{"id":14623,"library":"htpasswd","title":"htpasswd","description":"The `htpasswd` package provides a Node.js implementation of Apache's `htpasswd` utility, designed for managing HTTP Basic Authentication password files. It functions primarily as a command-line interface tool, offering various password encryption methods including MD5 (default), bcrypt, SHA, crypt(), and plaintext. The current stable version is 2.4.6. Its release cadence appears to be infrequent, with recent updates mainly addressing ownership and minor version bumps rather than continuous feature additions. Key differentiators include its direct emulation of the Apache utility's CLI and support for multiple hashing algorithms, making it suitable for environments where direct `htpasswd` file manipulation is required programmatically or via script.","status":"active","version":"2.4.6","language":"javascript","source_language":"en","source_url":"ssh://git@github.com/gevorg/htpasswd","tags":["javascript","htpasswd","http","basic","access","authentication"],"install":[{"cmd":"npm install htpasswd","lang":"bash","label":"npm"},{"cmd":"yarn add htpasswd","lang":"bash","label":"yarn"},{"cmd":"pnpm add htpasswd","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The `Htpasswd` class provides the main API for programmatic file management. While primarily a CommonJS package, Node.js's interoperability allows this ESM syntax. For strict CommonJS, use `const { Htpasswd } = require('htpasswd');`.","wrong":"import Htpasswd from 'htpasswd';","symbol":"Htpasswd","correct":"import { Htpasswd } from 'htpasswd';"},{"note":"A direct utility function for hashing a password, exported alongside the `Htpasswd` class. 
For CommonJS: `const { createHash } = require('htpasswd');`.","wrong":"const createHash = require('htpasswd').createHash;","symbol":"createHash","correct":"import { createHash } from 'htpasswd';"},{"note":"For CommonJS environments, multiple named exports like `Htpasswd`, `createHash`, and `verifyPassword` can be destructured directly from the main package export.","symbol":"CommonJS named exports","correct":"const { Htpasswd, createHash, verifyPassword } = require('htpasswd');"}],"quickstart":{"code":"import { Htpasswd } from 'htpasswd';\nimport * as path from 'path';\nimport * as fs from 'fs/promises';\n\nasync function runHtpasswdExample() {\n  const filePath = path.join(__dirname, 'example.htpasswd');\n  const username = 'testuser';\n  const password = 'securePassword123';\n  const wrongPassword = 'wrongPassword';\n\n  try {\n    // 1. Create a new htpasswd file and add a user (bcrypt is enabled explicitly here; the package default is MD5)\n    // Default bcrypt cost is 5. Using 10 here for better security.\n    const htpasswd = new Htpasswd(filePath, { create: true, bcrypt: true, cost: 10 });\n    await htpasswd.add(username, password);\n    console.log(`User '${username}' added to '${filePath}' with bcrypt hash.`);\n    const content = await fs.readFile(filePath, 'utf8');\n    console.log('File content:\\n', content);\n\n    // 2. Verify the correct password\n    const isCorrect = await htpasswd.verify(username, password);\n    console.log(`Password for '${username}' is correct: ${isCorrect}`);\n\n    // 3. Try to verify with a wrong password\n    const isWrong = await htpasswd.verify(username, wrongPassword);\n    console.log(`Password for '${username}' with wrong input: ${isWrong}`);\n\n    // 4. 
Delete the user\n    await htpasswd.delete(username);\n    console.log(`User '${username}' deleted from '${filePath}'.`);\n    const updatedContent = await fs.readFile(filePath, 'utf8');\n    console.log('File content after deletion:\\n', updatedContent);\n\n  } catch (error: any) {\n    console.error('Error during htpasswd operations:', error.message);\n  } finally {\n    // Clean up the created file\n    try {\n      await fs.unlink(filePath);\n      console.log(`Cleaned up '${filePath}'.`);\n    } catch (e) {\n      // Ignore if file doesn't exist or permissions issue during cleanup\n    }\n  }\n}\n\nrunHtpasswdExample();","lang":"typescript","description":"This quickstart demonstrates programmatic usage of the `htpasswd` library to create a new password file, add a user with bcrypt encryption, verify passwords, and delete the user."},"warnings":[{"fix":"For script usage, utilize the `-i` option to read passwords from `stdin` to prevent exposure. For programmatic use, pass passwords directly to the API methods.","message":"Using the `-b` option to pass passwords directly on the command line is insecure, as the password becomes visible in shell history and process lists (e.g., `ps aux`).","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always prefer the `-B` (bcrypt) option for hashing passwords, which is currently considered very secure. When using bcrypt, ensure the `-C` cost parameter is set appropriately for your security needs (default is 5, but higher values like 10-12 are recommended).","message":"The `-d` (crypt), `-s` (SHA), and `-p` (plaintext) encryption algorithms are considered insecure by modern standards. 
Using them can compromise the security of your authentication.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Adjust the `-C` parameter to a higher value (e.g., 10-12) to increase the computational cost and enhance security, balancing it with acceptable response times for your system.","message":"When using bcrypt with the `-C` option (cost), note that the default cost of 5 might be too low for high-security applications. Higher costs increase computational time, making brute-force attacks more difficult.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-19T00:00:00.000Z","next_check":"2026-07-18T00:00:00.000Z","problems":[{"fix":"Install the package globally using `npm install -g htpasswd`.","cause":"The `htpasswd` CLI tool has not been installed globally or is not in your system's PATH.","error":"htpasswd: command not found"},{"fix":"To overwrite an existing file (which will delete all existing users), you must manually remove the old file first or confirm the overwrite via CLI prompt (if available) or programmatic option. If you intend to add a user to an existing file, omit the `-c` flag.","cause":"Attempting to create a new htpasswd file using the `-c` option when a file with the same name already exists.","error":"Error: file already exists"},{"fix":"Ensure that the verification process uses the correct algorithm that matches how the password was originally stored. If using deprecated algorithms, consider migrating users to bcrypt. 
Check the actual hash in the `.htpasswd` file to confirm the algorithm used (e.g., `$2y$`, `$apr1$`, `$sha1$` prefixes indicate bcrypt, MD5, SHA respectively).","cause":"This often happens if the password was originally hashed with an insecure or deprecated algorithm (e.g., MD5, SHA, crypt) or a different bcrypt cost than what is currently being used for verification attempts, or if the password was truncated by an old algorithm.","error":"Password mismatch during verification, even though the password seems correct."}],"ecosystem":"npm"}