Commit 3ec8ae4

aubergine10aubergine10

aubergine10

authored and

aubergine10

committed

Updated readme.md for review - totaljs#43

Added note on caching credentials to avoid excessive db lookups, also added note on req.uri.auth

1 parent 5ea05d4 commit 3ec8ae4Copy full SHA for 3ec8ae4

File tree

1 file changed

+73

-7

lines changed

authorization-www-basic
- readme.md

1 file changed

+73

-7

lines changed

`‎authorization-www-basic/readme.md`

Lines changed: 73 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@ Features covered by this example:`
`9`	`9`
`10`	`10`	See the `/controllers/default.js` for sample code.
`11`	`11`
	`12`	`+> Note: BAA doesn't attempt to encrypt credentials and as such should only be used on HTTPS connections.`
	`13`	`+`
`12`	`14`	`### Reading credentials`
`13`	`15`
`14`	`16`	To read credentials, use the `.baa()` method in a route handler function:
`@@ -39,7 +41,7 @@ function authorization() {`
`39`	`41`	`// ...`
`40`	`42`
`41`	`43`	`if (auth.empty) { // ask user to login`
`42`		`- this.baa('Log in, bro.'); // or whatever prompt you want the user to see`
	`44`	`+ this.baa('Admin Login Required.'); // or whatever prompt you want the user to see`
`43`	`45`	`return;`
`44`	`46`	`}`
`45`	`47`
`@@ -50,10 +52,10 @@ function authorization() {`
`50`	`52`	This sends a response back to the browser which has a `WWW-Authenticate` HTTP header like this:
`51`	`53`
`52`	`54`	```
`53`		`-WWW-Authenticate: Basic realm="Log in, bro."`
	`55`	`+WWW-Authenticate: Basic realm="Admin Login Required."`
`54`	`56`	```
`55`	`57`
`56`		-On seeing that header, the browser will display the prompt (`Log in, bro.`) along with a basic login form with fields for username and password. When the user submits the form, the browser will retry the request, only this time it will have the required `Authorization` HTTP header that we are looking for.
	`58`	+On seeing that header, the browser will display the prompt (`Admin Login Required.`) along with a basic login form with fields for username and password. When the user submits the form, the browser will retry the request, only this time it will have the required `Authorization` HTTP header that we are looking for.
`57`	`59`
`58`	`60`	`### Validating credentials`
`59`	`61`
`@@ -74,7 +76,7 @@ function authorization() {`
`74`	`76`	`} else {`
`75`	`77`
`76`	`78`	`// ask them to login again?`
`77`		`- this.baa('Wrong details, try again, bro.');`
	`79`	`+ this.baa('Admin Login Required.');`
`78`	`80`	`return;`
`79`	`81`
`80`	`82`	`// or maybe just throw a #401 error?`
`@@ -86,8 +88,72 @@ function authorization() {`
`86`	`88`	`}`
`87`	`89`	```
`88`	`90`
`89`		-> Note: The browser will keep sending the `Authorization` header on subsequent requests for about 15 minutes or more, effectively keeping the user logged in (from user perspective). Downside is that, server-side, you have to re-check the credentials on every request.
	`91`	`+### Bonus 1: Server-side caching`
	`92`	`+`
	`93`	+The browser will keep sending the `Authorization` header on subsequent requests for about 15 minutes, effectively keeping the user logged in (from user perspective). Downside is that, server-side, you have to re-check the credentials on every request. As such it's probably worth keeping a cache of validated credentials to avoid excessive database lookups, for example:
	`94`	`+`
	`95`	+```javascript
	`96`	`+var baaCache = {};`
	`97`	`+`
	`98`	`+function authorization() {`
	`99`	`+`
	`100`	`+ // ...`
	`101`	`+`
	`102`	`+ if ( (baaCache[auth.user] && baaCache[auth.user] === auth.password) \|\| isValidLogin( auth.user, auth.password ) ) {`
	`103`	`+`
	`104`	`+ baaCache[auth.user] = auth.password; // cache`
`90`	`105`
`91`		`-## Notes`
	`106`	`+ // do authorised stuff`
	`107`	`+`
	`108`	`+ } else {`
	`109`	`+ // ...`
	`110`	`+ }`
	`111`	`+}`
`92`	`112`
`93`		-BAA doesn't make any attempt to encrypt the login details it sends via the `Authorization` HTTP header so, ideally, you should only ever use BAA over HTTPS connections.
	`113`	`+function housekeeping(tick) {`
	`114`	`+ if (tick % 5 === 0) // every 5 mins clear cache`
	`115`	`+ baaCache = {};`
	`116`	`+}`
	`117`	`+`
	`118`	`+// add this to export.install() at top of script:`
	`119`	`+F.on('service', housekeeping)`
	`120`	`+`
	`121`	`+// also add an export.uninstall() to remove the listener`
	`122`	`+export.uninstall = function() {`
	`123`	`+ F.removeListener('service', housekeeping);`
	`124`	`+}`
	`125`	+```
	`126`	`+### Bonus 2: URI authentication`
	`127`	`+`
	`128`	+The `.baa()` method only checks request HTTP headers for credentials, it doesn't check for credentials in the URI like this:
	`129`	`+`
	`130`	+```
	`131`	`+https://user:password@www.example.com/`
	`132`	+```
	`133`	`+`
	`134`	+If you wish to accept credentials in the URI, use `.req.uri.auth`:
	`135`	`+`
	`136`	+```javascript
	`137`	`+function authorization() {`
	`138`	`+`
	`139`	`+ // ...`
	`140`	`+`
	`141`	`+ if (auth.empty) { // check for URI auth first, before asking user to login`
	`142`	`+`
	`143`	`+ if (this.req.uri.auth) { // found credentials on auth, use those instead`
	`144`	`+`
	`145`	`+ let creds = this.req.uri.auth.split(':');`
	`146`	`+ auth.user = creds[0];`
	`147`	`+ auth.password = creds[1];`
	`148`	`+ auth.empty = false;`
	`149`	`+`
	`150`	`+ } else {`
	`151`	`+ this.baa('Admin Login Required.'); // or whatever prompt you want the user to see`
	`152`	`+ return;`
	`153`	`+ }`
	`154`	`+`
	`155`	`+ }`
	`156`	`+`
	`157`	`+ // ...`
	`158`	`+}`
	`159`	+```

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 3ec8ae4

File tree

1 file changed

1 file changed

`‎authorization-www-basic/readme.md`

0 commit comments