$remote_passwd
$remote_passwd returns the decoded password from the 'Authorization' header in Basic HTTP Authentication. — NGINX CoolKit Module
Description
The $remote_passwd variable is provided by the NGINX CoolKit module for use with Basic HTTP Authentication. It holds the decoded password from the Authorization header of the current request. A client authenticating with a username and password sends the pair base64-encoded in the form 'Authorization: Basic base64(username:password)'; NGINX, with the CoolKit module, decodes this so that the password is available to later processing.

The variable is set while processing a request that carries an Authorization header. If the header is absent, or does not follow the Basic Authentication format, $remote_passwd is empty. Configurations that rely on it for authorization or identity checks must therefore confirm that valid credentials are present before using the password in any logic.

In practice, $remote_passwd is most useful when authenticating against a backend database or service that requires username/password verification, as the example configurations in the module's documentation show.
Config Example

    location = /auth {
        internal;
        set_quote_sql_str $user $remote_user;
        set_quote_sql_str $pass $remote_passwd;
        postgres_pass database;
        postgres_query "SELECT login FROM users WHERE login=$user AND pass=$pass";
        postgres_rewrite no_rows 403;
        postgres_output none;
    }

Subsystem: http
Cacheable: No
Contexts: http, server, location

Notes
Ensure that your web server is configured to handle Basic Authentication properly, as missing headers may lead to an empty $remote_passwd.
Use with care in internal logic to avoid security issues: the decoded password must not be logged or otherwise exposed.
Depending on the configuration, the Authorization header might be stripped by upstream proxies, resulting in an empty variable.
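The following Python model is added here as an illustration and is not the module's code: it shows how $remote_user and $remote_passwd are derived from the Authorization header (following the checks nginx's built-in Basic auth parser is assumed to make), why the variable comes back empty on a missing or malformed header, and how the config example above quotes both values before interpolating them into its query. quote_sql_str is a simplified stand-in for set_quote_sql_str, not the module's exact escape table, and the sample headers are constructed.

```python
import base64

# Constructed sample headers: "alice:s3cr:et" (colon inside the password)
# and "bob:pa'ss" (quote inside the password), base64-encoded.
SAMPLE_OK = "Basic " + base64.b64encode(b"alice:s3cr:et").decode()
SAMPLE_QUOTE = "Basic " + base64.b64encode(b"bob:pa'ss").decode()

def basic_auth_credentials(authorization):
    """Return (remote_user, remote_passwd). Checks assumed from nginx's Basic
    auth parser: scheme "Basic" (case-insensitive), clean base64, a ':' and
    a non-empty user. Otherwise ("", ""): the empty $remote_passwd above."""
    if authorization is None or authorization[:6].lower() != "basic ":
        return "", ""
    encoded = authorization[6:].lstrip(" ")
    if not encoded:
        return "", ""
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except ValueError:  # bad alphabet, bad padding or non-ASCII input
        return "", ""
    user, sep, passwd = decoded.partition(":")  # split at the first ':' only
    if not sep or not user:
        return "", ""
    return user, passwd

def quote_sql_str(value):
    """Simplified stand-in for set_quote_sql_str (assumed escape set, not the
    module's table): single-quote and backslash-escape the breaking characters."""
    escaped = (value.replace("\\", "\\\\").replace("'", "\\'")
               .replace("\0", "\\0").replace("\n", "\\n").replace("\r", "\\r"))
    return "'" + escaped + "'"

def auth_query(authorization):
    """Build the SELECT from the /auth location above, or None when the header
    yields no credentials, so the request can be rejected before any query."""
    user, passwd = basic_auth_credentials(authorization)
    if not user:
        return None
    return "SELECT login FROM users WHERE login=%s AND pass=%s" % (
        quote_sql_str(user), quote_sql_str(passwd))

if __name__ == "__main__":
    print(basic_auth_credentials(SAMPLE_OK))   # ('alice', 's3cr:et')
    print(auth_query(SAMPLE_QUOTE))            # quoted literal, quote escaped
    print(auth_query("Bearer token"))          # None: not Basic authentication
```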