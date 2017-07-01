passport.js strategy for TLS client certificate authentication and authorisation.

passport-client-cert is for TLS connections direct to a Node.js application.

Usage

The strategy constructor requires a verify callback, which will be executed on each authenticated request. It is responsible for checking the validity of the certificate and user authorisation.

Options

passReqToCallback - optional. Causes the request object to be supplied to the verify callback as the first parameter.

The verify callback is passed the client certificate object and a done callback. The done callback must be called as per the passport.js documentation.

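    var passport = require('passport');
    var ClientCertStrategy = require('passport-client-cert').Strategy;

    passport.use(new ClientCertStrategy(function (clientCert, done) {
      // Node's peer certificate object exposes the common name as subject.CN
      var cn = clientCert.subject.CN,
          user = null;

      // Only the expected common name maps to a user
      if (cn === 'test-cn') {
        user = { name: 'Test User' };
      }

      // A null user means the request is not authenticated
      done(null, user);
    }));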

The verify callback can be supplied with the request object by setting the passReqToCallback option to true, and changing the callback arguments accordingly.

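    passport.use(new ClientCertStrategy({ passReqToCallback: true },
      function (req, clientCert, done) {
        // Node's peer certificate object exposes the common name as subject.CN
        var cn = clientCert.subject.CN,
            user = null;

        // Only the expected common name maps to a user
        if (cn === 'test-cn') {
          user = { name: 'Test User' };
        }

        // A null user means the request is not authenticated
        done(null, user);
      }));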

Examples

Install and start the example server app:

    npm install
    cd example
    node example-server.js

Submit a request with a client certificate:

    $ curl -k --cert certs/joe.crt --key certs/joe.key --cacert certs/ca.crt https:

If curl fails and you are using OSX Mavericks or newer (where support for ad-hoc CA certificates is broken), try wget instead:

    $ wget -qSO - --no-check-certificate --certificate=certs/joe.crt --private-key=certs/joe.key --ca-certificate=certs/ca.crt https:

Requests submitted with joe.crt are authorised because joe is in the list of valid users. Requests submitted without a certificate, or with bob.crt, will fail with an HTTP 401.
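The allow-list behaviour described above, as an added example of a verify callback that fails closed (this is not code from passport-client-cert or its example server). It assumes the certificate object has the shape returned by Node's getPeerCertificate() (subject.CN, valid_from, valid_to); the user list, the checkClientCert helper and the sample values are constructed for illustration.

```javascript
// Added example, not the project's code.
// Assumption: clientCert looks like the output of Node's
// tls.TLSSocket#getPeerCertificate(): { subject: { CN }, valid_from, valid_to }.

// Constructed allow-list keyed by certificate common name.
const VALID_USERS = new Map([['joe', { name: 'Joe' }]]);

// Returns { user, reason }. user is false whenever the certificate is rejected.
function checkClientCert(clientCert, now = new Date()) {
  const subject = clientCert && clientCert.subject;
  // Node reports a repeated attribute as an array; requiring a single
  // non-empty string rejects certificates with several CN values.
  if (!subject || typeof subject.CN !== 'string' || subject.CN === '') {
    return { user: false, reason: 'no usable subject CN' };
  }

  const notBefore = new Date(clientCert.valid_from);
  const notAfter = new Date(clientCert.valid_to);
  if (Number.isNaN(notBefore.getTime()) || Number.isNaN(notAfter.getTime())) {
    return { user: false, reason: 'unparseable validity dates' };
  }
  if (now < notBefore || now > notAfter) {
    return { user: false, reason: 'outside validity window' };
  }

  // Exact, case-sensitive lookup: no prefix or substring matching on the CN.
  const user = VALID_USERS.get(subject.CN);
  if (!user) {
    return { user: false, reason: 'CN not in allow-list' };
  }
  return { user: Object.assign({ cn: subject.CN }, user), reason: 'ok' };
}

// Verify callback with the (clientCert, done) signature used in Usage.
// A falsy user means the request is not authenticated.
function verify(clientCert, done) {
  done(null, checkClientCert(clientCert).user);
}
```

Pass verify to the ClientCertStrategy constructor in place of the inline function shown in Usage; the reason string is intended for server-side logging only.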

Test

    npm install
    npm test

Licence

The MIT Licence