Skip to content

Latest commit

 

History

History
144 lines (90 loc) · 4.34 KB

README.md

File metadata and controls

144 lines (90 loc) · 4.34 KB

sequelize-authentication Bitdeli Badge Build Status

A connect module for authentication against a database.

Usage

var app            = express()
  , authentication = require('sequelize-authentication')
  , Sequelize      = require('sequelize')
  , sequelize      = new Sequelize('database', 'user', 'password')

app.configure(function() {
  // express.static would go here
  app.use(authentication(sequelize[, options]))
  // express router would go here
})

Note: If you are serving static files (e.g. via express.static), make sure, that authentication is added afterwards. Also you should make sure, that the router is added after the authentication module.

Options

The second parameter of the authentication function is an object with options. Let's assume an application, that delivers hello world if the a user has authenticated successfully for the following description. You might want to check the example application under example/app.js. My local database has a root user without password.

Option: via

via defines, where the module will find the credentials.

Credentials in the params (default)

authentication(sequelize, { via: 'params' })

This will tell the module, that the credentials are either in the URL of the request or the body (POST). If you don't want to use headers, this is most likely what you want.

curl "http://localhost:3000?user=root&password="
# => hello world

curl "http://localhost:3000?user=root&password=fnord"
# => Unauthorized

curl -d "user=root&password=" "http://localhost:3000"
# => hello world

curl -d "user=root&password=fnord" "http://localhost:3000"
# => Unauthorized

Credentials in the headers

authentication(sequelize, { via: 'headers' })

This defines, that the credentials are in the headers of the request.

curl "http://localhost:3000?user=root&password="
# => Unauthorized

curl "http://localhost:3000?user=root&password=fnord"
# => Unauthorized

curl -d "user=root&password=" "http://localhost:3000"
# => Unauthorized

curl -d "user=root&password=fnord" "http://localhost:3000"
# => Unauthorized

curl -H "user: root" -H "password: " http://localhost:3000
# => hello world

curl -H "user: root" -H "password: fnord" http://localhost:3000
# => Unauthorized

Credentials in the URL

authentication(sequelize, { via: 'query' })

Credentials are in the URL of the request only.

curl "http://localhost:3000?user=root&password="
# => hello world

curl "http://localhost:3000?user=root&password=fnord"
# => Unauthorized

curl -d "user=root&password=" "http://localhost:3000"
# => Unauthorized

curl -d "user=root&password=fnord" "http://localhost:3000"
# => Unauthorized

Credentials in the post body

authentication(sequelize, { via: 'body' })

Credentials are in the body of the request only.

curl "http://localhost:3000?user=root&password="
# => Unauthorized

curl "http://localhost:3000?user=root&password=fnord"
# => Unauthorized

curl -d "user=root&password=" "http://localhost:3000"
# => hello world

curl -d "user=root&password=fnord" "http://localhost:3000"
# => Unauthorized

Option: scope

scope defines, which urls should receive protection via the module.

authentication(sequelize, { scope: '/api' })

This will protect each url that starts with /api.

curl http://localhost:3000
# => hello world

curl http://localhost:3000/api/secret
# => Unauthorized

curl http://localhost:3000/api/secret?user=root&password=
# => hello world

Option: param

param defines a parameter name which scopes the credentials. The default is none.

authentication(sequelize, { param: 'credentials' })

The module will now check, if the credentials are located in the credentials object.

curl "http://localhost:3000?credentials\[user\]=root&credentials\[password\]="
# => hello world

Hm? So, what's next?

The server will send each request through the authentication module. If the request authenticates correctly, it will be passed to the router. If authentication fails, the module will response with a 401 and the message 'Unauthorized'.

License

Hereby placed under MIT license.