
In Apache2, I created an authenticated folder, made correctly with the following entry in my configuration file:

<Directory "/var/www/html/private">
     AuthType Basic
     AuthName "Restricted Content"
     AuthUserFile /etc/apache2/.htpasswd
     Require valid-user
</Directory>

Currently, when I try to navigate to a file I know is in that protected folder via a web browser, I get the prompt to enter my username and password, which is what I want to happen. However, when I go to any one of my HTML files on my website (such as one in my HTML folder directly or another directory) that refers to JavaScript contained in that private folder, it also prompts me for a username and password, which is not what I want. How can I fix this?

3 Answers


  1. Chosen as BEST ANSWER

    In order to solve this issue, I decided to keep what I had, but I made the private directory the folder that houses the password-protected HTML file, as discussed in my previous post. I then deleted the JavaScript file that was responsible for asking for a password, replacing it with Apache's authentication. That way, any time I wanted to access this certain webpage, it would simply ask for a username and password, eliminating the need for a self-defined JavaScript function to handle this. Also, any other web pages I create that I want to be protected with some sort of authentication, I can just place in my private folder.


  2. I’ve updated my answer because this isn’t really possible via basic authentication.

    Basic authentication is generally for front-facing pages like HTML files, and will not work on external assets.

    In order to solve the external asset folder you’d need to do something like this in the programming language of your choice, like Python, PHP or NodeJS.

    1. Ask the user to log in; they can choose to log in or reject the login.
    2. If the user has logged in, check the login token against the backend language you have used. If the login token is valid, return the JS file. For example:

    Say we request /my/js-file.js; we can create a URL with this name, instead of publicly exposing the JS file itself. If the user is logged in, return the JS file contents through that URL. If not, return ‘Invalid token’ instead of the JS file contents.

    There are many assets on Stack Overflow that can help you create this. Search for ‘how to protect JS files with authentication’.

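The token-gated URL described in the answer above, as an added example that is not part of the original answers. It is a standard-library WSGI app; the `session` cookie name, the `user:expiry:signature` token format, `SECRET_KEY` and the script contents are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie

SECRET_KEY = b"constructed-demo-key"  # assumption: load from a secret store in practice
PROTECTED_JS = b"console.log('members-only script');\n"  # constructed stand-in for the file
TOKEN_TTL = 3600  # token lifetime in seconds (assumed value)


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(username, now=None):
    """Build 'username:expiry:signature'; call this after a successful login."""
    expiry = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{username}:{expiry}"
    return f"{payload}:{_sign(payload)}"


def token_is_valid(token, now=None):
    """Check the signature in constant time, then check the expiry."""
    try:
        username, expiry, sig = token.split(":")
        expiry = int(expiry)
    except ValueError:  # wrong number of fields or non-numeric expiry
        return False
    expected = _sign(f"{username}:{expiry}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return expiry > (time.time() if now is None else now)


def app(environ, start_response):
    """Serve /my/js-file.js only when the session cookie holds a valid token."""
    if environ.get("PATH_INFO") != "/my/js-file.js":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not found"]
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    token = cookie["session"].value if "session" in cookie else ""
    if not token_is_valid(token):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Invalid token"]
    # Keep shared caches from storing the gated script for other visitors.
    start_response("200 OK", [("Content-Type", "application/javascript"),
                              ("Cache-Control", "private, no-store")])
    return [PROTECTED_JS]
```

A page under this scheme references the script as `/my/js-file.js`, and the browser sends the cookie automatically with that request, so no second prompt appears.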
  3. I’m assuming you are not using a server-side application, as then you could authenticate a process user to enter that private folder.

    In your current setup this is expected behavior. You ARE requesting a file from a protected folder. htaccess guards HTTP browser requests. Requesting a js (or even an image) from a secured folder happens by HTTP request, even if it is done in your HTML on the public side.

    The easiest way is to put the js file in the public folder, but I have a feeling you want to keep the JS private/invisible. Unfortunately that’s not how JS works. No matter if it originates from the secure folder, once it is loaded into the browser, anyone can view the js.

    If there is code you wish to keep obscure/inaccessible, you have to use server-side code. All JS that comes into the browser (for the sake of simplicity) is going to be visible to anyone.
