npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

htpasswd-js

v1.0.2

Published

Pure JS htpasswd authentication

Downloads

10,460

Readme

htpasswd-js

Pure JS htpasswd authentication.

This is based on htpasswd-auth, except that it uses bcryptjs for bcrypt hashes. This module does not depend on any C++ node add-ons, making it more portable. It is inevitably slower, however.

Usage

Simply provide the necessary arguments to the ::authenticate method:

const htpasswd = require('htpasswd-js');

htpasswd.authenticate({
	username: 'username',
	password: 'password',
	file: '/absolute/path/to/file.htpasswd'
})
	.then((result) => {
		// Result will be true if and only if
		// username and password were correct.
	});

It is also possible to provide htpasswd data directly, instead of reading it from a file:

const htpasswd = require('htpasswd-js');

htpasswd.authenticate({
	username: 'username',
	password: 'password',
	data: 'username: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n'
})
	.then((result) => {
		// Result will be true if and only if
		// username and password were correct.
	});

Note on Asynchronous Authentication

It may not seem like the authenticate method needs to be asynchronous, especially when the data is provided directly. No disk operations or interactions with other processes are necessary that case.

The reason why it is asynchronous, however, is because the bcryptjs module allows it:

Note: Under the hood, asynchronisation splits a crypto operation into small chunks. After the completion of a chunk, the execution of the next chunk is placed on the back of JS event loop queue, thus efficiently sharing the computational resources with the other operations in the queue.

This is the most desirable behavior, because you may need to consume high-cost bcrypt hashes. Synchronous operation would be possible, but it is rarely a good idea to block execution for potentially long periods of time.

Plain Text Passwords

Unlike htpasswd-auth and other similar modules, plain text passwords are not supported by htpasswd-js. The reason for this is that there's no real way in the htpasswd format of telling the difference between a crypt(3) hash and plain text. This is because the plain text and crypt(3) passwords are never supported by the same Apache instance. You get one or the other, based on which operating system you're running on.

Some other modules will check the unhashed password for equality with the hash before checking it with crypt(3). This is a bad idea, because it potentially allows an attacker to enter crypt(3) hashes directly, without even needing to do cryptanalysis to obtain the password.

Also, you really shouldn't be storing passwords as plain text. Or crypt(3). Or really anything but bcrypt at this point. Why? See below.

Please Use bcrypt

bcrypt is the only htpasswd-supported password format that still holds up to modern cryptanalysis.

  • MD5 was declared cryptographically broken in 2008. Attacks against it can run on an average computer in less then a second.
  • SHA1 has its own vulnerabilities, and the algorithm used by htpasswd does not use a random salt, making it additionally vulnerable to lookup tables and rainbow tables.
  • crypt(3)'s traditional DES-based algorithm, which is used by htpasswd, is very old and does not hold up to dictionary attacks on modern hardware.
  • Plain text of course doesn't require any cryptanalysis because it's plain text.

I supported the others for sake of completeness and also because you won't always be able to control which formats are used in your organization. If you can, however, make sure to use bcrypt and only bcrypt.

Editing Files

htpasswd-js only supports authentication. To actually edit htpasswd files, you may want to use Apache's htpasswd utility itself, or its node port. Fortunately, the node port also uses bcryptjs, so it doesn't need any C++ add-ons, either.