Using worker for basic auth

We are using the below worker for basic auth, but we must exclude some IPs from asking for basic auth.

async function handleRequest(request) {
const authorization = request.headers.get(‘authorization’)
if (!request.headers.has(‘authorization’)) {
return getUnauthorizedResponse(
‘Provide User Name and Password to access this page.’,
const credentials = parseCredentials(authorization)
if (credentials[0] !== USERNAME || credentials[1] !== PASSWORD) {
return getUnauthorizedResponse(
‘The User Name and Password combination you have entered is invalid.’,
return await fetch(request)
addEventListener(‘fetch’, (event) => {

  • Break down base64 encoded authorization string into plain-text username and password
  • @param {string} authorization
  • @returns {string}
    function parseCredentials(authorization) {
    const parts = authorization.split(’ ‘)
    const plainAuth = atob(parts[1])
    const credentials = plainAuth.split(’:')
    return credentials
  • Helper funtion to generate Response object
  • @param {string} message
  • @returns {Response}
    function getUnauthorizedResponse(message) {
    let response = new Response(message, {
    status: 401,
    response.headers.set(‘WWW-Authenticate’, Basic realm="${REALM}")
    return response
  • @param {string} USERNAME User name to access the page
  • @param {string} PASSWORD Password to access the page
  • @param {string} REALM A name of an area (a page or a group of pages) to protect.
  • Some browsers may show “Enter user name and password to access REALM”
    const USERNAME = ‘user’
    const PASSWORD = 'pass
    const REALM = ‘Secure Area’

Afraid that’s a question for StackOverflow. The forum here is not for custom JavaScript code.

As far as getting the address is concerned, you can access that via the HTTP header CF-Connecting-IP.

This topic was automatically closed 20 minutes after the last reply. New replies are no longer allowed.