{"id":17322,"library":"passport-http-bearer-sl","title":"Passport HTTP Bearer Strategy (SuperLogin Fork)","description":"passport-http-bearer-sl is an HTTP Bearer authentication strategy specifically for the Passport.js middleware, forked from the original `passport-http-bearer` package. It enables Node.js applications to authenticate requests using bearer tokens, typically for protecting API endpoints and often in conjunction with OAuth 2.0. The key differentiation of this fork (version 1.0.4, last published in 2013) is the change in the expected query parameter for the token from 'access_token' to 'bearer_token'. This modification was made to prevent conflicts with reserved 'access_token' parameters used by certain OAuth providers, particularly within the context of the SuperLogin project. Due to its age and lack of recent updates (last GitHub commit in 2017), it is largely considered abandoned, with no active development or defined release cadence, making it suitable only for legacy systems or specific SuperLogin environments where this exact behavior is required. The original `passport-http-bearer` (actively maintained) or other `passport-http-custom-bearer` forks are generally preferred for new projects.","status":"abandoned","version":"1.0.4","language":"javascript","source_language":"en","source_url":"git://github.com/colinskow/passport-http-bearer-sl","tags":["javascript","passport","auth","authn","authentication","authz","authorization","http","bearer"],"install":[{"cmd":"npm install passport-http-bearer-sl","lang":"bash","label":"npm"},{"cmd":"yarn add passport-http-bearer-sl","lang":"bash","label":"yarn"},{"cmd":"pnpm add passport-http-bearer-sl","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Core dependency for any Passport strategy. The strategy registers itself with Passport and uses its authentication flow.","package":"passport","optional":false}],"imports":[{"note":"The package exports a named `Strategy` class. For clarity, it's common practice to rename it to `BearerStrategy`. Primarily designed for CommonJS due to its age.","wrong":"import BearerStrategy from 'passport-http-bearer-sl';\n// or:\nconst BearerStrategy = require('passport-http-bearer-sl');","symbol":"BearerStrategy","correct":"import { Strategy as BearerStrategy } from 'passport-http-bearer-sl';\n// or for CommonJS:\nconst BearerStrategy = require('passport-http-bearer-sl').Strategy;"},{"note":"When using bearer tokens for APIs, sessions are typically not required, so `session: false` should be explicitly set for stateless authentication.","wrong":"app.get('/api/resource', passport.authenticate('bearer'), (req, res) => { /* ... */ });","symbol":"passport.authenticate","correct":"app.get('/api/resource', passport.authenticate('bearer', { session: false }), (req, res) => { /* ... */ });"},{"note":"While you can name the strategy, 'bearer' is the conventional name for HTTP Bearer strategies, allowing `passport.authenticate('bearer')` to work without specifying the custom name.","wrong":"passport.use('bearer-sl', new BearerStrategy(function(token, done) { /* ... */ }));","symbol":"passport.use","correct":"passport.use(new BearerStrategy(function(token, done) { /* ... */ }));"}],"quickstart":{"code":"const express = require('express');\nconst passport = require('passport');\nconst { Strategy: BearerStrategy } = require('passport-http-bearer-sl');\n\nconst app = express();\napp.use(passport.initialize());\n\n// Simulate a User database\nconst users = [{\n  id: 1,\n  username: 'testuser',\n  token: 'supersecrettoken123',\n  scope: ['read', 'write']\n}];\n\npassport.use(new BearerStrategy(\n  function(token, done) {\n    // In a real application, you would fetch the user from a database\n    // based on the provided bearer token.\n    const user = users.find(u => u.token === token);\n    if (!user) { return done(null, false); }\n    // Optional info can be passed, typically including associated scope\n    return done(null, user, { scope: user.scope });\n  }\n));\n\napp.get('/profile', \n  passport.authenticate('bearer', { session: false }),\n  function(req, res) {\n    // req.user contains the authenticated user\n    // req.authInfo contains the optional info from the strategy (e.g., scope)\n    res.json({\n      message: `Welcome, ${req.user.username}!`, \n      user: req.user,\n      authInfo: req.authInfo\n    });\n  }\n);\n\napp.listen(3000, () => {\n  console.log('Server running on http://localhost:3000');\n  console.log('Test with: curl -H \"Authorization: Bearer supersecrettoken123\" http://localhost:3000/profile');\n  console.log('Test with invalid token: curl -H \"Authorization: Bearer wrongtoken\" http://localhost:3000/profile');\n});","lang":"javascript","description":"This quickstart demonstrates how to configure and use `passport-http-bearer-sl` with Express.js to protect an API endpoint using a bearer token, showing token verification and access to user data."},"warnings":[{"fix":"Ensure clients send the bearer token in the `Authorization` header as `Bearer <token>` or as a `bearer_token` query/body parameter, not `access_token`.","message":"This fork changes the expected query parameter for the bearer token from `access_token` (used by the original `passport-http-bearer`) to `bearer_token` to avoid conflicts with OAuth providers. Code expecting `access_token` in query parameters will break.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"For new projects, consider using the original `passport-http-bearer` (which is actively maintained) or a more recent alternative. If you must use this package, thoroughly audit its code and dependencies for security flaws.","message":"The package is effectively abandoned with no recent updates or maintenance since 2017. This implies potential compatibility issues with newer Node.js versions or security vulnerabilities that will not be patched.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always provide a `verify` callback function to the `BearerStrategy` constructor that handles token validation and calls the `done` callback.","message":"Like all Passport strategies, `passport-http-bearer-sl` requires a `verify` callback function. Failing to provide this callback will result in a `TypeError` during strategy initialization.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Ensure your core `passport` package dependency is updated to version `0.6.0` or later to mitigate session fixation vulnerabilities. Even with `session: false`, this is good practice.","message":"Passport's core `session` vulnerability (CVE-2022-25896) affects Passport versions prior to 0.6.0. While this package is a strategy, its usage with an outdated Passport core could expose applications to session fixation attacks.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Pass a function as the second argument (or first, if no options object) to the `BearerStrategy` constructor: `new BearerStrategy(function(token, done) { /* ... */ })`.","cause":"The `BearerStrategy` constructor was called without providing the essential `verify` callback function.","error":"TypeError: HTTPBearerStrategy requires a verify callback"},{"fix":"For CommonJS, use `const { Strategy: BearerStrategy } = require('passport-http-bearer-sl');`. For ESM (if transpiled), use `import { Strategy as BearerStrategy } from 'passport-http-bearer-sl';`.","cause":"The `BearerStrategy` class was used without being correctly imported or required from the package.","error":"ReferenceError: BearerStrategy is not defined"},{"fix":"Send the token via the `Authorization: Bearer <token>` header or use the `bearer_token` query/body parameter instead of `access_token`.","cause":"This fork expects `bearer_token` in the query string or `Authorization` header, not `access_token`, due to its specific modification for SuperLogin.","error":"Unauthorized / 401 response when providing `access_token` in URL query"}],"ecosystem":"npm","meta_description":null}