HTTP authentication

VSGI provide implementations of both basic and digest authentication schemes respectively defined in RFC 7617 and RFC 7616.

Both Authentication and Authorization objects are provided to produce and interpret their corresponding HTTP headers. The typical authentication pattern is highlighted in the following example:

var authentication = BasicAuthentication ("realm");

var authorization_header = req.headers.get_one ("Authorization");

if (authorization_header != null) {
    if (authentication.parse_authorization_header (authorization_header,
                                                   out authorization)) {
        var user = User.from_username (authorization.username);
        if (authorization.challenge (user.password)) {
            return res.expand_utf8 ("Authentication successful!");

res.headers.replace ("WWW-Authenticate", authentication.to_authenticate_header ());


The Basic authentication scheme is the simplest one and expect the user agent to provide username and password in plain text. It should be used exclusively on a secured transport (e.g. HTTPS).