{"id":17324,"library":"passport-http-header-token","title":"Passport HTTP Header Token","description":"Passport HTTP Header Token is a Node.js authentication strategy for the Passport.js middleware, designed to authenticate users based on a raw token provided directly in an HTTP header. This strategy, currently at version 1.1.0, was last published in 2016 and has not received updates since, indicating it is an abandoned package. Its simple design requires a `verify` callback to validate the submitted token against a user store. Unlike the more commonly used `passport-http-bearer` strategy, `passport-http-header-token` expects a raw token value in the header rather than parsing a 'Bearer <token>' format, which can lead to confusion if standard RFC 6750 bearer tokens are expected. Due to its unmaintained status, developers should carefully consider potential security implications and evaluate more actively supported alternatives like `passport-http-bearer` or `passport-jwt` for modern applications.","status":"abandoned","version":"1.1.0","language":"javascript","source_language":"en","source_url":"git://github.com/peralmq/passport-http-header-token","tags":["javascript","passport","auth","authn","authentication","header","token"],"install":[{"cmd":"npm install passport-http-header-token","lang":"bash","label":"npm"},{"cmd":"yarn add passport-http-header-token","lang":"bash","label":"yarn"},{"cmd":"pnpm add passport-http-header-token","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"This package is a strategy for the Passport.js authentication middleware.","package":"passport","optional":false}],"imports":[{"note":"The package is CommonJS-only and does not provide an ESM export for `Strategy`.","wrong":"import { Strategy } from 'passport-http-header-token';","symbol":"Strategy","correct":"const HTTPHeaderTokenStrategy = require('passport-http-header-token').Strategy;"},{"note":"Passport.js itself, like this strategy, is primarily CommonJS and typically imported via `require` in older Node.js projects.","wrong":"import passport from 'passport';","symbol":"passport","correct":"const passport = require('passport');"},{"note":"The strategy is typically instantiated and passed directly to `passport.use()` or named explicitly (e.g., `'token'`) as the first argument.","wrong":"passport.use('http-header-token', /* ... */);","symbol":"configure strategy","correct":"passport.use(new HTTPHeaderTokenStrategy( /* ... */ ));"}],"quickstart":{"code":"const express = require('express');\nconst passport = require('passport');\nconst HTTPHeaderTokenStrategy = require('passport-http-header-token').Strategy;\n\nconst app = express();\n\n// Mock User database for demonstration\nconst users = [{\n  id: 1,\n  username: 'testuser',\n  token: 'mysecrettoken123'\n}];\n\npassport.use(new HTTPHeaderTokenStrategy(\n  function(token, done) {\n    // In a real application, you would query your database here\n    // for a user associated with the provided token.\n    console.log(`Attempting to authenticate with token: ${token}`);\n    const user = users.find(u => u.token === token);\n\n    if (!user) {\n      return done(null, false, { message: 'Incorrect token.' });\n    }\n    return done(null, user);\n  }\n));\n\napp.use(passport.initialize());\n\napp.get('/api/protected', \n  passport.authenticate('http-header-token', { session: false, failureMessage: true }),\n  function(req, res) {\n    res.json({ message: `Access granted, user: ${req.user.username}` });\n  }\n);\n\napp.get('/', (req, res) => {\n  res.send('Welcome! Try GET /api/protected with an Authorization header like: Authorization: mysecrettoken123');\n});\n\nconst PORT = process.env.PORT || 3000;\napp.listen(PORT, () => {\n  console.log(`Server running on http://localhost:${PORT}`);\n  console.log('Test with: curl -H \"Authorization: mysecrettoken123\" http://localhost:3000/api/protected');\n  console.log('Test failure with: curl -H \"Authorization: wrongtoken\" http://localhost:3000/api/protected');\n});","lang":"javascript","description":"Demonstrates how to set up and use `passport-http-header-token` in an Express application to authenticate requests using a token provided in the 'Authorization' header."},"warnings":[{"fix":"Consider migrating to actively maintained alternatives like `passport-http-bearer` (for standard bearer tokens) or `passport-jwt` (for JSON Web Tokens). If custom header token behavior is required, `passport-http-custom-bearer` is another option. Evaluate the security implications carefully if continued use is unavoidable.","message":"This package is effectively abandoned, with the last publish date over 10 years ago (June 2016). It has not received any updates or security patches since. Using unmaintained software carries significant security risks and may not be compatible with modern Node.js versions or best practices.","severity":"breaking","affected_versions":">=1.1.0"},{"fix":"Ensure your client sends only the raw token value (e.g., `Authorization: mysecrettoken123`) or modify your `verify` callback to parse the incoming header string if it includes a scheme. For standard bearer token parsing (e.g., `Authorization: Bearer <token>`), use `passport-http-bearer` instead.","message":"Unlike `passport-http-bearer`, this strategy expects the raw token value directly in the specified HTTP header (defaulting to 'Authorization'). It does not parse standard 'Bearer <token>' or other scheme-prefixed formats. Providing 'Bearer <token>' will pass 'Bearer <token>' as the token value to your verify callback.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Use CommonJS `require` syntax: `const HTTPHeaderTokenStrategy = require('passport-http-header-token').Strategy;` in your Node.js application.","message":"This package is CommonJS-only and does not provide native ESM exports. Attempting to `import { Strategy } from 'passport-http-header-token'` in an ESM module will result in an error.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Create a `d.ts` declaration file (e.g., `passport-http-header-token.d.ts`) with basic types for the strategy. Example: `declare module 'passport-http-header-token' { class Strategy extends require('passport').Strategy { constructor(verify: (token: string, done: (err: any, user?: any, info?: any) => void) => void); } export { Strategy }; }`","message":"This package does not ship with TypeScript type definitions, nor are official types available on `@types/passport-http-header-token`. This necessitates manual type declarations or `@ts-ignore` usage in TypeScript projects.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"When authenticating requests, always specify `{ session: false }` in the `passport.authenticate()` options: `passport.authenticate('http-header-token', { session: false, ... })`.","message":"For API authentication using tokens, sessions are typically not needed and should be explicitly disabled to prevent unexpected behavior or session cookies being set. The default Passport behavior often involves sessions.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure you are requiring the `Strategy` property from the package and instantiating it with `new`: `const HTTPHeaderTokenStrategy = require('passport-http-header-token').Strategy; passport.use(new HTTPHeaderTokenStrategy(...));`","cause":"The `HTTPHeaderTokenStrategy` was not properly imported or instantiated as a class before being passed to `passport.use()`.","error":"TypeError: Strategy must be a function"},{"fix":"Verify that `passport.use(new HTTPHeaderTokenStrategy(...))` is executed before any routes or middleware that use `passport.authenticate('http-header-token', ...)`. Also check for typos in the strategy name.","cause":"The `passport-http-header-token` strategy has not been registered with Passport using `passport.use()` before `passport.authenticate()` is called.","error":"Error: Unknown authentication strategy \"http-header-token\""},{"fix":"Check the token sent in the HTTP header by the client. Ensure your `verify` callback logic correctly retrieves and validates the token against your user data. Remember this strategy expects a raw token, not 'Bearer <token>' unless you parse it.","cause":"The token provided by the client does not match any known user, or the `verify` callback returned `done(null, false)`.","error":"Authentication Failed (or similar log/response for incorrect token)"}],"ecosystem":"npm","meta_description":null}