@cap-js/ord 1.3.13 → 1.4.0

package/README.md

@@ -24,34 +24,48 @@ npm install @cap-js/ord
 
 ### Authentication
 
-To enforce authentication in the ORD Plugin, set the following environment variables:
+The ORD Plugin supports multiple authentication strategies that can be configured through environment variables or `.cdsrc.json`. Authentication types are automatically detected based on the presence of their configuration - no explicit `types` array is needed.
 
-- `ORD_AUTH_TYPE`: Specifies the authentication types.
-- `BASIC_AUTH`: Contains credentials for `basic` authentication.
+**Supported Authentication Methods:**
 
-If `ORD_AUTH_TYPE` is not set, the application starts without authentication. This variable accepts `open` and `basic` (UCL-mTLS is also planned).
+- **Open**: No authentication (default when no other auth is configured)
+- **Basic**: HTTP Basic Authentication with bcrypt-hashed passwords
+- **CF mTLS**: Cloud Foundry mutual TLS authentication
 
-> Note: `open` cannot be combined with `basic` or any other (future) authentication types.
+**Multiple Authentication Strategies**: You can configure multiple authentication methods simultaneously (e.g., both `basic` and `cf-mtls`). The plugin implements an Express-like middleware pattern that tries each configured strategy in order until one succeeds.
+
+> Note: When any secure authentication method is configured, open authentication is automatically disabled to ensure security. The ORD document will reflect all active authentication strategies.
 
 #### Open
 
-The `open` authentication type bypasses authentication checks.
+The `open` authentication type is the default and bypasses authentication checks. It is automatically used when no other authentication is configured.
 
 #### Basic Authentication
 
-The server supports Basic Authentication through an environment variable that contains a JSON string mapping usernames to bcrypt-hashed passwords:
+Configure Basic Authentication using environment variables or `.cdsrc.json`:
+
+**Option 1: Environment Variable**
 
 ```bash
-BASIC_AUTH='{"admin":"***"}'
+BASIC_AUTH='{"admin":"$2y$05$..."}'
 ```
 
-Alternatively, configure authentication in `.cdsrc.json`:
+**Option 2: Configuration File**
+
+Add to your `.cdsrc.json`:
 
 ```json
-"authentication": {
-    "types": ["basic"],
-    "credentials": {
-        "admin": "***"
+{
+    "cds": {
+        "ord": {
+            "authentication": {
+                "basic": {
+                    "credentials": {
+                        "admin": "$2y$05$..."
+                    }
+                }
+            }
+        }
     }
 }
 ```
@@ -98,6 +112,77 @@ This will output something like `admin:$2y$05$...` - use only the hash part (sta
 
 </details>
 
+#### CF mTLS Authentication
+
+Configure Cloud Foundry mutual TLS authentication in `.cdsrc.json`:
+
+```json
+{
+    "cds": {
+        "ord": {
+            "authentication": {
+                "cfMtls": {
+                    "certs": [
+                        {
+                            "issuer": "CN=SAP PKI Certificate Service Client CA,OU=SAP BTP Clients,O=SAP SE,C=DE",
+                            "subject": "CN=my-service,OU=SAP Cloud Platform Clients,O=SAP SE,C=DE"
+                        }
+                    ],
+                    "rootCaDn": ["CN=SAP Cloud Root CA,O=SAP SE,C=DE"]
+                }
+            }
+        }
+    }
+}
+```
+
+Or use the environment variable:
+
+```bash
+CF_MTLS_TRUSTED_CERTS='{"certs":[...],"rootCaDn":[...]}'
+```
+
+#### Multiple Authentication Strategies
+
+You can configure multiple authentication methods simultaneously to support different client types. Authentication types are detected automatically based on configuration presence:
+
+**Configuration in `.cdsrc.json`:**
+
+```json
+{
+  "cds": {
+    "ord": {
+      "authentication": {
+        "basic": {
+          "credentials": {
+            "admin": "$2y$05$..."
+          }
+        },
+        "cfMtls": {
+          "certs": [...],
+          "rootCaDn": [...]
+        }
+      }
+    }
+  }
+}
+```
+
+**How it works:**
+
+- Authentication types are detected based on what you configure (no `types` array needed)
+- The plugin tries each configured authentication strategy in order
+- The first strategy that successfully authenticates the request is used
+- If a request includes Basic auth headers, Basic authentication is attempted
+- If a request includes mTLS certificate headers, CF mTLS authentication is attempted
+- The ORD document automatically includes all configured authentication methods in its `accessStrategies`
+
+**Example scenarios:**
+
+- **Basic + CF mTLS**: Supports both API clients using Basic auth and services using mTLS certificates
+- **Basic only**: Only clients with valid Basic auth credentials can access
+- **CF mTLS only**: Only clients with trusted certificates can access
+
 ### Usage
 
