Below is a concise feature list with short usage snippets showing how to use each capability of https://esm.town/v/pomdtr/password_auth?v=87
Just import `passwordAuth` from that URL.
Feature: Validate against one or more hardcoded passwords.
Snippet:
```javascript
// A simple password check function
async function verifyPassword(password) {
  return ["mySecret", "myBackup"].includes(password);
}

app.use("/protected", passwordAuth(
  (req) => new Response("You have access!"),
  { verifyPassword }
));
```
Users who navigate to /protected are redirected to /signin unless they enter a valid password. Session cookies are then set to keep them logged in.
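The snippets on this page compare the submitted password with `===` or `Array.includes` against a literal in the source. The following added example (not part of password_auth or of the original page) builds a `verifyPassword` callback that takes its secrets from configuration, fails closed when none is set, and compares without an early exit. `makeVerifier`, `constantTimeEqual` and the `APP_PASSWORD` variable name are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not part of password_auth.
const encoder = new TextEncoder();

// Compare two strings without stopping at the first differing byte.
// Run time depends on the longer input's length, not on where they differ.
function constantTimeEqual(a, b) {
  const x = encoder.encode(a);
  const y = encoder.encode(b);
  const len = Math.max(x.length, y.length);
  let diff = x.length ^ y.length; // a length mismatch must fail too
  for (let i = 0; i < len; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Build a verifyPassword callback from a list of accepted secrets.
// Unset or empty entries are dropped; if nothing is left, refuse to start
// instead of silently accepting an empty password.
function makeVerifier(secrets) {
  const accepted = secrets.filter((s) => typeof s === "string" && s.length > 0);
  if (accepted.length === 0) {
    throw new Error("no password configured; refusing to start");
  }
  return async function verifyPassword(password) {
    if (typeof password !== "string" || password.length === 0) return false;
    let ok = false;
    // Check every candidate (no early exit), unlike Array.includes.
    for (const secret of accepted) {
      ok = constantTimeEqual(password, secret) || ok;
    }
    return ok;
  };
}

// Usage with the page's API (APP_PASSWORD is an assumed variable name):
//   const verifyPassword = makeVerifier([Deno.env.get("APP_PASSWORD")]);
//   app.use("/protected", passwordAuth(
//     (req) => new Response("You have access!"),
//     { verifyPassword }
//   ));
```

The same callback can be passed as `verifyPassword` for the Bearer-token case, since the page's examples use one option for both flows.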
Feature: Store sessions in a user-defined table instead of the default "password_auth_session".
Snippet:
```javascript
async function verifyPassword(password) {
  // Hardcoded or any custom logic
  return password === "MyCustomSecret";
}

app.use("/customSessions", passwordAuth(
  (req) => new Response("Welcome to custom sessions!"),
  {
    verifyPassword,
    sessionTable: "my_special_session_table"
  }
));
```
All session data is now saved in "my_special_session_table" instead of the default table.
Feature: Provide a password (or token) in the Authorization header (Bearer <password>) to skip the cookie flow.
Snippet:
```javascript
import { passwordAuth } from "https://esm.town/v/pomdtr/password_auth?v=87";

async function verifyApiToken(passwordOrToken) {
  // Check a static password or your own token logic
  return passwordOrToken === "mySecretAPIKey";
}

app.use("/api", passwordAuth(
  (req) => new Response("API Access Granted"),
  { verifyPassword: verifyApiToken }
));

// Example call using fetch:
fetch("https://<your-val-town-endpoint>/api", {
  headers: {
    "Authorization": "Bearer mySecretAPIKey"
  }
});
```
This allows scripts or external clients to pass authentication without using the HTML form.
Feature: Automatic /signin (HTML form GET/POST) and /signout endpoints.
How It Works:
- `GET /signin` shows a default login page.
- `POST /signin` processes form data and sets an HTTP-only session cookie if valid.
- `GET /signout` clears the session cookie and redirects back to `/signin`.
Snippet:
```javascript
app.get("/", (c) => c.text("Public route, no auth needed!"));

// Protect subsequent routes
app.use("/secret", passwordAuth(
  (req) => new Response("You are authenticated!"),
  { verifyPassword: async (p) => p === "myPw" }
));

// For sign-out, just navigate to /signout
```
When a user visits /secret without a valid cookie, they’re redirected to /signin. Once signed in, they can also hit /signout to end their session.
Feature:
- Sessions expire in 7 days by default.
- If the session table doesn’t exist in SQLite, it’s automatically created at login time.
Snippet:
```javascript
async function verifyPassword(password) {
  return password === "testExpire";
}

app.use("/time-limited", passwordAuth(
  () => new Response("Session is still valid!"),
  { verifyPassword }
));
```
If a user’s session is older than 7 days, they are redirected to /signin again.
- `verifyPassword(password)`: Provide any custom logic for passwords or tokens.
- `sessionTable`: Override the SQLite table name for sessions if you want.
- `/signin` & `/signout`: Automatically handled routes for HTML form logins and logout flows.
- Bearer Auth: Supply a valid password/token in the `Authorization` header to bypass the HTML flow.
- Cookie-Based Sessions: Once signed in, users get a cookie that remains valid for 7 days unless they sign out.