{"id":15087,"library":"basic-auth-connect","title":"Connect Basic Authentication Middleware","description":"`basic-auth-connect` is a Connect/Express middleware that implements HTTP Basic Authentication, providing a straightforward way to secure web routes. It allows for user verification using either static username/password pairs or through synchronous or asynchronous callback functions for more dynamic authentication logic. The package is currently on version 1.1.0, with its most recent updates focusing primarily on security patches, notably addressing CVE-2024-47178. While functional and easy to use for common Basic Auth scenarios, the package's own documentation suggests that for more complex or highly custom authentication requirements, developers should consider using the underlying `basic-auth` package directly to build their own middleware. Its release cadence appears to be driven by critical security fixes rather than feature development, indicating it is in a maintenance status. Its key differentiator is its simplicity for direct integration into the Connect middleware stack.","status":"maintenance","version":"1.1.0","language":"javascript","source_language":"en","source_url":"https://github.com/expressjs/basic-auth-connect","tags":["javascript"],"install":[{"cmd":"npm install basic-auth-connect","lang":"bash","label":"npm"},{"cmd":"yarn add basic-auth-connect","lang":"bash","label":"yarn"},{"cmd":"pnpm add basic-auth-connect","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Added in v1.1.0 for timing-safe comparison to mitigate timing attacks (CVE-2024-47178).","package":"tsscmp","optional":false}],"imports":[{"note":"This package is CommonJS-only. 
Use `require()` for Node.js applications.","wrong":"import basicAuth from 'basic-auth-connect';","symbol":"basicAuth","correct":"const basicAuth = require('basic-auth-connect');"},{"note":"The package does not export named exports; it provides a default CommonJS export.","wrong":"import { basicAuth } from 'basic-auth-connect';","symbol":"basicAuth (named import)","correct":"const basicAuth = require('basic-auth-connect');"}],"quickstart":{"code":"const connect = require('connect');\nconst basicAuth = require('basic-auth-connect');\nconst http = require('http');\nconst crypto = require('crypto');\n\nconst app = connect();\n\n// Simulate a database user check with timing-safe comparison\nconst users = {\n  'tj': 'wahoo',\n  'admin': 'secret'\n};\n\nfunction verifyUser(user, pass, done) {\n  setTimeout(() => {\n    const storedPass = users[user];\n    if (storedPass) {\n      // Crucial for security: timing-safe comparison\n      const userBuffer = Buffer.from(pass);\n      const storedBuffer = Buffer.from(storedPass);\n      if (userBuffer.length === storedBuffer.length && crypto.timingSafeEqual(userBuffer, storedBuffer)) {\n        console.log(`User '${user}' authenticated successfully.`);\n        return done(null, user);\n      }\n    }\n    console.log(`Failed authentication for user '${user}'.`);\n    done(null, false); // Failed authentication\n  }, 100);\n}\n\n// Basic auth with static username/password\napp.use('/protected-static', basicAuth('staticuser', 'staticpass'));\n\n// Basic auth with async callback verification\napp.use('/protected-async', basicAuth(verifyUser));\n\napp.use('/protected-static', (req, res) => {\n  res.end('Accessed protected static route!');\n});\n\napp.use('/protected-async', (req, res) => {\n  res.end('Accessed protected async route!');\n});\n\napp.use('/', (req, res) => {\n  res.end('Welcome! 
Try /protected-static or /protected-async');\n});\n\nhttp.createServer(app).listen(3000, () => {\n  console.log('Server running on http://localhost:3000');\n  console.log('Try accessing http://localhost:3000/protected-static with staticuser/staticpass');\n  console.log('Try accessing http://localhost:3000/protected-async with tj/wahoo');\n});\n","lang":"javascript","description":"Demonstrates basic HTTP authentication for a Connect application using both static credentials and an asynchronous callback function with a timing-safe comparison."},"warnings":[{"fix":"Upgrade to `basic-auth-connect@1.1.0` or higher.","message":"Version 1.1.0 fixed CVE-2024-47178, a timing attack vulnerability. All previous versions are affected. Update immediately to ensure secure password comparison.","severity":"breaking","affected_versions":"<1.1.0"},{"fix":"Compare user-provided passwords with stored ones in your verification callback using `crypto.timingSafeEqual(Buffer.from(providedPass), Buffer.from(storedPass))`, after checking that both buffers have the same byte length (`crypto.timingSafeEqual` throws when the lengths differ).","message":"When using callback verification for authentication, it is critical to employ a timing-safe comparison function (e.g., `crypto.timingSafeEqual`) for passwords to prevent timing attacks. Direct string comparison (`==` or `===`) is insecure.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"For complex or highly customized basic authentication logic, consider directly using `basic-auth` to build your middleware, providing more control and flexibility.","message":"The README suggests considering direct usage of the `basic-auth` package for custom middleware. 
This implies `basic-auth-connect` might be less actively developed for new features and more maintained for security, making `basic-auth` a better choice for highly customized or long-term solutions.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Ensure your project is configured for CommonJS, or use `createRequire` from Node.js's built-in `module` module (nothing to install) if you must load CommonJS modules within an ESM file (`import { createRequire } from 'module'; const require = createRequire(import.meta.url); const basicAuth = require('basic-auth-connect');`).","cause":"Attempting to use `require('basic-auth-connect')` in an ES module (ESM) context in Node.js without proper setup.","error":"ReferenceError: require is not defined"},{"fix":"Use the CommonJS `require()` syntax: `const basicAuth = require('basic-auth-connect');`. This package does not provide ES module exports.","cause":"Attempting to use `import basicAuth from 'basic-auth-connect';` which incorrectly assumes a default ES module export for a CommonJS module.","error":"TypeError: basicAuth_1.default is not a function"}],"ecosystem":"npm"}