Pragadesh-45/digest-auth
HTTP Digest Authentication Server

An HTTP Digest Authentication server written in Node.js that implements the RFC 2617 digest scheme (MD5, qop="auth"). It is a demonstration server: read the Security Notes before reusing any part of it outside a test environment.

Installation

# Clone or download the project
npm init -y  # Initialize package.json if needed

Usage

Start the Server

node server.js

The server will start on port 4444 and display:

Server is running on http://localhost:4444
Test users: admin/password, user/secret
Using nonce: nonce

Test with curl

# Test with admin user
curl -v --digest -u admin:password http://localhost:4444

# Test with user account
curl -v --digest -u user:secret http://localhost:4444

# Test with wrong credentials (should fail)
curl -v --digest -u admin:wrongpass http://localhost:4444

Expected Response

Successful Authentication:

HTTP/1.1 200 OK
Authorized - Welcome admin!

Failed or missing authentication (the same 401 challenge is returned for the first, credential-less request):

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="example.com", qop="auth", nonce="nonce", opaque="someopaquevalue"
Authentication required

Configuration

Users

Edit the users object in server.js to add/modify credentials:

const users = {
  'admin': 'password',
  'user': 'secret',
  'newuser': 'newpassword'  // Add more users here
};

Server Settings

Key configuration variables in server.js:

const realm = 'example.com';           // Authentication realm (also an input to HA1, so changing it invalidates any stored hashes)
const nonce = 'nonce';                 // Server nonce (a fixed string in this demo; see Security Notes)
const opaque = 'someopaquevalue';      // Opaque value, echoed back unchanged by the client

Port

Change the server port:

server.listen(4444, () => {  // Change 4444 to desired port

Technical Details

Digest Authentication Flow

  1. Initial Request: Client makes a request without credentials
  2. Challenge: Server responds with 401 + WWW-Authenticate header containing:
    • realm: Authentication realm (also an input to HA1, so the client must hash exactly this string)
    • nonce: Server-generated value that should be random and short-lived (this demo uses the fixed string "nonce")
    • qop: Quality of protection ("auth")
    • opaque: Server-specific string, returned unchanged by the client
  3. Response: Client repeats the request with an Authorization header carrying username, realm, nonce, uri, qop, nc, cnonce, opaque and the computed response
  4. Validation: Server recomputes the expected response from its stored credentials and compares it with the client's value

Digest Calculation

The server recomputes the expected response (MD5 throughout, as RFC 2617 specifies) using:

HA1 = MD5(username:realm:password)
HA2 = MD5(method:uri)
response = MD5(HA1:nonce:nc:cnonce:qop:HA2)

Where:

  • nonce: The server's challenge nonce, echoed back by the client
  • nc: Nonce count (8 hex digits, incremented by the client for each request that reuses the same nonce)
  • cnonce: Client nonce (a random value chosen by the client)
  • qop: Quality of protection ("auth" here; "auth-int" would additionally hash the request body into HA2)

If the challenge carries no qop, clients fall back to the older RFC 2069 form response = MD5(HA1:nonce:HA2).

Header Parsing

The Authorization header parser handles:

  • Quoted and unquoted parameter values
  • Comma-separated parameters
  • Whitespace normalization around parameters and values
  • Backslash escape sequences (quoted-pair) inside quoted values
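A parser for that parameter list, as an added example that is not the project's parser, followed by a check for the parameters a qop="auth" request must carry before the server spends any work on the digest. The sample header is constructed, and the function names are assumptions.

```javascript
// Added example, not the project's parser. Splits the parameter list of a
// Digest Authorization header into an object, handling quoted and unquoted
// values, commas and '=' inside quoted strings, backslash escapes and
// arbitrary whitespace. Returns null on anything malformed instead of
// guessing, so a garbled header fails closed.
function parseDigestHeader(header) {
  const m = /^\s*Digest\s+([\s\S]*)$/i.exec(String(header || ''));
  if (!m) return null;
  const s = m[1];
  const params = Object.create(null);   // no prototype, so "__proto__" is an ordinary key
  let i = 0;
  while (i < s.length) {
    while (i < s.length && /[\s,]/.test(s[i])) i++;        // skip separators
    if (i >= s.length) break;
    const keyStart = i;
    while (i < s.length && /[^\s=,"]/.test(s[i])) i++;     // parameter name token
    const key = s.slice(keyStart, i).toLowerCase();
    while (i < s.length && /\s/.test(s[i])) i++;
    if (key === '' || s[i] !== '=') return null;           // not a "key=" pair
    i++;
    while (i < s.length && /\s/.test(s[i])) i++;
    let value;
    if (s[i] === '"') {
      i++;
      let out = '';
      while (i < s.length && s[i] !== '"') {
        if (s[i] === '\\' && i + 1 < s.length) { out += s[i + 1]; i += 2; } // quoted-pair
        else { out += s[i++]; }
      }
      if (s[i] !== '"') return null;                       // unterminated quoted string
      i++;
      value = out;
    } else {
      const valueStart = i;
      while (i < s.length && s[i] !== ',') i++;            // token runs to the next comma
      value = s.slice(valueStart, i).trim();
    }
    if (Object.prototype.hasOwnProperty.call(params, key)) return null; // duplicate parameter
    params[key] = value;
  }
  return params;
}

// Names of the parameters a qop="auth" Authorization header must carry,
// plus a sanity check on the nonce-count format. Returns [] when complete.
function missingDigestParams(params) {
  const required = ['username', 'realm', 'nonce', 'uri', 'response'];
  if (params.qop !== undefined) required.push('nc', 'cnonce');
  const missing = required.filter((k) => !params[k]);
  if (params.nc !== undefined && !/^[0-9a-f]{8}$/i.test(params.nc)) missing.push('nc (must be 8 hex digits)');
  return missing;
}

// Constructed sample header. The username contains an escaped quote and a
// comma to exercise the quoted-string handling.
const SAMPLE_HEADER =
  'Digest username="ad\\"min, jr", realm="example.com", nonce="nonce", uri="/", ' +
  'qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="someopaquevalue"';
```

Rejecting duplicate parameters is deliberate: if a header carries two `username` values, a parser that silently keeps the first and a verifier that logs the last disagree about who authenticated, which is the kind of ambiguity that turns into an authorization bypass elsewhere in a stack.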

Testing

Manual Testing

# Test authentication flow
curl -v --digest -u admin:password http://localhost:4444

# View detailed server logs for debugging
node server.js
# Then make requests in another terminal

Browser Testing

Visit http://localhost:4444 in your browser. You'll see a browser authentication dialog. Use:

  • Username: admin, Password: password
  • Username: user, Password: secret

Security Notes

⚠️ This is a demonstration server, not a production authenticator:

  • Uses hardcoded credentials stored as plaintext passwords (use a database in production, and store HA1 = MD5(username:realm:password) instead of the password, since that is all the server needs)
  • Uses a static nonce and does not track the nonce count, so a captured Authorization header can be replayed indefinitely (nonces should be random, expire, and have their nc value checked)
  • No HTTPS: digest auth keeps the password out of the request, but a captured exchange allows an offline dictionary attack against the MD5 digest, and qop="auth" does not protect the request or response body, so run it over HTTPS in production
  • Limited input validation

Troubleshooting

Port Already in Use

# Kill existing server
pkill -f "node server.js"

# Or use a different port in server.js

Authentication Fails

Check the server console for debug output showing:

  • Parsed authentication parameters
  • Expected vs actual digest values
  • Username/nonce validation results

Header Parsing Issues

The server logs detailed parsing information. Common issues:

  • Malformed Authorization header (for example an unterminated quoted value)
  • Missing required parameters (username, realm, nonce, uri, response; plus nc and cnonce whenever qop is used)
  • Nonce mismatch (the client echoed a nonce other than the one the server issued)

License

MIT License - Feel free to use and modify.
