Skip to content

Add HTTP Basic Auth #245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 15, 2019
Merged

Add HTTP Basic Auth #245

merged 3 commits into from
Apr 15, 2019

Conversation

neoeno
Copy link

@neoeno neoeno commented Feb 12, 2016

Built on the work of @jondlm in #51. Using what I figured was the most popular basic auth library: https://www.npmjs.com/package/basic-auth

Can be configured with CLI options or env variables (separated out into its own commit in case you don't want that).

I've erred on the generous side when it comes to tests, as people will probably be pretty peeved if this stops working in some non-obvious way!

@jondlm
Copy link

jondlm commented Feb 12, 2016

Cool, thanks for taking the torch on this one!

bryce-gibson
bryce-gibson reviewed Mar 8, 2016
View reviewed changes
lib/http-server.js Outdated
before.push(function (req, res) {
var credentials = auth(req);

if (credentials && credentials.name === options.username && credentials.pass === options.password) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be worth using something like secure-compare rather than a simple string comparison? (Secure compare is designed to avoid timing attacks.)

To my mind, I wouldn't be too stress about security (because if I was concerned about security, I probably wouldn't be using basic auth...) but it feels like a good idea to "do it right" (and demonstrate better security practices), and it's quite simple to use a simple secure comparison rather than a ===.

Feel free to ignore me :-) (I'm just some random on the internet :-p ) Just something that came to mind when I saw this :-)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think in my head I was thinking 'better not make it secure or people might actually use it to secure things!' but that is obviously unhelpful because a) most people won't know what a timing attack is and so won't benefit from knowing it's not secure, and b) well, it just is.

So: great idea, good reasoning. I'll implement it this week.

@neoeno
Copy link
Author

neoeno commented Mar 9, 2016

Implemented @bryce-gibson's idea to use secure-compare.

Since it didn't seem too widely used, I looked into it in some depth and wrote some caveats in the commit message (there's a JSPerf that might make some of it clearer here: http://jsperf.com/secompare/7). I've also pinned to the exact version. Obvious disclaimer, I'm no security expert.

[Edit: Rebased onto master also]

@svperfecta
Copy link

Nice!

@sublimino
Copy link

Would love to see this merged if a maintainer has the time :) cc @indexzero

@roccomuso
Copy link

+1 #270

@kamasheto

This comment has been minimized.

Sign in to view
1 similar comment
@zerob4wl

This comment has been minimized.

Sign in to view
@Alex-Werner
Copy link

Alex-Werner commented Dec 7, 2016
edited
Loading

Nice !
BTW Saw a typo (but do we care?) : authenication => authentication

EDIT : It might worth knowing that on linux, if you set a password with something like : "foo$bar", the retained password (in options.password) will be : foo, the $ is not taken into account. On windows no problem about it.
Thus, the characters need to be escaped : --password "foo$bar"

@neoeno
Copy link
Author

neoeno commented Dec 8, 2016

Whoops — good catch, thanks @Alex-Werner!

Fixed the typo, squashed in, and rebased on latest master for good measure

@christianbundy christianbundy mentioned this pull request Feb 26, 2017
Closed
@BigBlueHat BigBlueHat added this to the v0.10.0 milestone Apr 25, 2017
@BigBlueHat BigBlueHat mentioned this pull request Apr 25, 2017
Closed
@BigBlueHat BigBlueHat modified the milestones: v0.10.0, v0.11.0 Apr 25, 2017
@jglick
Copy link

jglick commented May 25, 2017

Any relation to http-server-with-auth?

@Alex-Werner
Copy link

Yeah, sorry about that. But read the disclaimer I put on, whenerver this will be merge I delete the npm repo.
I copypasted the code here with little to none quick things and setup this for my needs I hope no-one being hurt with that :/

@neoeno
Copy link
Author

neoeno commented May 28, 2017

No objections from me @Alex-Werner!

Rebased onto upstream master to fix merge conflicts.

@piecioshka
Copy link

@Alex-Werner can you rebase onto upstream master?
@indexzero can you merge this PR?

Kay Lovelace added 3 commits January 6, 2018 22:33
@neoeno
Add HTTP Basic Auth
5113a57 
Using https://www.npmjs.com/package/basic-auth

Inspired and built on the work of jondlm in
http-party#51
@neoeno
Add Basic Auth configuration with env varaible
b8101bd
@neoeno
Use secure comparison for Basic Auth credentials
45add9c 
Note that the order of arguments to secureCompare
will have an effect upon the running time — though
not in a way that leaks information about whether
the passwords match.

These:

```javascript
compare("short", "short");
compare("short", "loooo<...>ng");
```

Will run faster than these:

```javascript
compare("loooo<...>ng", "short");
compare("loooo<...>ng", "loooo<...>ng");
```

If someone could duplicate your exact set-up, they
could possibly discover how long your secret
password is by testing how long yours takes to run
compared to how long their identical server takes
to run given passwords of a known length.

Given that this isn't the US Govt (I hope), it's
not a huge concern, and I don't know enough to do
it better. However, given that `http-server`
typically runs on its own (without any other
software that would 'pad out' the timing), you
might want to consider and mitigate this vector of
attack.
@neoeno
Copy link
Author

neoeno commented Jan 6, 2018

Rebased this one in case that's what you meant @piecioshka

@BigBlueHat BigBlueHat modified the milestones: v0.11.0, v0.12.0 Jan 10, 2018
@mingyuan-xia
Copy link

@BigBlueHat can you merge this PR?

@ryanmjacobs
Copy link

Please merge this!

@BigBlueHat BigBlueHat added the minor version non-breaking, non-trivial change label Jun 22, 2018
@BigBlueHat BigBlueHat removed this from the v0.12.0 milestone Jun 22, 2018
@LuisMayo
Copy link

Bumping thread. I'd want to see it merged

@BigBlueHat BigBlueHat requested a review from thornjad February 27, 2019 19:40
@thornjad thornjad added this to the v0.12.0 milestone Feb 28, 2019
catphat added a commit to catphat/http-server that referenced this pull request Mar 25, 2019
@catphat
Merge pull request #1 from neoeno/master
8779cb0 
Add HTTP Basic Auth http-party#245
@thornjad thornjad merged commit 45add9c into http-party:master Apr 15, 2019
thornjad added a commit that referenced this pull request Apr 15, 2019
@thornjad
Merge pull request #245 from neoeno/master
456f7ff 
Add HTTP Basic Auth
thornjad added a commit that referenced this pull request Apr 15, 2019
@thornjad
add basic auth pkgs to lock
597c126 
relates to #245
@thornjad thornjad mentioned this pull request Apr 16, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thornjad thornjad thornjad approved these changes

Assignees
No one assigned
Labels
minor version non-breaking, non-trivial change
Projects
None yet
Milestone
v0.12.0
Development

Successfully merging this pull request may close these issues.