
Authentication middleware for APIs using cf-auth-provider

Usage no npm install needed!

<script type="module">
  import cfAuthMiddleware from '';



Authentication middleware for APIs using cf-auth-provider


npm install --save cf-auth-middleware


var express = require('express')
  , createAuthMiddleware = require('cf-auth-middleware')
  , authProvider = require('cf-auth-provider')(myCollection, hashFn)

var app = express()
  , authMiddleware = createAuthMiddleware(authProvider)

app.get('/private', authMiddleware, function (req, res) {
  // This route is only accessible to users that are
  // able to authenticate with the given authProvider

An authenticated request must contain either the following headers:

Content-Type: 'application/json'
x-cf-date: 'Tue, 05 Nov 2013 12:22:23 GMT'
authorization: 'Catfish {authorizing entity id}:{signed request}'


It must contain the following query string keys:

?authorization={authorizing entity id}:{signed request}&x-cf-date=1423481045233

You can also specifiy a custom TTL for the request. This can be sent in either the headers or the query string:

Content-Type: 'application/json'
x-cf-date: 'Tue, 05 Nov 2013 12:22:23 GMT'
x-cf-ttl: '120000'
authorization: 'Catfish {authorizing entity id}:{signed request}'
?authorization={authorizing entity id}:{signed request}&x-cf-date=1423481045233&x-cf-ttl=120000

The client must sign requests with the cf-signature module.


var createMiddleware = require('cf-auth-middleware')

var middleware = createMiddleware(AuthProvider: authProvider, Object: options)

authProvider is an instance of cf-auth-provider.


  • options.logger: an object with debug(), info(), warn(), error(). Defaults to console.
  • options.reqProperty: the authed client's id is stored on the request object: req[options.reqProperty]. Defaults to authedClient.
  • options.ignoreQueryKeys: an array of keys to ignore when comparing the request to the signature. This is useful when requests get augmented by unknown cache-busting values. Defaults to [].


Built by developers at Clock.


Licensed under the New BSD License