How to protect static folder in express with passport

Update for [email protected]+, [email protected], and [email protected]

First, set up a passport auth strategy. If you use a JWT, you can take the token from a query parameter; if not, you can use another extract function (or multiple, using Jwt.ExtractJwt.fromExtractors()).

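const passport = require('passport');
const Jwt = require('passport-jwt');

// jwtConfig.options (secretOrKey, etc.) and verifyUser are defined by your app
passport.use('basic-user',
    new Jwt.Strategy({
        ...jwtConfig.options,
        jwtFromRequest: Jwt.ExtractJwt.fromUrlQueryParameter('token')
    }, verifyUser)
);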

Then you can use a passport authenticate function before serving static files

app.use('/files', [
    passport.authenticate(['basic-user'], { session: false }),
    express.static(path.join(__dirname, 'files')) //make sure you access proper directory
])

You can check the route using middleware and redirect them if they aren't logged in and are hitting admin pages, something like (untested):

app.use(function(req, res, next) {
    if (req.user == null && req.path.indexOf('/admin') === 0)
    {
        // return so next() is not called after the redirect has been sent
        return res.redirect('/login');
    }
    next();
});

Ran into same issue, this is what I ended up doing!

app.use doesn't let you chain middlewares in that way. The various app.VERB functions do, but app.use doesn't. That's for one middleware at a time.

If you split the 2 middlewares out into separate calls, you should get the results you want:

app.use('/admin', ensureAuthenticated);
app.use('/admin', express.static(path.join(__dirname, 'admin')));
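
One possible `ensureAuthenticated` for the two mounts above, which the page references but never defines (an added example, not code from the original answers). `simulate`, `fakeStatic` and the sample requests are constructed stand-ins so the gate can be exercised without Express.

```javascript
// Added example. Gate for a static mount, using Express's (req, res, next) signature.
function ensureAuthenticated(req, res, next) {
  // Passport sets req.user once a strategy succeeds; session setups also get
  // req.isAuthenticated(). Prefer the latter when it exists.
  const authed = typeof req.isAuthenticated === 'function'
    ? req.isAuthenticated()
    : req.user != null;
  if (authed) return next();

  // Unauthenticated: answer here and return WITHOUT calling next(), so the
  // static handler mounted after this gate is never reached.
  const accept = (req.headers && req.headers.accept) || '';
  if (req.method === 'GET' && accept.includes('text/html')) {
    return res.redirect('/login');
  }
  return res.status(401).end();
}

// In an Express app the mounts would be, in this order:
//   app.use('/admin', ensureAuthenticated);
//   app.use('/admin', express.static(path.join(__dirname, 'admin')));

// Stand-in for that chain (hypothetical helper, constructed for this example).
function simulate(req) {
  const out = { status: null, location: null, staticReached: false };
  const res = {
    redirect(url) { out.status = 302; out.location = url; return res; },
    status(code) { out.status = code; return res; },
    end() { return res; },
  };
  const fakeStatic = (_req, _res, _next) => { out.staticReached = true; out.status = 200; };
  const stack = [ensureAuthenticated, fakeStatic];
  let i = 0;
  const next = () => { const mw = stack[i++]; if (mw) mw(req, res, next); };
  next();
  return out;
}

// Constructed requests: anonymous browser, anonymous script, logged-in user.
const anonBrowser = simulate({ method: 'GET', headers: { accept: 'text/html' } });
const anonScript = simulate({ method: 'GET', headers: { accept: '*/*' } });
const loggedIn = simulate({ method: 'GET', headers: {}, user: { id: 1 } });
console.log(anonBrowser, anonScript, loggedIn);
```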

Cannot use basic authentication while serving static files using express


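// Build the static handler once; invoke it only for authenticated requests
var adminStatic = express.static(path.join(__dirname, 'public'));
app.use('/admin', function(req,res,next){
 if(req.user){
   // express.static() returns a middleware function, so it has to be called
   return adminStatic(req, res, next);
 } else {
   res.status(403).render('login', {message:'Please, login!'});
 }
});

//serve routes (Express 3 only; app.router was removed in Express 4)
app.use(app.router);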