{"id":16174,"library":"passport-http","title":"Passport HTTP Basic & Digest Strategies","description":"This package provides authentication strategies for HTTP Basic and HTTP Digest schemes, designed to integrate with the Passport.js authentication middleware for Node.js. It allows applications to secure endpoints using standard HTTP authentication headers, often used for API access or intranet applications. The current stable version is 0.3.0, last published nine years ago. This package is part of the original Passport ecosystem and differentiates itself by offering direct implementations of these fundamental HTTP authentication methods, enabling their use with any Connect/Express-style middleware. Its release cadence is non-existent, suggesting a mature but abandoned state, with focus on core functionality without frequent updates. While functional, developers should consider its age and lack of recent security patches.","status":"abandoned","version":"0.3.0","language":"javascript","source_language":"en","source_url":"git://github.com/jaredhanson/passport-http","tags":["javascript","passport","http","basic","digest","auth","authn","authentication"],"install":[{"cmd":"npm install passport-http","lang":"bash","label":"npm"},{"cmd":"yarn add passport-http","lang":"bash","label":"yarn"},{"cmd":"pnpm add passport-http","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"This package implements strategies for Passport.js, which is a required peer dependency for its functionality.","package":"passport","optional":false}],"imports":[{"note":"BasicStrategy is a named export. Ensure you import the specific class.","wrong":"const BasicStrategy = require('passport-http').Strategy;","symbol":"BasicStrategy","correct":"import { BasicStrategy } from 'passport-http';"},{"note":"DigestStrategy is a named export. Use named import syntax.","wrong":"const DigestStrategy = require('passport-http').DigestStrategy;","symbol":"DigestStrategy","correct":"import { DigestStrategy } from 'passport-http';"},{"note":"The `passport` object itself comes from the `passport` package, not `passport-http`.","wrong":"const passport = require('passport-http');","symbol":"passport","correct":"import passport from 'passport';"}],"quickstart":{"code":"import express from 'express';\nimport passport from 'passport';\nimport { BasicStrategy, DigestStrategy } from 'passport-http';\n\nconst app = express();\nconst PORT = process.env.PORT || 3000;\n\n// A mock user database for demonstration\nconst users = [\n { id: 1, username: 'john', password: 'password', secret: 'shared-secret' },\n { id: 2, username: 'jane', password: 'secure', secret: 'another-secret' }\n];\n\n// Basic Strategy Configuration\npassport.use(new BasicStrategy(\n function(userid, password, done) {\n const user = users.find(u => u.username === userid);\n if (!user) { return done(null, false); }\n if (user.password !== password) { return done(null, false); }\n return done(null, user);\n }\n));\n\n// Digest Strategy Configuration\npassport.use(new DigestStrategy({ qop: 'auth' },\n function(username, done) {\n const user = users.find(u => u.username === username);\n if (!user) { return done(null, false); }\n // For Digest, 'done' needs to provide the user and the shared secret (password)\n return done(null, user, user.secret);\n },\n function(params, done) {\n // Optional: Validate nonce and other parameters to prevent replay attacks\n // For simplicity, we just accept for this example.\n done(null, true);\n }\n));\n\napp.use(passport.initialize());\n\n// Routes for HTTP Basic Authentication\napp.get('/basic-private', \n passport.authenticate('basic', { session: false }),\n function(req, res) {\n res.json({ message: 'Welcome to the basic private area!', user: req.user.username });\n }\n);\n\n// Routes for HTTP Digest Authentication\napp.get('/digest-private', \n passport.authenticate('digest', { session: false }),\n function(req, res) {\n res.json({ message: 'Welcome to the digest private area!', user: req.user.username });\n }\n);\n\napp.get('/', (req, res) => {\n res.send('Hello! Try accessing /basic-private or /digest-private with auth.');\n});\n\napp.listen(PORT, () => {\n console.log(`Server running on http://localhost:${PORT}`);\n console.log('Test Basic Auth with: curl -u john:password http://localhost:3000/basic-private');\n console.log('Test Digest Auth with: curl --digest -u jane:another-secret http://localhost:3000/digest-private');\n});\n","lang":"javascript","description":"This example demonstrates configuring and using both HTTP Basic and HTTP Digest authentication strategies with Passport.js and Express, showcasing how to protect routes without requiring session management."},"warnings":[{"fix":"Consider more modern authentication approaches (e.g., JWT, OAuth 2.0) or actively maintained Passport strategies, especially for new projects. If using, thoroughly test compatibility and review its source for potential security concerns.","message":"This package (v0.3.0) has not been updated in over nine years. While it may still function, it's not actively maintained, which can lead to compatibility issues with newer Node.js versions, updated Passport.js versions, or expose unpatched security vulnerabilities.","severity":"gotcha","affected_versions":">=0.3.0"},{"fix":"Always include `{ session: false }` in `passport.authenticate('strategy', { session: false })` when using stateless HTTP authentication schemes.","message":"When using HTTP Basic or Digest authentication for APIs, sessions are typically not desired. Forgetting to set `session: false` in `passport.authenticate()` can lead to unexpected session creation or persistence behavior.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Always deploy applications using Basic or Digest authentication with HTTPS/TLS enabled. For new applications, prefer token-based authentication (like JWT) over Digest for better security and flexibility.","message":"HTTP Basic Authentication sends credentials in plain text (Base64 encoded) and should *only* be used over HTTPS/TLS to prevent eavesdropping. HTTP Digest offers some protection but is considered less secure and more complex than modern token-based methods.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Ensure `done` is called correctly: `done(null, user)` on success, `done(null, false)` for failed authentication (e.g., wrong password), and `done(error)` for server errors.","message":"The `done` callback in strategy verification functions has a specific signature: `done(error, user, info)`. Incorrectly calling `done` (e.g., `done(user)`) can lead to authentication failures, server errors, or incorrect user context.","severity":"gotcha","affected_versions":">=0.1.0"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Ensure `passport.use(new BasicStrategy(...))` is called and executed before any routes attempt to use the 'basic' strategy.","cause":"The Passport BasicStrategy has not been properly configured or registered with `passport.use()` before `passport.authenticate('basic')` is called.","error":"Error: Unknown authentication strategy \"basic\""},{"fix":"Use `new BasicStrategy(...)` to instantiate the strategy. For CommonJS, ensure `const { BasicStrategy } = require('passport-http');` or `const BasicStrategy = require('passport-http').BasicStrategy;` is used. For ESM, `import { BasicStrategy } from 'passport-http';` is correct.","cause":"This error typically occurs when attempting to call `BasicStrategy` as a function or if the import statement is incorrect (e.g., trying to default import a named export).","error":"TypeError: BasicStrategy is not a constructor"},{"fix":"Replace `User.findOne` and `user.verifyPassword` with your actual user retrieval and password verification logic from your database or authentication system.","cause":"The examples in the README use `User.findOne` and `user.verifyPassword` as placeholders, which assume you have a `User` model or equivalent logic defined to retrieve and validate user credentials.","error":"ReferenceError: User is not defined"}],"ecosystem":"npm"}