npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

passport-reverseproxy

v0.1.0

Published

HTTP reverse proxy authentication strategies for Passport.

Downloads

1,342

Readme

Passport-ReverseProxy

HTTP reverse proxy authentication strategies for Passport.

This module lets you authenticate HTTP requests using HTTP header values injected by a HTTP reverse proxy server in front of your application server. Reverse proxy authentication is a technique for enterprise networks to provide Single Sign On (SSO) for enterprise users.

By plugging into Passport, support for these schemes can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.

Install

$ npm install passport-reverseproxy

Usage of HTTP

Using Apache as a reverse proxy

Here is an example of configuring Apache for use as a reverse proxy using a local passwd file.

Credit: Jenkins Reverse Proxy Auth Plugin

<Location />
    AuthName "Please sign in with your Apache user name and password"
    AuthType BASIC
    AuthUserFile /etc/apache2/passwd
    Require valid-user

    # prevent the client from setting this header
    RequestHeader unset X-Forwarded-User

    # Adds the X-Forwarded-User header that indicates the current user name.
    # this portion came from http://old.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-td2911573.html#a2914465
    RewriteEngine On
    # see the Apache documentation on why this has to be lookahead
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    # this actually doesn't rewrite anything. what we do here is to set RU to the match above
    RewriteRule .* - [E=RU:%1]
    RequestHeader set X-Forwarded-User %{RU}e
</Location>

Notes:

  • Make sure that clients cannot bypass the reverse proxy. If they can send requests directly to Jenkins, then a malicious client can send in arbitrary header name with arbitrary value, thus compromising the security of Jenkins
  • Make sure you configure the reverse proxy to erase the header that you use to pass the authenticated user name. This prevents malicious client from setting the header name with arbitrary value, which would ruin the security.

Configure Strategy

The HTTP Reverse proxy authentication strategy authenticates users by inspecting a configurable set of HTTP request headers.

By default, the strategy will look for a request header named 'X-Forwarded-User', which will be used as the value for req.user.username.

Optionally, you can specify the request headers that should participate in authentication decisions via the options.headers map:

var express = require('express'),
    passport = require('passport'),
    ReverseProxyStrategy = require('passport-reverseproxy');

passport.use(new ReverseProxyStrategy({
    headers: {
      'X-Forwarded-User': { alias: 'username', required: true },
      'X-Forwarded-UserEmail': { alias: 'email', required: false }
    }
  })
);

// require authentication for all requests except favicon.ico
app.configure(function() {
  app.use(express.favicon())
  app.use(express.bodyParser());
  app.use(passport.initialize());
  app.use(passport.authenticate('reverseproxy', { session: false }));
  app.use(express.static(path.join(__dirname, 'public')));
});

You can also specify a network range as a whitelist of allowed client connections to your app. The whitelist is a cursory security check to verify the end user did not circumvent the reverse proxy server. Your deployment should use this setting merely as a defense in depth layer alongside more robust network access control techniques (e.g., IPSec tunnels, VLANs, firewall rules). Advanced enterprise reverse proxy appliances may also include a non-repudiatable token, like a digital signature, that you should validate in the verify function.

passport.use(new ReverseProxyStrategy({
    headers: {
      'X-Forwarded-User': { alias: 'username', required: true },
      'X-Forwarded-UserId': { alias: 'id', required: false }
    },
     // only allow localhost to proxy requests
    whitelist: '127.0.0.1/0'
  })
);

Unlike most Passport authentication strategies, it is unlikely you will need session caching of the authentication ticket, since the reverse proxy should inject the headers into every request to your server.

The strategy optinally supports a verify callback, which accepts these reverse proxy header values and calls done providing a user.

passport.use(new ReverseProxyStrategy({
   headers: { 
      'X-Forwarded-User': { alias: 'username', required: true },
      'X-Forwarded-UserId': { alias: 'id', required: false }
   },
   // only allow localhost to proxy requests
   whitelist: '127.0.0.1/0'
  },
  function(headers, user, done) {
    var err = null;

    // verify that the username is an email address
    if (! /^.*@.*$/.test(headers['X-Forwarded-User'])) { return done(err, false, 401); }

    return done(err, user);
  })
);

Authenticate Requests

Use passport.authenticate(), specifying the 'reverseproxy' strategy, to authenticate requests. Requests relying on request header values are inherently stateless, and should not require session support, so the session option can be set to false.

For example, as route middleware in an Express application:

app.get('/private', 
  passport.authenticate('reverseproxy', { session: false }),
  function(req, res) {
    res.json(req.user);
  });

Examples

For a complete, working example, refer to the Reverse Proxy example.

Credits

License

The MIT License