It seems likely that most users of this module will want to know which user actually authenticated, which requires parsing the Authorization header, which this module is already doing.
I suggest setting req.authUser to the username part of the decoded header upon a successful authentication. Including it on failed auths seems like a security bug magnet, so I'd be inclined not to do that.
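A sketch of the behaviour proposed above, added here as an illustration and not code from the module under discussion. The names `basicAuth`, `parseBasic`, `safeEqual`, `simulate` and the in-memory user table are hypothetical; `req.authUser` is set only after the credentials verify, and any value already present on the request is cleared first.

```javascript
const crypto = require('crypto');

// Constant-time string comparison; hashing first yields equal-length buffers.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Parse "Basic <base64(user:pass)>"; returns null for anything malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)\s*$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // the password may itself contain ':'
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Hypothetical middleware factory. `users` maps username -> password and is a
// constructed sample store; a real one would hold password hashes.
function basicAuth(users, realm = 'example') {
  return function (req, res, next) {
    delete req.authUser; // never trust a value set earlier in the chain
    const creds = parseBasic(req.headers.authorization);
    const known = creds !== null &&
      Object.prototype.hasOwnProperty.call(users, creds.user);
    // Compare even for unknown users so timing does not reveal valid names.
    const match = safeEqual(creds ? creds.pass : '', known ? users[creds.user] : '\u0000');
    if (!(match && known)) {
      res.statusCode = 401;
      res.setHeader('WWW-Authenticate', `Basic realm="${realm}"`);
      return res.end('Unauthorized');
    }
    req.authUser = creds.user; // set only after the check has passed
    next();
  };
}

// Constructed request/response stubs so the example runs without a server.
function simulate(authorization, preset) {
  const req = { headers: authorization ? { authorization } : {} };
  if (preset !== undefined) req.authUser = preset;
  const res = { statusCode: 200, setHeader() {}, end() {} };
  let nextCalled = false;
  basicAuth({ alice: 's3cret:with:colons' })(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, authUser: req.authUser, nextCalled };
}
```

Downstream handlers can then treat the presence of `req.authUser` as proof that authentication succeeded, because no failure path leaves it set.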