 #### Programmatic API

package/cds-plugin.js

@@ -1,15 +1,9 @@
 const cds = require("@sap/cds");
-const { getAuthConfig } = require("./lib/authentication");
 
 if (cds.cli.command === "build") {
     cds.build?.register?.("ord", require("./lib/build"));
 }
 
-// load auth config before any service is started
-cds.on("bootstrap", async () => {
-    getAuthConfig();
-});
-
 function _lazyRegisterCompileTarget() {
     const ord = require("./lib/index").ord;
     Object.defineProperty(this, "ord", { ord });

package/lib/access-strategies.js

@@ -0,0 +1,172 @@
+const cds = require("@sap/cds");
+const { AUTHENTICATION_TYPE, ORD_ACCESS_STRATEGY } = require("./constants");
+const Logger = require("./logger");
+
+/**
+ * Mapping from internal authentication types to ORD access strategy values.
+ * This is the single source of truth for auth type to ORD document mapping.
+ *
+ * @private
+ */
+const AUTH_TYPE_ORD_ACCESS_STRATEGY_MAP = Object.freeze({
+    [AUTHENTICATION_TYPE.Open]: ORD_ACCESS_STRATEGY.Open,
+    [AUTHENTICATION_TYPE.Basic]: ORD_ACCESS_STRATEGY.Basic,
+    [AUTHENTICATION_TYPE.CfMtls]: ORD_ACCESS_STRATEGY.CfMtls,
+});
+
+/**
+ * Derives ORD access strategies from authentication configuration.
+ * This function is the main entry point for converting auth config to ORD document format.
+ *
+ * @param {Object} authConfig - Authentication configuration object
+ * @param {string[]} authConfig.types - Array of authentication types (from AUTHENTICATION_TYPE)
+ * @returns {Array<{type: string}>} Array of access strategy objects for ORD document
+ *
+ * @example
+ * // With Basic auth configured
+ * const authConfig = { types: ['basic'] };
+ * const strategies = getAccessStrategiesFromAuthConfig(authConfig);
+ * // Returns: [{ type: 'basic-auth' }]
+ *
+ * @example
+ * // With multiple auth types
+ * const authConfig = { types: ['basic', 'cf-mtls'] };
+ * const strategies = getAccessStrategiesFromAuthConfig(authConfig);
+ * // Returns: [{ type: 'basic-auth' }, { type: 'sap:cmp-mtls:v1' }]
+ */
+function getAccessStrategiesFromAuthConfig(authConfig) {
+    if (!authConfig || !Array.isArray(authConfig.types)) {
+        Logger.warn("getAccessStrategiesFromAuthConfig:", "Invalid authConfig, defaulting to 'open'");
+        return [{ type: ORD_ACCESS_STRATEGY.Open }];
+    }
+
+    const strategies = authConfig.types
+        .map((type) => {
+            const ordType = AUTH_TYPE_ORD_ACCESS_STRATEGY_MAP[type];
+            if (!ordType) {
+                Logger.warn("getAccessStrategiesFromAuthConfig:", `Unknown auth type '${type}', skipping`);
+                return null;
+            }
+            return { type: ordType };
+        })
+        .filter(Boolean); // Remove null entries
+
+    // If no valid strategies found, default to open
+    if (strategies.length === 0) {
+        return [{ type: ORD_ACCESS_STRATEGY.Open }];
+    }
+
+    return strategies;
+}
+
+/**
+ * Checks if access strategies contain any non-open strategies.
+ *
+ * @param {Array<{type: string}>} accessStrategies - Array of access strategy objects
+ * @returns {boolean} True if any non-open strategy is present
+ */
+function hasNonOpenStrategies(accessStrategies) {
+    if (!Array.isArray(accessStrategies)) {
+        return false;
+    }
+    return accessStrategies.some((s) => s.type !== ORD_ACCESS_STRATEGY.Open);
+}
+
+/**
+ * Validates that 'open' strategy does not coexist with non-open strategies.
+ * According to ORD specification, 'open' should not be mixed with authenticated strategies.
+ *
+ * @param {Array<{type: string}>} accessStrategies - Array of access strategy objects
