // require boolean value(nullable)
  },
})

https://github.com/potato4d/nuxt-basic-auth-module/blob/master/test/system/module.test.js

Since this module registers a server middleware, it's pretty clear why it can never work on SPA and SSG.

The [Enable] & [Message] prop in nuxt.config.js do not work.

I wonder how this module handle client's data because when I enter username and password for basic auth on Firefox, I could open the page on Safari without basic auth.

Hey !

Would be nice to allow function for name & pass option.
That way we would be able to adapt credentials for each route or each domain/subdomain if wanted (like in my use case).

I tried to do it myself the hard way like below, and it seems to be working like a charm :

middleware.js

const createMiddleware = options => {
  return (req, res, next) => {
    try {
      let enabled = true
      let match = options.match
      let name = options.name
      let pass = options.pass

      if (typeof name === 'function') {
          options.name = name(req)
      }

      if (typeof pass === 'function') {
          options.pass = pass(req)
      }

      if (typeof match === 'function') {
        enabled = match(req)
      }
      else if (match instanceof RegExp) {
        enabled = match.test(req.url)
      }
      else if (typeof match === 'string') {
        enabled = match === req.url 
      }
      
      if (!enabled || auth(options, req)) {
        return next()
      }
    } catch (e) {
      //
    }
    res.statusCode = 401
    res.setHeader('WWW-Authenticate', createBasicMessage(options))
    return res.end()
  }
}

nuxt.config.js

basic: {
        name({headers}){
            const currentHostname = headers['x-forwarded-host'] ? headers['x-forwarded-host'] : headers.host;
            switch (currentHostname) {
                case 'myhost.com':
                    return 'my_login'
                default:
                    return 'my_default_login';
            }
        },
        pass({headers}){
            const currentHostname = headers['x-forwarded-host'] ? headers['x-forwarded-host'] : headers.host;
            switch (currentHostname) {
                case 'myhost.com':
                    return 'my_password'
                default:
                    return 'my_default_password';
            }
        },
        match({headers}) {
            const enabledAuthHostnames = [
                'myhost.com',
                // ...
            ]
            const currentHostname = headers['x-forwarded-host'] ? headers['x-forwarded-host'] : headers.host;
            return enabledAuthHostnames.includes(currentHostname)
        }
}

Maybe my case is quite specific with the hostname conditions i added (i need to enable the basic Auth only on a few hostnames that my multisites application can hold), but it would at least give the choice for the developer to set whatever he want as condition within the function (route / domain / ...).
As well as the current match option, the classic string format would still be the default usage of the options for the simple use case.

What do you think to this possible improvement ?

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Other Branches

These updates are pending. To force PRs open, click the checkbox below.

• chore(deps): update actions/cache action to v4
• chore(deps): update actions/checkout action to v4
• chore(deps): update actions/setup-node action to v4

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dependency nuxt to v2.17.3
• chore(deps): update dependency prettier to v2.8.8
• chore(deps): update dependency jest to v29
• chore(deps): update dependency jsdom to v24
• chore(deps): update dependency nuxt to v3
• chore(deps): update dependency prettier to v3
• chore(deps): update dependency puppeteer to v22
• fix(deps): update dependency consola to v3
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Hello,

I have noticed that this middleware doesn't cover files like Nuxt.js runtime/chunk files or static assets.
If this is being used in an admin panel for example, then some important data may be leaked.
In my opinion it should cover the whole application, not only the pages.

To reproduce:
Try viewing file like 127.0.0.1:3000/_nuxt/runtime.js or some static asset.

Here's how I fixed it myself:
Running this middleware using native Express instead of Nuxt middleware will make it run before anything else,
therefore protecting internal Nuxt files or static assets.

It can be done by chaning the way of creating middleware from:
this.addServerMiddleware(middleware)
to this:
this.nuxt.server.app.use(middleware)
(nuxt.server doesn't exist on build time, so it needs to be null checked)

Unfortunately I have no time to make a pull request.

If this is not an issue, then I believe it should be mentioned in the documentation that this middleware doesn't cover files like that.

In my case, I have a demand to auth some paths like /admin.

Could we have a field in config to specific which routes should be managed by this module?

Something like this:

module.exports = {
  modules: [
    'nuxt-basic-auth-module'
  ],
  basic: {
    name: 'AUTH USER NAME HERE',
    pass: 'AUTH PASSWORD HERE',
    match(route) {
        // return true to enable basic auth
        return route.path.startsWith('/admin')
    },
  },
  // ...
}

After deploying the application protected by this module, the site will not render the Basic Auth login dialog unless a hard reload is done.

The request for / hits the server and gets a 401 response with a www-authenticate: Basic realm, but no login dialog.

How can I access this auth with axios in a form of headers and Base64?

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

Hi all,

I've read the docs - there aren't many as its simple! But I've been trying to get this working for the last couple of hours, I had yarn add'd the module, listed the module under 'modules' in the nuxt config file, added the following to the project:

basic: { name: 'AUTH USER NAME HERE', pass: 'AUTH PASSWORD HERE', enabled: process.env.BASIC_ENABLED === 'true' // require boolean value(nullable) },

And no prompts are showing on app refresh, I've cleared the cache, restarted the app, nothign to seems to work and I'm not sure where to go from here. Any and all help appreciated.

EDIT: No errors are appearing in console.

Many thanks,
Kurtis Rogers