client-certificate-auth
middleware for Node.js implementing client SSL certificate authentication/authorization
Copyright © 2013 Tony Gies
April 30, 2013
installing
client-certificate-auth is available from npm.
$ npm install client-certificate-auth
requirements
client-certificate-auth is tested against Node.js versions 0.6, 0.8, and 0.10. It has no external dependencies (other than any middleware framework with which you may wish to use it); however, to run the tests, you will need mocha and should.
synopsis
client-certificate-auth provides HTTP middleware for Node.js (in particular
Connect/Express) to require that a valid, verifiable client SSL certificate is
provided, and passes information about that certificate to a callback which must
return true
for the request to proceed; otherwise, the client is considered
unauthorized and the request is aborted.
usage
The https server must be set up to request a client certificate and validate it against an issuer/CA certificate. What follows is a typical example using Express:
var express = ;var fs = ;var https = ;var clientCertificateAuth = ; var opts = // Server SSL private key and certificate key: fs cert: fs // issuer/CA certificate against which the client certificate will be // validated. A certificate that is not signed by a provided CA will be // rejected at the protocol layer. ca: fs // request a certificate, but don't necessarily reject connections from // clients providing an untrusted or no certificate. This lets us protect only // certain routes, or send a helpful error message to unauthenticated clients. requestCert: true rejectUnauthorized: false; var app = ; // add clientCertificateAuth to the middleware stack, passing it a callback// which will do further examination of the provided certificate.app;app;app; app; var { /* * allow access if certificate subject Common Name is 'Doug Prishpreed'. * this is one of many ways you can authorize only certain authenticated * certificate-holders; you might instead choose to check the certificate * fingerprint, or apply some sort of role-based security based on e.g. the OU * field of the certificate. You can also link into another layer of * auth or session middleware here; for instance, you might pass the subject CN * as a username to log the user in to your underlying authentication/session * management layer. */ return certsubjectCN === 'Doug Prishpreed';}; https;
Or secure only certain routes:
app; app;
checkAuth
can also be asynchronous:
{ ;} app;