Sign Up for Free

RunKit +

Try any Node.js package right in your browser

This is a playground to test code. It runs a full Node.js environment and already has all of npm’s 1,000,000+ packages pre-installed, including serverless-basic-authentication with all npm packages installed. Try it out:

var serverlessBasicAuthentication = require("serverless-basic-authentication")

This service is provided by RunKit and is not affiliated with npm, Inc or the package authors.

serverless-basic-authentication v0.14.1

Serverless Basic Authentication (http basic auth)

Sometimes you need to integrate your api with some outside system, and you are not capable of setting up custom headers with keys. Almost all systems support Basic Authentication out of the box though. Which is where this plugin comes in.

This plugin will install a custom authenticator for the functions you specify as being private, and use the API Keys (so no user management required) as http basic username and password.

When using this plugin, you can use both the x-api-key header, or the Authorization header for authentication.


npm install serverless-basic-authentication

Add the plugin to your settings:

  - serverless-basic-authentication

And give access so that the plugin can check the api keys:

  name: aws
    - Effect: Allow
        - apigateway:GET
      Resource: "*"


Add some keys to your service:

  name: aws
    - foobar
    - platypus

For each function that responds to http events and is marked as private: true, the custom authenticator will be inserted, like so:

    handler: handler.foobar
      - http:
          path: foo/bar
          method: get
          private: true

To send the correct header so that browsers will prompt for username and password, add a GatewayResponse to the resources:

      Type: 'AWS::ApiGateway::GatewayResponse'
          gatewayresponse.header.WWW-Authenticate: "'Basic'"
        ResponseType: UNAUTHORIZED
          Ref: 'ApiGatewayRestApi'
        StatusCode: '401'

If you are whitelisting files to be packaged, ensure you add to the list otherwise the authorizer will fail:

    - "./**/**"

Note: The plugin checks if a custom authorizer is already set. So if you provide a custom authorizer it will not override your custom authorizer.

After deploying, you can call the endpoint with a basic auth username/password:

curl -u [key-name]:[key-value]

How does this work?

In Api Gateway, the custom authorizer function can also be used to supply the api key for a request. In this case, we lookup the api key on the fly through the api-gateway api, and check if the key matches. If so, we tell Api Gateway to use that key for handling the calls.

PR's are appreciated!

RunKit is a free, in-browser JavaScript dev environment for prototyping Node.js code, with every npm package installed. Sign up to share your code.
Sign Up for Free