+ * @throws {Error} If 'open' coexists with non-open strategies
+ */
+function ensureNoOpenWhenNonOpenPresent(accessStrategies) {
+    if (!Array.isArray(accessStrategies) || accessStrategies.length === 0) {
+        return;
+    }
+
+    const hasOpen = accessStrategies.some((s) => s.type === ORD_ACCESS_STRATEGY.Open);
+    const hasNonOpen = hasNonOpenStrategies(accessStrategies);
+
+    if (hasOpen && hasNonOpen) {
+        throw new Error(
+            "Invalid access strategies: 'open' cannot coexist with authenticated strategies (basic-auth, sap:cmp-mtls:v1)",
+        );
+    }
+}
+
+/**
+ * Ensures access strategies are valid and present, with configurable strict mode.
+ * In non-strict mode (default), missing/empty strategies fallback to 'open' with error log.
+ * In strict mode, missing/empty strategies throw an error.
+ *
+ * @param {Array<{type: string}>|undefined} accessStrategies - Array of access strategy objects
+ * @param {Object} options - Validation options
+ * @param {string} [options.resourceName] - Name of the resource (for error messages)
+ * @param {boolean} [options.strict] - If true, throw error instead of fallback (default: reads from cds.env.ord.strictAccessStrategies)
+ * @returns {Array<{type: string}>} Validated access strategies array
+ * @throws {Error} In strict mode, if accessStrategies is missing or empty
+ *
+ * @example
+ * // Non-strict mode (default) - fallback to open
+ * const strategies = ensureAccessStrategies(undefined, { resourceName: 'MyAPI' });
+ * // Logs error and returns: [{ type: 'open' }]
+ *
+ * @example
+ * // Strict mode - throws error
+ * const strategies = ensureAccessStrategies(undefined, {
+ *   resourceName: 'MyAPI',
+ *   strict: true
+ * });
+ * // Throws: Error with message about missing accessStrategies
+ */
+function ensureAccessStrategies(accessStrategies, options = {}) {
+    const { resourceName = "unknown resource", strict } = options;
+
+    // Determine strict mode: explicit parameter > config > default false
+    const isStrict = strict !== undefined ? strict : cds.env.ord?.strictAccessStrategies === true;
+
+    if (!Array.isArray(accessStrategies) || accessStrategies.length === 0) {
+        const message = `[ORD] accessStrategies missing or empty for resource "${resourceName}"`;
+
+        if (isStrict) {
+            throw new Error(`${message}. Strict mode is enabled.`);
+        } else {
+            Logger.error("ensureAccessStrategies:", `${message}. Falling back to 'open'.`);
+            return [{ type: ORD_ACCESS_STRATEGY.Open }];
+        }
+    }
+
+    // Validate no mixing of 'open' with non-open strategies
+    ensureNoOpenWhenNonOpenPresent(accessStrategies);
+
+    return accessStrategies;
+}
+
+/**
+ * Validates that access strategies array contains only known ORD access strategy types.
+ *
+ * @param {Array<{type: string}>} accessStrategies - Array of access strategy objects
+ * @returns {boolean} True if all strategies are valid
+ */
+function isValidAccessStrategies(accessStrategies) {
+    if (!Array.isArray(accessStrategies) || accessStrategies.length === 0) {
+        return false;
+    }
+
+    const validTypes = Object.values(ORD_ACCESS_STRATEGY);
+    return accessStrategies.every((s) => s.type && validTypes.includes(s.type));
+}
+
+module.exports = {
+    // Main API
+    getAccessStrategiesFromAuthConfig,
+    ensureAccessStrategies,
+
+    // Helper functions
+    hasNonOpenStrategies,
+    ensureNoOpenWhenNonOpenPresent,
+    isValidAccessStrategies,
+
+    // Constants (re-exported for convenience)
+    AUTH_TYPE_ORD_ACCESS_STRATEGY_MAP,
+};

