{"id":16293,"library":"auth-header","title":"HTTP Authorization Header Parser and Formatter","description":"The `auth-header` library provides a robust solution for parsing and formatting HTTP `Authorization` and `WWW-Authenticate` headers. It supports various authentication schemes, including Basic, Digest, AWS, and Bearer/OAuth, adhering primarily to RFC7235 while also accommodating certain legacy formats by being less strict in its parsing. Currently at version 1.0.0, the library offers a stable API, though it appears to be in a maintenance state with no new feature development or active bug fixes since 2017. Its core differentiator lies in abstracting the complexities of these historically inconsistent HTTP headers, offering a standardized programmatic interface for their manipulation, which is a significant improvement over manual string parsing.","status":"maintenance","version":"1.0.0","language":"javascript","source_language":"en","source_url":"https://github.com/izaakschroeder/auth-header","tags":["javascript","http","express","basic","auth","authorization"],"install":[{"cmd":"npm install auth-header","lang":"bash","label":"npm"},{"cmd":"yarn add auth-header","lang":"bash","label":"yarn"},{"cmd":"pnpm add auth-header","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The library primarily uses a namespace import pattern for its functions. While Node.js's CJS-ESM interop might allow `require`, `import * as` is the idiomatic way.","wrong":"const authorization = require('auth-header');","symbol":"authorization","correct":"import * as authorization from 'auth-header';"},{"note":"Access `parse` as a property of the `authorization` namespace object, not as a direct named export.","wrong":"import { parse } from 'auth-header';","symbol":"authorization.parse","correct":"const parsedHeader = authorization.parse(req.get('authorization'));"},{"note":"Similar to `parse`, `format` is a property of the `authorization` namespace object.","wrong":"import { format } from 'auth-header';","symbol":"authorization.format","correct":"res.set('WWW-Authenticate', authorization.format('Basic'));"}],"quickstart":{"code":"import * as authorization from 'auth-header';\nimport express from 'express';\n\nconst app = express();\n\napp.get('/', function(req, res) {\n\n\t// Helper function for authentication failure\n\tfunction fail() {\n\t\tres.set('WWW-Authenticate', authorization.format('Basic'));\n\t\tres.status(401).send();\n\t}\n\n\t// Get authorization header from request\n\tconst authHeader = req.get('authorization');\n\n\t// If no header, fail immediately\n\tif (!authHeader) {\n\t\treturn fail();\n\t}\n\n\t// Parse the authorization header\n\tconst auth = authorization.parse(authHeader);\n\n\t// No basic authentication provided or wrong scheme\n\tif (!auth || auth.scheme !== 'Basic') {\n\t\treturn fail();\n\t}\n\n\t// Get the basic auth component (username:password)\n\t// Using Buffer for base64 decoding, which is Node.js specific.\n\tlet [un, pw] = ['', ''];\n\tif (auth.token) {\n\t\t[un, pw] = Buffer.from(auth.token, 'base64').toString('utf8').split(':', 2);\n\t}\n\n\t// Verify authentication (simple hardcoded example)\n\tif (pw !== 'admin') {\n\t\treturn fail();\n\t}\n\n\t// Authentication successful\n\tres.send('Hello world.');\n});\n\napp.listen(3000, () => {\n  console.log('Server running on port 3000');\n});","lang":"javascript","description":"This quickstart demonstrates how to use `auth-header` within an Express application to parse an incoming `Authorization` header and format a `WWW-Authenticate` header for basic authentication. It checks for a 'Basic' scheme, decodes the credentials, and performs a simple password verification."},"warnings":[{"fix":"Ensure that your server responds with separate `WWW-Authenticate` headers for each challenge if this scenario is applicable.","message":"The library explicitly only supports `WWW-Authenticate` headers where multiple authentication challenges appear in multiple distinct headers, not when they are concatenated into a single header. Attempting to parse a single `WWW-Authenticate` header with multiple challenges may lead to incomplete or incorrect results.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Be aware that parsed output might come from non-standard or slightly malformed input. Implement additional validation on the parsed `scheme` and `token` if strict adherence to standards is critical for your application.","message":"While adhering to RFC7235, the library is intentionally 'less strict' than it could be to parse some legacy authorization header formats. This leniency might allow parsing of malformed headers that a stricter parser would reject.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Evaluate the stability requirements for your project. If ongoing support or new standards compliance is crucial, consider alternatives or be prepared to maintain a fork.","message":"The `auth-header` project appears to be in a maintenance or abandoned state. The last significant commit was in February 2017, meaning no new features, active bug fixes, or security updates are to be expected. While stable, consider this for long-term project viability.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"For browser environments, use `atob()` for base64 decoding, or include a `Buffer` polyfill if targeting broader compatibility.","message":"The `quickstart` example and common use cases involving basic authentication often require base64 decoding (e.g., `Buffer.from(auth.token, 'base64').toString()`). `Buffer` is a Node.js global object. If using this library in a browser environment or a runtime without `Buffer`, you will encounter a `ReferenceError`.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Always check if the result of `authorization.parse()` is a valid object before attempting to access its properties. For example: `const auth = authorization.parse(headerValue); if (!auth) { /* handle unparseable header */ }`","cause":"The `authorization.parse()` method returned `undefined` because the input header string was null, undefined, empty, or completely unparseable, and subsequent code attempted to access properties of the `undefined` result.","error":"TypeError: Cannot read properties of undefined (reading 'scheme')"},{"fix":"Ensure you are using the correct import pattern: `import * as authorization from 'auth-header';` and then access `authorization.parse()` and `authorization.format()`.","cause":"This typically occurs when attempting to use a CommonJS `require()` pattern (`const authorization = require('auth-header');`) for a module primarily designed for ES module `import` syntax, or vice-versa, or when incorrectly trying to destructure named exports (`import { parse } from 'auth-header';`) instead of using the namespace import.","error":"TypeError: authorization.parse is not a function"},{"fix":"If running in a browser, use `atob(auth.token)` for base64 decoding. If targeting universal environments, consider a polyfill or a library like `js-base64` for encoding/decoding operations.","cause":"The `Buffer` global object, commonly used for base64 encoding/decoding in Node.js, is not available in browser environments or other JavaScript runtimes.","error":"ReferenceError: Buffer is not defined"}],"ecosystem":"npm"}