npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@webstudio-is/wsauth

v0.269.0

Published

Webstudio auth primitives, validators, build-time helpers, and runtime enforcement

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

kofkoftrysoundtrysound

Keywords

Readme

@webstudio-is/wsauth

wsauth is Webstudio's generic authentication package.

It owns shared authentication types, validators, route matching, build-time resource generation, and runtime enforcement helpers used by Builder-generated sites. The package is structured around auth methods so Webstudio can add methods beyond Basic Auth without changing the route auth model.

The first implemented method is HTTP Basic Auth.

Auth Config

Webstudio sync writes route authentication config at:

.webstudio/auth.json

Version 1 uses JSON with route strings as keys:

{
  "version": 1,
  "routes": {
    "/my/page": {
      "method": "basic",
      "login": "me",
      "password": "idiot"
    },
    "/bla/*": {
      "method": "basic",
      "login": "bla",
      "password": "blubb"
    }
  }
}

Routes use the same path pattern syntax Webstudio uses for pages:

  • Static segment: /about
  • Named parameter: /blog/:slug
  • Optional named parameter: /blog/:slug?
  • Wildcard: /docs/*
  • Named wildcard: /docs/:path*

Route rules:

  • A route must start with /.
  • A route must not contain repeating /.
  • A route must not end with /, except the root route /.
  • * and :name* wildcard segments must be the final segment.
  • Named parameters use :name, :name?, or :name*.
  • Parameter names must contain word characters only, matching \w+.

Basic Auth

Version 1 supports Basic Auth:

{
  "method": "basic",
  "login": "admin",
  "password": "secret"
}

Rules:

  • Login is required.
  • Password is required.
  • Login must not contain :.
  • Login must not contain whitespace.
  • Password must not contain whitespace.
  • Password may contain :.

The colon rule follows HTTP Basic Auth's user-id ":" password credential structure from RFC 7617.

Build Semantics

Build tools generate .webstudio/auth.json from Webstudio project data. The file is treated as build output and is overwritten on sync.

Generated auth sources are applied in this order:

  1. Project-level auth config from Webstudio project settings
  2. Page-level auth generated by Webstudio page settings

If both sources define the same route, the later source wins. Because routes are JSON object keys, the generated config file cannot represent duplicate routes.

Runtime

At runtime, protected requests without valid credentials receive:

new Response("Authentication required", {
  status: 401,
  headers: {
    "WWW-Authenticate": 'Basic realm="Webstudio"',
    "Cache-Control": "private, no-store",
  },
});