package/lib/auth/authentication.js

@@ -0,0 +1,351 @@
+/**
+ * Authentication Middleware Module
+ *
+ * This module implements an Express-like middleware pattern for handling multiple
+ * authentication strategies. It supports:
+ *
+ * 1. Strategy Registration: Authentication methods are registered as strategies
+ * 2. Multiple Authentication: Basic, CF mTLS, and other methods can coexist
+ * 3. Request Routing: Automatically detects request type and routes to appropriate strategy
+ * 4. Auto-filtering: When non-open strategies exist, open is automatically ignored
+ *
+ * Architecture:
+ * - Each strategy is a function that returns { success, handled, error }
+ * - Strategies are tried in order until one succeeds
+ * - Similar to Express middleware chain behavior
+ *
+ * Supported Authentication Types:
+ * - open: No authentication (filtered when combined with secure methods)
+ * - basic: HTTP Basic Authentication with bcrypt password hashing
+ * - cf-mtls: Cloud Foundry mTLS authentication
+ *
+ * @module lib/auth/authentication
+ */
+
+const cds = require("@sap/cds");
+const { AUTHENTICATION_TYPE, BASIC_AUTH_HEADER_KEY, AUTH_STRINGS, CF_MTLS_HEADERS } = require("../constants");
+const Logger = require("../logger");
+const { getAccessStrategiesFromAuthConfig } = require("../access-strategies");
+const bcrypt = require("bcryptjs");
+const { createCfMtlsConfig, handleCfMtlsAuthentication } = require("./cf-mtls");
+
+/**
+ * Compares a plain text password with a hashed password
+ * @param {string} password Plain text password to check
+ * @param {string} hashedPassword Hashed password to compare against
+ * @returns {Promise<boolean>} Promise resolving to true if passwords match, false otherwise
+ */
+async function _comparePassword(password, hashedPassword) {
+    if (!password || !hashedPassword) {
+        throw new Error("Password and hashed password are required");
+    }
+    return await bcrypt.compare(password, hashedPassword.replace(/^\$2y/, "$2a"));
+}
+
+/**
+ * Validates if a string is a bcrypt hash
+ * @param {string} hash String to validate
+ * @returns {boolean} boolean indicating if the string is a bcrypt hash
+ */
+function _isBcryptHash(hash) {
+    return /^\$2[ayb]\$\d{2}\$[A-Za-z0-9./]{53}$/.test(hash);
+}
+
+/**
+ * Lazy-loads and initializes the CF mTLS validator.
+ * Uses Promise caching to ensure initialization only happens once even with concurrent requests.
+ *
+ * @param {Object} authConfig - Authentication configuration object
+ * @returns {Promise<Function>} The CF mTLS validator function
+ * @throws {Error} If CF mTLS initialization fails
+ */
+async function ensureCfMtlsValidator(authConfig) {
+    // Already initialized
+    if (authConfig.cfMtlsValidator) {
+        return authConfig.cfMtlsValidator;
+    }
+
+    // Initialization in progress - wait for it
+    if (authConfig._cfMtlsInitPromise) {
+        await authConfig._cfMtlsInitPromise;
+        return authConfig.cfMtlsValidator;
+    }
+
+    // Start initialization
+    Logger.info("Initializing CF mTLS validator (lazy loading)...");
+
+    authConfig._cfMtlsInitPromise = (async () => {
+        try {
+            const cfMtlsConfig = await createCfMtlsConfig(cds, Logger);
+
+            if (cfMtlsConfig.error) {
+                throw new Error(cfMtlsConfig.error);
+            }
+
+            authConfig.cfMtlsValidator = cfMtlsConfig.cfMtlsValidator;
+            Logger.info("CF mTLS validator initialized successfully");
+        } catch (error) {
+            // Clean up on failure so retry is possible
+            authConfig._cfMtlsInitPromise = null;
+            throw error;
+        }
+    })();
+
+    await authConfig._cfMtlsInitPromise;
+    return authConfig.cfMtlsValidator;
+}
+
+/**
+ * Create authentication configuration based on environment variables or .cdsrc.json settings.
+ *
+ * Configuration Priority (highest to lowest):
+ * 1. Environment variables (BASIC_AUTH, CF_MTLS_TRUSTED_CERTS) - for production deployments
+ * 2. .cdsrc.json settings (cds.env.ord.authentication.basic, cds.env.ord.authentication.cfMtls) - for development and testing
+ *
+ * Authentication types are automatically detected based on the presence of configuration:
+ * - If cds.env.ord.authentication.basic exists → Basic authentication enabled
+ * - If cds.env.ord.authentication.cfMtls exists → CF mTLS authentication enabled
+ * - Multiple authentication types can coexist and are tried in order
+ * - Open authentication is the default when no secure authentication is configured
+ *
+ * This approach follows the 12-Factor App principles where environment variables
