How to use http-auth with Sails

Question

I have deployed my Sails app to a PaaS, and I'd like to have simple password protect so that no one can access my staging server.

What's the simplest way to do that?

Looks like http-auth, the doc explains how to implement for ExpressJS, but with SailsJS I don't find app.use()

what I have tried

In my policies.js file

module.exports.policies = {

  // '*': true,
    '*': require('http-auth').basic({
      realm: 'admin area'
    }, function customAuthMethod (username, password, onwards) {
      return onwards(username === "Tina" && password === "Bullock");
    }),

which leads to

info: Starting app...

error: Cannot map invalid policy:  { realm: 'admin area',
  msg401: '401 Unauthorized',
  msg407: '407 Proxy authentication required',
  contentType: 'text/plain',
  users: [] }

also it looks like Policies can't apply to views, but to actions only hm...

If you really are interested in using [http-auth](http://http-auth.info), look my answer. Obviously SailsJS documentation is incorrect and caused your problem. — gevorg, Jun 04 '16 at 19:27
I just [created pull request](https://github.com/balderdashy/sails-docs/pull/701), so Sails team update their docs. — gevorg, Jun 04 '16 at 20:02

gevorg · Accepted Answer · 2016-06-04T20:00:17.620

Reason

I think your problem comes from this page http://sailsjs.org/documentation/concepts/middleware that uses incorrect pattern for http-auth module.

Solution

SailsJS uses connect/express style middleware, so the only thing that you need to do is to provide proper middleware to it.

// Authentication module.
var auth = require('http-auth');
var basic = auth.basic({
        realm: "Simon Area."
    }, function (username, password, callback) { // Custom authentication.
        callback(username === "Tina" && password === "Bullock");
    }
});

// Use proper middleware.
module.exports.policies = {
    '*': auth.connect(basic)
    ...

Todo

Makes sense to notify SailsJS team, so they remove wrong sample.

Related links

score 2 · Answer 2 · edited Jun 04 '16 at 19:12

The way I did it was using config/http.js file. Creating custom middleware there...

This is my http.js file:

var basicAuth = require('basic-auth'),
    auth = function (req, res, next) {
        var user = basicAuth(req);
        if (user && user.name === "username" && user.pass === "password") return next();
        res.set('WWW-Authenticate', 'Basic realm=Authorization Required');
        return res.send(401);
    };

module.exports.http = {

    customMiddleware: function (app) {
        app.use('/protected', auth);
    },

    middleware: {

        order: [
            'startRequestTimer',
            'cookieParser',
            'session',
            // 'requestLogger',
            'bodyParser',
            'handleBodyParserError',
            'compress',
            'methodOverride',
            'poweredBy',
            '$custom',
            'router',
            'www',
            'favicon',
            '404',
            '500'
        ],

        requestLogger: function (req, res, next) {
            console.log("Requested :: ", req.method, req.url);
            console.log('=====================================');
            return next();
        }

    }
};

Just realized that you are using http-auth and mine example shows basic-auth... But logic is the same, it will work will http-auth on the same way also... — hlozancic, Jun 04 '16 at 09:21
Worked! Thank you for sharing. `/protected` is the folder where you put the pages you want to protect right? thank you for voting up the question if you find it interesting. — zabumba, Jun 04 '16 at 19:11
/protected is a route that will use that middleware... You can put anything to that route... This was just an example... In real use case I have served static files (docs for api generated by apidoc) on that route and then also added this auth to it. — hlozancic, Jun 05 '16 at 20:35

score 0 · Answer 3 · answered May 06 '22 at 07:27

The author of the package http-auth moved the function connect to another package called http-auth-connect, implementing basic auth like this works for me.

However, I am facing one problem, how to not hardcode username and password, and use it in form of environment config.

var httpAuth = require('http-auth');
var authConnect = require('http-auth-connect');

var basic = httpAuth.basic({
  realm: 'admin area'
}, function (username, password, onwards) {
  return onwards(username === "username" && password === "password");
});

module.export.policies = {

    ...

    'controllerpath/': [authConnect(basic)],

    ...

}