implemented custom response bodies

Leon Strauss · Leon Strauss · commit 17da2dae114e · 2016-10-18T14:14:25.000+02:00
diff --git a/README.md b/README.md
@@ -32,7 +32,8 @@ The middleware will now check incoming requests to match the credentials
 The middleware will check incoming requests for a basic auth (`Authorization`)
 header, parse it and check if the credentials are legit.
 
-**If a request is found to not be authorized**, it will respond with HTTP 401 and an empty body.
+**If a request is found to not be authorized**, it will respond with HTTP 401
+and a configurable (default empty) body.
 
 **If a request is successfully authorized**, an `auth` property will be added to the request,
 containing an object with `user` and `password` properties, filled with the credentials.
@@ -96,6 +97,26 @@ function myAsyncAuthorizer(username, password, cb) {
 }
 ```
 
+### Unauthorized Response Body
+
+Per default, the response body for unauthorized responses will be empty. It can
+be configured using the `unauthorizedResponse` option. You can either pass a
+simple string, which will be used as the response body, or a function that gets
+passed the express request object and is expected to return the response body:
+
+```js
+app.use(basicAuth({
+    users: { 'Foo': 'bar' },
+    unauthorizedResponse: getUnauthorizedResponse
+}));
+
+function getUnauthorizedResponse(req) {
+    return req.auth
+        ? ('Credentials ' + req.auth.user + ':' + req.auth.password + ' rejected')
+        : 'No credentials provided';
+}
+```
+
 ### Challenge
 
 Per default the middleware will not add a `WWW-Authenticate` challenge header to
@@ -125,8 +146,7 @@ try out the requests and play around with the options.
 
 ## To Do
 
-- Allow customization of unauthorized response body
+- Allow response body to be JSON (auto detect?)
 - Allow to set a realm for the challenge
 - Some kind of automated testing with the example server
-- Maybe add some optional callback to be called for unauthorized requests (for security logging)
 - Decide what should be included in `1.0.0`
diff --git a/example.js b/example.js
@@ -42,6 +42,16 @@ var asyncAuth = basicAuth({
     authorizeAsync: true
 });
 
+//Uses a custom response body function
+var customBodyAuth = basicAuth({
+    users: { 'Foo': 'bar' },
+    unauthorizedResponse: getUnauthorizedResponse
+});
+
+//Uses a static response body
+var staticBodyAuth = basicAuth({
+    unauthorizedResponse: 'Haaaaaha'
+});
 
 app.get('/static', staticUserAuth, function(req, res) {
     res.status(200).send('You passed');
@@ -59,6 +69,14 @@ app.get('/async', asyncAuth, function(req, res) {
     res.status(200).send('You passed');
 });
 
+app.get('/custombody', customBodyAuth, function(req, res) {
+    res.status(200).send('You passed');
+});
+
+app.get('/staticbody', staticBodyAuth, function(req, res) {
+    res.status(200).send('You passed');
+});
+
 app.listen(8080, function() {
     console.log("Listening!");
 });
@@ -75,3 +93,7 @@ function myAsyncAuthorizer(username, password, cb) {
     else
         return cb(null, false)
 }
+
+function getUnauthorizedResponse(req) {
+    return req.auth ? ('Credentials ' + req.auth.user + ':' + req.auth.password + ' rejected') : 'No credentials provided';
+}
diff --git a/index.js b/index.js
@@ -6,7 +6,14 @@ function buildMiddleware(options) {
     var users = options.users || {};
     var authorizer = options.authorizer || staticUsersAuthorizer;
     var isAsync = options.authorizeAsync != undefined ? !!options.authorizeAsync : false;
+    var getResponseBody = options.unauthorizedResponse;
 
+    if(!getResponseBody)
+        getResponseBody = function() { return ''; };
+    else if(typeof getResponseBody == 'string')
+        getResponseBody = function() { return options.unauthorizedResponse };
+
+    assert(typeof getResponseBody == 'function', 'Expected a string or function for the unauthorizedResponse option');
     assert(typeof users == 'object', 'Expected an object for the basic auth users, found ' + typeof users + ' instead');
     assert(typeof authorizer == 'function', 'Expected a function for the basic auth authorizer, found ' + typeof authorizer + ' instead');
 
@@ -24,16 +31,16 @@ function buildMiddleware(options) {
         if(!authentication)
             return unauthorized();
 
-        if(isAsync)
-            return authorizer(authentication.name, authentication.pass, authorizerCallback);
-        else if(!authorizer(authentication.name, authentication.pass))
-            return unauthorized();
-
         req.auth = {
             user: authentication.name,
             password: authentication.pass
         };
 
+        if(isAsync)
+            return authorizer(authentication.name, authentication.pass, authorizerCallback);
+        else if(!authorizer(authentication.name, authentication.pass))
+            return unauthorized();
+
         next();
 
         function unauthorized() {
@@ -42,7 +49,7 @@ function buildMiddleware(options) {
             if(challenge)
                 res.set('WWW-Authenticate', 'Basic');
 
-            return res.send('');
+            return res.send(getResponseBody(req));
         }
 
         function authorizerCallback(err, approved) {