+ * can override configuration files for deployment flexibility.
+ *
+ * Note: CF mTLS validator is lazily initialized on first use to avoid blocking
+ * service startup for users not using mTLS authentication.
+ *
+ * @returns {Object} Authentication configuration object or default configuration object as a fallback.
+ */
+function createAuthConfig() {
+    const defaultAuthConfig = {
+        types: [AUTHENTICATION_TYPE.Open],
+        accessStrategies: [{ type: AUTHENTICATION_TYPE.Open }],
+    };
+
+    try {
+        const authConfig = { types: [] };
+        const ordAuth = cds.env.ord?.authentication || {};
+
+        // Detect Basic authentication by checking for credentials
+        if (process.env.BASIC_AUTH || ordAuth.basic) {
+            const credentials = process.env.BASIC_AUTH
+                ? JSON.parse(process.env.BASIC_AUTH)
+                : ordAuth.basic?.credentials;
+
+            if (!credentials) {
+                Logger.error("createAuthConfig:", "Basic auth enabled but no credentials provided");
+                return Object.assign(defaultAuthConfig, { error: "Basic auth credentials not provided" });
+            }
+
+            // Check all passwords in credentials map
+            for (const [username, password] of Object.entries(credentials)) {
+                if (!_isBcryptHash(password)) {
+                    Logger.error("createAuthConfig:", `Password for user "${username}" must be a bcrypt hash`);
+                    return Object.assign(defaultAuthConfig, { error: "All passwords must be bcrypt hashes" });
+                }
+            }
+
+            authConfig.types.push(AUTHENTICATION_TYPE.Basic);
+            authConfig.credentials = credentials;
+        }
+
+        // Detect CF mTLS authentication by checking for cfMtls config
+        if (process.env.CF_MTLS_TRUSTED_CERTS || ordAuth.cfMtls) {
+            authConfig.types.push(AUTHENTICATION_TYPE.CfMtls);
+            // Mark for lazy initialization - validator will be loaded on first use
+            authConfig.cfMtlsValidator = null;
+            authConfig._cfMtlsInitPromise = null;
+        }
+
+        // If no authentication types detected, default to Open
+        if (authConfig.types.length === 0) {
+            Logger.info("createAuthConfig:", 'No authentication configured. Defaulting to "Open" authentication');
+            return defaultAuthConfig;
+        }
+
+        // Build accessStrategies for ORD document using centralized mapping logic
+        // This ensures consistent mapping between auth types and ORD access strategies
+        // All mapping logic is centralized in lib/access-strategies.js
+        authConfig.accessStrategies = getAccessStrategiesFromAuthConfig(authConfig);
+
+        Logger.info("createAuthConfig:", `Configured authentication types: ${authConfig.types.join(", ")}`);
+        return authConfig;
+    } catch (error) {
+        Logger.error("createAuthConfig:", `Configuration error: ${error.message}`);
+        return Object.assign(defaultAuthConfig, { error: error.message });
+    }
+}
+
+/**
+ * Authentication strategy handler for Basic authentication
+ */
+async function basicAuthStrategy(req, res, authConfig) {
+    const authHeader = req.headers[BASIC_AUTH_HEADER_KEY];
+
+    if (!authHeader) {
+        return { success: false, handled: false };
+    }
+
+    // Check if this is a Basic auth request
+    if (!authHeader.startsWith(AUTH_STRINGS.BASIC_PREFIX)) {
+        // Header exists but not Basic auth - this is an explicit rejection
+        return { success: false, handled: true, error: "Invalid authentication type" };
+    }
+
+    try {
+        const [username, password] = Buffer.from(authHeader.split(" ")[1], "base64").toString().split(":");
+        const credentials = authConfig.credentials;
+        const storedPassword = credentials[username];
+
+        if (storedPassword && (await _comparePassword(password, storedPassword))) {
+            return { success: true, handled: true };
+        }
+
+        return { success: false, handled: true, error: "Invalid credentials" };
+    } catch (error) {
+        Logger.error("Basic auth error:", error.message);
+        return { success: false, handled: true, error: "Invalid authentication format" };
+    }
+}
+
+/**
+ * Authentication strategy handler for CF mTLS authentication
+ */
+async function cfMtlsAuthStrategy(req, res, authConfig) {
+    // Check if request has mTLS indicators
+    const hasMtlsHeaders = Object.values(CF_MTLS_HEADERS).some((header) => req.headers[header.toLowerCase()]);
+
+    if (!hasMtlsHeaders) {
+        return { success: false, handled: false };
