node.js - Cannot use basic authentication while serving static files using express

Question

Using the Express framework for node.js, I'm trying to serve up static files contained in a directory while also putting basic authentication on it. When I do so, I am prompted for the username and password (as expected), but after I correctly enter them, I'm given a 404. If I remove the authentication check and serve up the same directory, I actually get the pages contained within it.

Here's a quick server I whipped up as a proof-of-concept:

var express = require('express');

var app = express();

var auth = express.basicAuth(function(user,pass) {
  return 'user' === user && 'pass' === pass;
});

app.use('/admin', auth, express.static(__dirname + '/admin'));
app.use('/adminNoAuth', express.static(__dirname + '/admin'));

app.listen(8082);

When I hit localhost:8082/admin I get the username/password, then a 404. When I hit localhost:8082/adminNoAuth it serves up the page.

I'm using Express 3.4.7 and node.js 0.10.22.

Answer 1

app.use doesn't let you chain middlewares in that way. The various app.VERB functions do, but app.use doesn't. That's for one middleware at a time.

If you split the 2 middlewares out into separate calls, you should get the results you want:

app.use('/admin', auth)
app.use('/admin', express.static(__dirname + '/admin'));

EDIT

As of express version 4.x you can pass in multiple middlewares as an array, or arguments, or mixture of both into app.use. Making static files authorization safe would now be:

app.use( "/admin", [ auth, express.static( __dirname + "/admin" ) ] );

But both ways are still perfectly valid.