Merge pull request http-party#245 from neoeno/master

Add HTTP Basic Auth

Author: thornjad

README.md

@@ -61,6 +61,10 @@ Using `npx` you can run the script without installing it first:
 
 `-P` or `--proxy` Proxies all requests which can't be resolved locally to the given url. e.g.: -P http://someurl.com
 
+`--username` Username for basic authentication [none]
+
+`--password` Password for basic authentication [none]
+
 `-S` or `--ssl` Enable https.
 
 `-C` or `--cert` Path to ssl cert file (default: `cert.pem`).

bin/http-server

@@ -36,6 +36,11 @@ if (argv.h || argv.help) {
     '',
     '  -P --proxy   Fallback proxy if the request cannot be resolved. e.g.: http://someurl.com',
     '',
+    '  --username   Username for basic authentication [none]',
+    '               Can also be specified with the env variable NODE_HTTP_SERVER_USERNAME',
+    '  --password   Password for basic authentication [none]',
+    '               Can also be specified with the env variable NODE_HTTP_SERVER_PASSWORD',
+    '',
     '  -S --ssl     Enable https.',
     '  -C --cert    Path to ssl cert file (default: cert.pem).',
     '  -K --key     Path to ssl key file (default: key.pem).',
@@ -108,7 +113,9 @@ function listen(port) {
     ext: argv.e || argv.ext,
     logFn: logger.request,
     proxy: proxy,
-    showDotfiles: argv.dotfiles
+    showDotfiles: argv.dotfiles,
+    username: argv.username || process.env.NODE_HTTP_SERVER_USERNAME,
+    password: argv.password || process.env.NODE_HTTP_SERVER_PASSWORD
   };
 
   if (argv.cors) {

lib/http-server.js

@@ -3,8 +3,10 @@
 var fs = require('fs'),
     union = require('union'),
     ecstatic = require('ecstatic'),
+    auth = require('basic-auth'),
     httpProxy = require('http-proxy'),
-    corser = require('corser');
+    corser = require('corser'),
+    secureCompare = require('secure-compare');
 
 //
 // Remark: backwards compatibility for previous
@@ -72,6 +74,27 @@ function HttpServer(options) {
     res.emit('next');
   });
 
+  if (options.username || options.password) {
+    before.push(function (req, res) {
+      var credentials = auth(req);
+
+      // We perform these outside the if to avoid short-circuiting and giving
+      // an attacker knowledge of whether the username is correct via a timing
+      // attack.
+      if (credentials) {
+        var usernameEqual = secureCompare(options.username, credentials.name);
+        var passwordEqual = secureCompare(options.password, credentials.pass);
+        if (usernameEqual && passwordEqual) {
+          return res.emit('next');
+        }
+      }
+
+      res.statusCode = 401;
+      res.setHeader('WWW-Authenticate', 'Basic realm=""');
+      res.end('Access denied');
+    });
+  }
+
   if (options.cors) {
     this.headers['Access-Control-Allow-Origin'] = '*';
     this.headers['Access-Control-Allow-Headers'] = 'Origin, X-Requested-With, Content-Type, Accept, Range';

package.json

@@ -70,13 +70,15 @@
 	}
   ],
   "dependencies": {
+    "basic-auth": "^1.0.3",
     "colors": "^1.3.3",
     "corser": "^2.0.1",
     "ecstatic": "^3.3.0",
     "http-proxy": "^1.17.0",
     "opener": "^1.5.1",
     "optimist": "~0.6.1",
     "portfinder": "^1.0.20",
+    "secure-compare": "3.0.1",
     "union": "~0.5.0"
   },
   "devDependencies": {

