The package-based Basic Auth solution presented in this post leaves DDP endpoints exposed to unauthorized users. For more information, read my follow-up post on Bypassing Package-Based Basic Auth.

Recently I’ve been playing with techniques for sharing private Meteor applications with others. An example of this may be showing a beta version of an application to a client. That client may not want any of the application exposed to the public, including splash pages or login screens.

I’ve found that a quick solution to this problem is to use good old basic authentication.

Adding basic auth to a Meteor application is incredibly simple thanks to a handful of packages that have wrapped the basic-auth-connect npm package. I’ve whipped up a quick example using kit:basic-auth and deployed it to basic-auth.meteor.com. Use username/password for your login credentials.

Adding this basic level of protection was as simple as adding the package to my project:

meteor add kit:basic-auth

And updating my settings.json file with the credentials:

{
    "basicAuth": {
        "username": "username",
        "password": "password"
    }
}

Basic authentication isn’t seen much anymore, and it’s not a particularly useful security paradigm, especially for Meteor applictations. However, it can be incredibly useful when trying to quickly lock down a web asset, or in our case, a single-page web application.