+    }
+
+    try {
+        // Lazy-load validator on first mTLS request
+        await ensureCfMtlsValidator(authConfig);
+
+        // Create a mock res object to capture response sending attempts
+        let capturedStatus = null;
+        let capturedMessage = null;
+        const mockRes = {
+            status: (code) => {
+                capturedStatus = code;
+                return mockRes;
+            },
+            setHeader: () => mockRes,
+            send: (msg) => {
+                capturedMessage = msg;
+                return mockRes;
+            },
+        };
+
+        const result = handleCfMtlsAuthentication(req, mockRes, authConfig, Logger);
+
+        // If handleCfMtlsAuthentication sent a response, we need to send it
+        if (!result.success && capturedStatus && capturedMessage) {
+            res.status(capturedStatus).send(capturedMessage);
+            return { success: false, handled: true, responseSent: true };
+        }
+
+        return { success: result.success, handled: true };
+    } catch (error) {
+        Logger.error("CF mTLS initialization failed:", error.message);
+        return { success: false, handled: true, error: "Authentication configuration error" };
+    }
+}
+
+/**
+ * Authentication strategy handler for Open authentication
+ */
+async function openAuthStrategy() {
+    return { success: true, handled: true };
+}
+
+/**
+ * Strategy registry mapping authentication types to their handlers
+ */
+const AUTH_STRATEGIES = {
+    [AUTHENTICATION_TYPE.Basic]: basicAuthStrategy,
+    [AUTHENTICATION_TYPE.CfMtls]: cfMtlsAuthStrategy,
+    [AUTHENTICATION_TYPE.Open]: openAuthStrategy,
+};
+
+/**
+ * Creates an authentication middleware with the given configuration.
+ * This factory function returns a middleware that uses the provided authConfig via closure.
+ *
+ * @param {Object} authConfig - Authentication configuration object
+ * @returns {Function} Express middleware function
+ */
+function createAuthMiddleware(authConfig) {
+    return async function authenticate(req, res, next) {
+        // Handle invalid configuration
+        if (!authConfig || !authConfig.types || !Array.isArray(authConfig.types)) {
+            Logger.error("Invalid auth configuration:", authConfig);
+            return res.status(401).send("Not authorized");
+        }
+
+        // If open authentication, allow immediately
+        if (authConfig.types.includes(AUTHENTICATION_TYPE.Open)) {
+            res.status(200);
+            return next();
+        }
+
+        // Try each registered authentication strategy
+        const results = [];
+
+        for (const authType of authConfig.types) {
+            const strategy = AUTH_STRATEGIES[authType];
+
+            if (!strategy) {
+                Logger.warn(`Unknown authentication type: ${authType}`);
+                continue;
+            }
+
+            try {
+                const result = await strategy(req, res, authConfig);
+                results.push({ type: authType, ...result });
+
+                if (result.success) {
+                    res.status(200);
+                    return next();
+                }
+
+                // If the strategy already sent a response (e.g., CF mTLS specific error codes)
+                if (result.responseSent) {
+                    return;
+                }
+            } catch (error) {
+                Logger.error(`Error in ${authType} authentication:`, error.message);
+                results.push({ type: authType, success: false, handled: true, error: error.message });
+            }
+        }
+
+        // If we reach here, authentication failed
+        // Check if any strategy was attempted
+        const attemptedStrategies = results.filter((r) => r.handled);
+
+        if (attemptedStrategies.length === 0) {
+            // No authentication method was attempted
+            const wwwAuthHeaders = [];
+
+            if (authConfig.types.includes(AUTHENTICATION_TYPE.Basic)) {
+                wwwAuthHeaders.push(AUTH_STRINGS.WWW_AUTHENTICATE_REALM);
+            }
+
+            if (wwwAuthHeaders.length > 0) {
+                res.setHeader("WWW-Authenticate", wwwAuthHeaders.join(", "));
+            }
+
+            return res.status(401).send("Authentication required.");
+        }
+
+        // At least one strategy was attempted but failed
+        const firstError = attemptedStrategies.find((r) => r.error);
+        return res.status(401).send(firstError?.error || "Authentication failed");
+    };
+}
+
+module.exports = {
+    createAuthMiddleware,
+    createAuthConfig,
+};