test/http-server-test.js

@@ -157,5 +157,137 @@ vows.describe('http-server').addBatch({
         assert.ok(res.headers['access-control-allow-headers'].split(/\s*,\s*/g).indexOf('X-Test') >= 0, 204);
       }
     }
+  },
+  'When http-server is listening on 8083 with username "good_username" and password "good_password"': {
+    topic: function () {
+      var server = httpServer.createServer({
+        root: root,
+        robots: true,
+        headers: {
+          'Access-Control-Allow-Origin': '*',
+          'Access-Control-Allow-Credentials': 'true'
+        },
+        username: 'good_username',
+        password: 'good_password'
+      });
+
+      server.listen(8083);
+      this.callback(null, server);
+    },
+    'and the user requests an existent file with no auth details': {
+      topic: function () {
+        request('http://127.0.0.1:8083/file', this.callback);
+      },
+      'status code should be 401': function (res) {
+        assert.equal(res.statusCode, 401);
+      },
+      'and file content': {
+        topic: function (res, body) {
+          var self = this;
+          fs.readFile(path.join(root, 'file'), 'utf8', function (err, data) {
+            self.callback(err, data, body);
+          });
+        },
+        'should be a forbidden message': function (err, file, body) {
+          assert.equal(body, 'Access denied');
+        }
+      }
+    },
+    'and the user requests an existent file with incorrect username': {
+      topic: function () {
+        request('http://127.0.0.1:8083/file', {
+          auth: {
+            user: 'wrong_username',
+            pass: 'good_password'
+          }
+        }, this.callback);
+      },
+      'status code should be 401': function (res) {
+        assert.equal(res.statusCode, 401);
+      },
+      'and file content': {
+        topic: function (res, body) {
+          var self = this;
+          fs.readFile(path.join(root, 'file'), 'utf8', function (err, data) {
+            self.callback(err, data, body);
+          });
+        },
+        'should be a forbidden message': function (err, file, body) {
+          assert.equal(body, 'Access denied');
+        }
+      }
+    },
+    'and the user requests an existent file with incorrect password': {
+      topic: function () {
+        request('http://127.0.0.1:8083/file', {
+          auth: {
+            user: 'good_username',
+            pass: 'wrong_password'
+          }
+        }, this.callback);
+      },
+      'status code should be 401': function (res) {
+        assert.equal(res.statusCode, 401);
+      },
+      'and file content': {
+        topic: function (res, body) {
+          var self = this;
+          fs.readFile(path.join(root, 'file'), 'utf8', function (err, data) {
+            self.callback(err, data, body);
+          });
+        },
+        'should be a forbidden message': function (err, file, body) {
+          assert.equal(body, 'Access denied');
+        }
+      }
+    },
+    'and the user requests a non-existent file with incorrect password': {
+      topic: function () {
+        request('http://127.0.0.1:8083/404', {
+          auth: {
+            user: 'good_username',
+            pass: 'wrong_password'
+          }
+        }, this.callback);
+      },
+      'status code should be 401': function (res) {
+        assert.equal(res.statusCode, 401);
+      },
+      'and file content': {
+        topic: function (res, body) {
+          var self = this;
+          fs.readFile(path.join(root, 'file'), 'utf8', function (err, data) {
+            self.callback(err, data, body);
+          });
+        },
+        'should be a forbidden message': function (err, file, body) {
+          assert.equal(body, 'Access denied');
+        }
+      }
+    },
+    'and the user requests an existent file with correct auth details': {
+      topic: function () {
+        request('http://127.0.0.1:8083/file', {
+          auth: {
+            user: 'good_username',
+            pass: 'good_password'
+          }
+        }, this.callback);
+      },
+      'status code should be 200': function (res) {
+        assert.equal(res.statusCode, 200);
+      },
+      'and file content': {
+        topic: function (res, body) {
+          var self = this;
+          fs.readFile(path.join(root, 'file'), 'utf8', function (err, data) {
+            self.callback(err, data, body);
+          });
+        },
+        'should match content of served file': function (err, file, body) {
+          assert.equal(body.trim(), file.trim());
+        }
+      }
+    }
   }
 }).export(module);