Status code 401 seems incorrect. Is there a better solution?

Specs/standards say the right way to do things. They don't usually require you to follow them or prohibit you from not following them. They're like recipes: a recipe telling you to freeze ice cream probably won't specifically prohibit you from baking it, but a failure resulting from doing so shouldn't surprise anyone.

We're sending authentication data through the body and generating 401 responses. Where in the spec does it say 401 responses are to be used in that way? The only spec on 401 responses doesn't mention authentication through bodies anywhere

A 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent

and

A user agent that wishes to authenticate itself with an origin server — usually, but not necessarily, after receiving a 401 (Unauthorized) — can do so by including an Authorization header field with the request.

What it does say we can do (authenticate through headers), we're not doing. What we actually do (send authentication through the body), it never tells us to do, certainly not in that way. Though it says we can use additional authentication mechanisms (eg, encapsulate authentication within the message), we're still not doing what it specifically told us to do (use 401 responses with special headers). If we're not using those headers, then I don't know what we're doing with 401 responses: maybe baking ice cream.

Yes, it's possible. It's also not a good idea. Though I don't know all HTTP authentication schemes, the ones I know are dated and insecure, so I don't recommend it. If you must do so, however, try searching for HTTP authentication middleware.

• Passport includes a module
• An express module for all authentication headers
• Express basic auth

Definitely don't do basic auth: no encryption whatsoever. Digest, though it encrypts (weakly), is highly vulnerable. There might be better HTTP authentication schemes, however: I don't claim to know them all.