Digest authentication with Express 4
While adding digest authentication to a Node.js / Express 4 site, I ran into an issue. I was using Passport middleware for authentication, along with the passport-http strategy. Authentication worked fine with an Express router for my root path, but when I added authentication to a sub path (e.g. /api/cats) every request failed with an HTTP 400.
After some debugging, I found that digest.js from passport-http checks that the request URL matches the URI that was supplied with the authentication credentials. This is a problem because a mounted route handler sets req.url to a path relative to the mounted path, so in the example above req.url is '/' while creds.url is '/api/cats/', and the string comparison fails.
It turns out I'm not the first to encounter this, and there's already a pull request for a fix, but it hasn't been merged yet. In the meantime, I didn't want to modify the passport-http code, so I made a change in my code to work around the issue. I added a custom middleware function that was called immediately before calling passport.authenticate that updates req.url using the same approach as in the pull request fix. Of course a side effect of this is that now req.url is no longer relative to the mounted path, but that isn't an issue for my code.
// Middleware to ensure req.url works with digest auth function (req, res, next) { req.url = (req.baseUrl ? req.baseUrl : "") + req.url; next(); }