hono/deno_dist/middleware/basic-auth/index.ts

import { HTTPException } from '../../http-exception.ts'
import type { HonoRequest } from '../../request.ts'
import type { MiddlewareHandler } from '../../types.ts'
import { timingSafeEqual } from '../../utils/buffer.ts'
import { decodeBase64 } from '../../utils/encode.ts'

const CREDENTIALS_REGEXP = /^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9._~+/-]+=*) *$/
const USER_PASS_REGEXP = /^([^:]*):(.*)$/
const utf8Decoder = new TextDecoder()
const auth = (req: HonoRequest) => {
  const match = CREDENTIALS_REGEXP.exec(req.headers.get('Authorization') || '')
  if (!match) {
    return undefined
  }

  let userPass = undefined
  // If an invalid string is passed to atob(), it throws a `DOMException`.
  try {
    userPass = USER_PASS_REGEXP.exec(utf8Decoder.decode(decodeBase64(match[1])))
  } catch {} // Do nothing

  if (!userPass) {
    return undefined
  }

  return { username: userPass[1], password: userPass[2] }
}

export const basicAuth = (
  options: { username: string; password: string; realm?: string; hashFunction?: Function },
  ...users: { username: string; password: string }[]
): MiddlewareHandler => {
  if (!options) {
    throw new Error('basic auth middleware requires options for "username and password"')
  }

  if (!options.realm) {
    options.realm = 'Secure Area'
  }
  users.unshift({ username: options.username, password: options.password })

  return async function basicAuth(ctx, next) {
    const requestUser = auth(ctx.req)
    if (requestUser) {
      for (const user of users) {
        const usernameEqual = await timingSafeEqual(
          user.username,
          requestUser.username,
          options.hashFunction
        )
        const passwordEqual = await timingSafeEqual(
          user.password,
          requestUser.password,
          options.hashFunction
        )
        if (usernameEqual && passwordEqual) {
          await next()
          return
        }
      }
    }
    const res = new Response('Unauthorized', {
      status: 401,
      headers: {
        'WWW-Authenticate': 'Basic realm="' + options.realm?.replace(/"/g, '\\"') + '"',
      },
    })
    throw new HTTPException(401, { res })
  }
}
feat: move http-exception out of utils (#883) 2023-02-11 10:05:50 +01:00			`import { HTTPException } from '../../http-exception.ts'`
feat: introduce HonoRequest with "wrapper pattern" (#733) * feat: HonoRequest * avoid `awaits` * use `raw` instead of `original` 2022-12-20 23:05:00 +01:00			`import type { HonoRequest } from '../../request.ts'`
feat(types): introduce `CustomHandler` interface (#637) 2022-10-31 16:07:56 +01:00			`import type { MiddlewareHandler } from '../../types.ts'`
feat: support Deno! (#336) 2022-07-02 08:09:45 +02:00			`import { timingSafeEqual } from '../../utils/buffer.ts'`
			`import { decodeBase64 } from '../../utils/encode.ts'`

			`const CREDENTIALS_REGEXP = /^ (?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9._~+/-]+=) *$/`
			`const USER_PASS_REGEXP = /^([^:]):(.)$/`
denoify 2023-03-19 10:19:01 +01:00			`const utf8Decoder = new TextDecoder()`
feat: introduce HonoRequest with "wrapper pattern" (#733) * feat: HonoRequest * avoid `awaits` * use `raw` instead of `original` 2022-12-20 23:05:00 +01:00			`const auth = (req: HonoRequest) => {`
feat: support Deno! (#336) 2022-07-02 08:09:45 +02:00			`const match = CREDENTIALS_REGEXP.exec(req.headers.get('Authorization') \|\| '')`
			`if (!match) {`
			`return undefined`
			`}`

fix(basic-auth): handle passing invalid value to `atob()` (#1122) * fix(basic-auth): handle passing invalid value to `atob()` * chore: denoify 2023-05-21 13:48:35 +02:00			`let userPass = undefined`
			// If an invalid string is passed to atob(), it throws a `DOMException`.
			`try {`
			`userPass = USER_PASS_REGEXP.exec(utf8Decoder.decode(decodeBase64(match[1])))`
			`} catch {} // Do nothing`
feat: support Deno! (#336) 2022-07-02 08:09:45 +02:00
			`if (!userPass) {`
			`return undefined`
			`}`

			`return { username: userPass[1], password: userPass[2] }`
			`}`

			`export const basicAuth = (`
			`options: { username: string; password: string; realm?: string; hashFunction?: Function },`
			`...users: { username: string; password: string }[]`
fix(types): add types to middleware correctly (#521) 2022-09-14 01:17:20 +02:00			`): MiddlewareHandler => {`
feat: support Deno! (#336) 2022-07-02 08:09:45 +02:00			`if (!options) {`
			`throw new Error('basic auth middleware requires options for "username and password"')`
			`}`

			`if (!options.realm) {`
			`options.realm = 'Secure Area'`
			`}`
			`users.unshift({ username: options.username, password: options.password })`

feat(helper/dev): Introduce `inspectRoutes()` and `showRoutes()` (#1716) * feat(dev): Introduce "dev" helper * feat(dev): Expose "dev" helper * refactor: Use "named function" in some middleware. * feat: `app.showRoutes()` is now deprecated. Use `showRoutes()` in `helper` instead. * refactor: export RouterRoute interface for utility * refactor: remove captureRouteStackTrace, add inspectRoutes `captureRouteStackTrace` will be implemented after some more thought. Instead, I added `inspectRoutes` to get routes as data. * test: add tests for helper/dev/index.ts * fix: run `format:fix` * refactor: use named functions for middleware * chore: denoify * docs: tweaks deprecation warning message * refactor(dev): Simplification of showList options * chore: denoify 2023-11-29 11:22:09 +01:00			`return async function basicAuth(ctx, next) {`
feat: support Deno! (#336) 2022-07-02 08:09:45 +02:00			`const requestUser = auth(ctx.req)`
			`if (requestUser) {`
			`for (const user of users) {`
			`const usernameEqual = await timingSafeEqual(`
			`user.username,`
			`requestUser.username,`
			`options.hashFunction`
			`)`
			`const passwordEqual = await timingSafeEqual(`
			`user.password,`
			`requestUser.password,`
			`options.hashFunction`
			`)`
			`if (usernameEqual && passwordEqual) {`
			`await next()`
			`return`
			`}`
			`}`
			`}`
feat: introduce `HTTPException` (#796) * feat: introduce `HTTPException` * denoify and fixed tests for Lagon 2023-01-12 10:53:13 +01:00			`const res = new Response('Unauthorized', {`
feat: support Deno! (#336) 2022-07-02 08:09:45 +02:00			`status: 401,`
			`headers: {`
			`'WWW-Authenticate': 'Basic realm="' + options.realm?.replace(/"/g, '\\"') + '"',`
			`},`
			`})`
feat: introduce `HTTPException` (#796) * feat: introduce `HTTPException` * denoify and fixed tests for Lagon 2023-01-12 10:53:13 +01:00			`throw new HTTPException(401, { res })`
feat: support Deno! (#336) 2022-07-02 08:09:45 +02:00			`}`
			`}`