passport-client-cert
v2.1.0
Published
Passport.js strategy for TLS client certificate authentication
Downloads
12,672
Maintainers
Readme
passport-client-cert
passport.js strategy for TLS client certificate authentication and authorisation.
passport-client-cert is for TLS connections direct to a Node.js application.
Usage
The strategy constructor requires a verify callback, which will be executed on each authenticated request. It is responsible for checking the validity of the certificate and user authorisation.
Options
passReqToCallback
- optional. Causes the request object to be supplied to the verify callback as the first parameter.
The verify callback is passed with the client certificate object and a done
callback. The done
callback must be called as per the passport.js documentation.
var passport = require('passport');
var ClientCertStrategy = require('passport-client-cert').Strategy;
passport.use(new ClientCertStrategy(function(clientCert, done) {
var cn = clientCert.subject.cn,
user = null;
// The CN will typically be checked against a database
if(cn === 'test-cn') {
user = { name: 'Test User' }
}
done(null, user);
}));
The verify callback can be supplied with the request
object by setting the passReqToCallback
option to true
, and changing callback arguments accordingly.
passport.use(new ClientCertStrategy({ passReqToCallback: true }, function(req, clientCert, done) {
var cn = clientCert.subject.cn,
user = null;
// The CN will typically be checked against a database
if(cn === 'test-cn') {
user = { name: 'Test User' }
}
done(null, user);
}));
Examples
Install and start the example server app:
$ npm install
$ cd example
$ node example-server.js
Submit a request with a client certificate:
$ curl -k --cert certs/joe.crt --key certs/joe.key --cacert certs/ca.crt https://localhost:3443
If curl
fails and you are using OSX Mavericks or newer (where support for ad-hoc CA certifcates is broken, try wget
instead:
$ wget -qSO - --no-check-certificate --certificate=certs/joe.crt --private-key=certs/joe.key --ca-certificate=certs/ca.crt https://localhost:3443/
Requests submitted with joe.crt
are authorised because joe
is in the list of valid users. Requests submitted without a certificate, or with bob.crt
will fail with a HTTP 401
.
Test
$ npm install
$ npm test