edt

Reputation: 22440

How to setup basic authentication (w/generated value) for Express.js route?

My site is powered by node & using the Express framework. My goal is to set up a proxy to get data from the Yahoo Placefinder api (because they do not offer a JSONP response). I want to send jquery ajax requests to the proxy and get back the PlaceFinder api response.

Here is my express route:

var http = require('http'); // needed for http.get below

app.get('/placefinder/:curr_address', function (req, res) {

    var options = {
        host: 'where.yahooapis.com',
        port: 80,
        // encode the address so it cannot smuggle extra query parameters into the upstream URL
        path: '/geocode?location=' + encodeURIComponent(req.params.curr_address) + '&flags=J&appid=[put app id here]'
    };

    // named proxyReq rather than req, which would shadow the Express request object above
    var proxyReq = http.get(options, function (res2) {
        console.log("Got response: " + res2.statusCode);

        var body = '';
        res2.setEncoding('utf8');
        res2.on('data', function (chunk) {
            console.log('BODY: ' + chunk);
            body += chunk; // collect every chunk; rendering per chunk would send headers twice
        }); // on data

        res2.on('end', function () {
            res.render('response', {
                response: body
            }); // res.render
        }); // on end
    }); // proxyReq

    proxyReq.on('error', function (e) {
        console.log("Got error: " + e.message + "... path: " + options.host + options.path);
        res.statusCode = 502;
        res.end('upstream request failed');
    });
    // http.get() ends the request itself, so the former req.write('data\n') calls are dropped:
    // writing after end would throw, and a GET carries no body anyway
});

The above code is working. For example, I can visit mywebsite.com/placefinder/123+fake+street,90210 and the response from the PlaceFinder api will be displayed.

The issue is that everyone can visit that page and get the response from the PlaceFinder api. I don't want that. I only want my (ajax) scripts to have access.

  1. How can I use some basic authentication to permit only my ajax requests to access mywebsite.com/placefinder/123+fake+street,90210 ... I've never used basic authentication and I can't figure out how to apply it to this case.

  2. Or, is there some way I can block the placefinder directory from all outside access (kind of like apache .htaccess)?

Upvotes: 0

Views: 1980

Answers (1)

Alfred

Reputation: 61793

How can I use some basic authentication to permit only my ajax requests to access mywebsite.com/placefinder/123+fake+street,90210 ... I've never used basic authentication and I can't figure out how to apply it to this case.

I don't think you should be using basic auth, but use sessions instead. TJ does have an example available of how to use sessions at https://github.com/visionmedia/express/tree/master/examples/session. There are a lot more examples available you should study. Connect does also have a middleware to handle basic auth though. I don't like this approach, because it is not that safe, especially when not used behind SSL.

Or, is there some way I can block the placefinder directory from all outside access (kind of like apache .htaccess)?

In node.js every app runs in a separate process. You could just bind to that host instead of INADDR_ANY.

app.listen([port[, host]])

Bind the app server to the given port, which defaults to 3000. When host is omitted all connections will be accepted via INADDR_ANY.

app.listen();
app.listen(3000);
app.listen(3000, 'n.n.n.n');

You could also use node.js with Nginx. Then you can, for example, use something like https://serverfault.com/questions/183884/nginx-protect-directory-with-password-except-for-specific-ips/183939#183939. Nginx is very powerful.

Upvotes: 1
