
Express basic authentication for serving static files

I'm using Express 4 framework and I need basic authentication for serving static files. This is what I have now:

// Express runs middleware in registration order: auth is registered first, so
// it is invoked before express.static for requests under /files.
// NOTE(review): this order is the intended one. If a file is still served
// without a prompt, look for another static handler registered earlier that
// also covers this directory, or for credentials the browser has cached.
// TODO confirm against the full app.
app.use('/files', auth);
app.use('/files', express.static(path.join(__dirname, 'files')));

This works great if I try to access /files, but if I request the URL ../files/somefile.txt, authentication is not required and I am able to access that file. I want all the files under the "files" directory to be accessible only to authenticated users.

var basicAuth = require('basic-auth');
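/**
 * Express middleware that enforces HTTP Basic authentication.
 *
 * Parses the Authorization header with basic-auth and calls next() only when
 * the supplied name and password match. Any other request gets a 401 response
 * with a WWW-Authenticate challenge so the client prompts for credentials.
 *
 * NOTE(review): "admin"/"admin" is a hard-coded sample credential. In a real
 * deployment load the credential from configuration or a secret store, compare
 * it with crypto.timingSafeEqual over fixed-length digests, and serve the route
 * over TLS only: Basic authentication sends the password base64-encoded, not
 * encrypted.
 *
 * @param {object} req - Express request.
 * @param {object} res - Express response.
 * @param {Function} next - Continues to the next middleware on success.
 * @returns {*} The result of next() on success, otherwise the response object.
 */
var auth = function(req, res, next){
    var user = basicAuth(req);
    // Strict equality so that no type coercion can ever produce a match.
    if(user && user.name === "admin" && user.pass === "admin"){
        return next();
    }
    // The realm is a quoted-string; unquoted text containing a space is not a
    // well-formed challenge.
    res.set('WWW-Authenticate', 'Basic realm="Authorization Required"');
    // res.send(<number>) is deprecated in Express 4; sendStatus sets the
    // status code explicitly.
    return res.sendStatus(401);
};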

// Gate: runs auth for any request whose raw URL contains the substring "ftp"
// anywhere (path or query string); every other request goes straight through.
// NOTE(review): this is the only access check in front of public/ftp, and it
// inspects the raw URL string. The static handler below resolves the request
// path on its own (URL decoding, normalisation), so the string tested here and
// the file actually served can disagree. Prefer keeping protected files
// outside the public root and mounting auth plus a dedicated express.static on
// that prefix — verify against the Express version in use.
app.use(function(req, res, next){
    if(req.url.indexOf('ftp') != -1){
        console.log(req.url);
        return auth(req, res, next);
    }
    else
        next();
});
// Serves everything under public/ at the site root; public/ftp lives inside
// this root, so this handler is also what serves the files below /ftp.
app.use(express.static(path.join(__dirname, 'public')));
// Directory listing for /ftp. 'hidden': true includes dot-files in the listing.
// The path 'public/ftp' is relative, unlike the __dirname-based path above
// (presumably resolved against the process working directory — confirm).
app.use('/ftp', serveIndex('public/ftp', {'icons': true, 'hidden': true, 'view': 'details'}))

Here is my code, it works fine for me, you can try it.

Have you tried the following:

// NOTE(review): app.use('/files', auth) should already apply to every path
// below /files, so the wildcard is not expected to change which requests are
// authenticated — confirm against the Express version in use.
app.use('/files/*', auth);

Okay, now my code looks like this:

// Runs auth for any request whose raw URL contains the substring "files"
// anywhere (path or query string), not only for paths under /files.
app.use(function(req, res, next){
    if(req.url.indexOf('files') != -1) {
        return auth(req, res, next);
    } else {
        next();
    }
});

// auth is mounted a second time on /files, so a request under /files passes
// through it twice before express.static is reached.
// NOTE(review): both checks sit in front of the static handler, which is the
// intended order. If files are still served without a prompt, look for a
// static handler registered earlier in the app that also covers this
// directory, or for credentials cached by the browser — TODO confirm.
app.use('/files', auth);
app.use('/files', express.static(path.join(__dirname, 'files')));

But the problem still exists. The middleware seems to be used when I try to access "files", but if I try to access a file such as /files/somefile.txt, for some reason the middleware is skipped and I have access without authentication.

It's an old thread but I just came across the same issue. I'm using http-auth package to restrict the access to a folder in my public directory.

The middleware was working fine when requesting the protected directory (get /protectedFolder shows the prompt for the authentication), but it skips the files when they're requested directly (get /protectedFolder/file.txt displays the content of file.txt)

I solved it by switching the order of middlewares, I initially had

  // Order as first tried: express.static is registered first, so a request for
  // an existing file is answered here and the auth middleware below never runs.
  app.use('/protected', express.static(path.join(__dirname, '../../../protected')));
  // Reached only when express.static did not answer the request, which matches
  // the observed behaviour: the directory prompts, a direct file request does not.
  app.use('/protected', auth.connect(basic), (req, res, next) => {
      next();
  });

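But the correct order should be the following. Express runs middleware in the order it is registered, and express.static ends the request as soon as it finds the file, so the authentication middleware has to be registered before it: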

  // auth.connect(basic) is registered first, so it runs before anything below.
  // The trailing (req, res, next) handler only calls next(); it is a pass-through.
  app.use('/protected', auth.connect(basic), (req, res, next) => {
      next();
  });
  // Static files are reached only after the authentication middleware has
  // called next().
  app.use('/protected', express.static(path.join(__dirname, '../../../protected')));

I hope this helps someone.
