mirror of
https://github.com/mountain-loop/yaak.git
synced 2026-04-21 08:11:24 +02:00
Fix NTLM challenge parsing when WWW-Authenticate has Negotiate first (#402)
This commit is contained in:
Gregory Schier
@@ -11,7 +11,8 @@
|
|||||||
"version": "0.1.0",
|
"version": "0.1.0",
|
||||||
"scripts": {
|
"scripts": {
|
||||||
"build": "yaakcli build",
|
"build": "yaakcli build",
|
||||||
"dev": "yaakcli dev"
|
"dev": "yaakcli dev",
|
||||||
|
"test": "vitest --run tests"
|
||||||
},
|
},
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"httpntlm": "^1.8.13"
|
"httpntlm": "^1.8.13"
|
||||||
|
|||||||
@@ -2,6 +2,16 @@ import type { PluginDefinition } from '@yaakapp/api';
|
|||||||
|
|
||||||
import { ntlm } from 'httpntlm';
|
import { ntlm } from 'httpntlm';
|
||||||
|
|
||||||
|
function extractNtlmChallenge(headers: Array<{ name: string; value: string }>): string | null {
|
||||||
|
const authValues = headers
|
||||||
|
.filter((h) => h.name.toLowerCase() === 'www-authenticate')
|
||||||
|
.flatMap((h) => h.value.split(','))
|
||||||
|
.map((v) => v.trim())
|
||||||
|
.filter(Boolean);
|
||||||
|
|
||||||
|
return authValues.find((v) => /^NTLM\s+\S+/i.test(v)) ?? null;
|
||||||
|
}
|
||||||
|
|
||||||
export const plugin: PluginDefinition = {
|
export const plugin: PluginDefinition = {
|
||||||
authentication: {
|
authentication: {
|
||||||
name: 'windows',
|
name: 'windows',
|
||||||
@@ -68,15 +78,12 @@ export const plugin: PluginDefinition = {
|
|||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
const wwwAuthenticateHeader = negotiateResponse.headers.find(
|
const ntlmChallenge = extractNtlmChallenge(negotiateResponse.headers);
|
||||||
(h) => h.name.toLowerCase() === 'www-authenticate',
|
if (ntlmChallenge == null) {
|
||||||
);
|
throw new Error('Unable to find NTLM challenge in WWW-Authenticate response headers');
|
||||||
|
|
||||||
if (!wwwAuthenticateHeader?.value) {
|
|
||||||
throw new Error('Unable to find www-authenticate response header for NTLM');
|
|
||||||
}
|
}
|
||||||
|
|
||||||
const type2 = ntlm.parseType2Message(wwwAuthenticateHeader.value, (err: Error | null) => {
|
const type2 = ntlm.parseType2Message(ntlmChallenge, (err: Error | null) => {
|
||||||
if (err != null) throw err;
|
if (err != null) throw err;
|
||||||
});
|
});
|
||||||
const type3 = ntlm.createType3Message(type2, options);
|
const type3 = ntlm.createType3Message(type2, options);
|
||||||
|
|||||||
84
plugins/auth-ntlm/tests/index.test.ts
Normal file
84
plugins/auth-ntlm/tests/index.test.ts
Normal file
@@ -0,0 +1,84 @@
|
|||||||
|
import type { Context } from '@yaakapp/api';
|
||||||
|
import { beforeEach, describe, expect, test, vi } from 'vitest';
|
||||||
|
|
||||||
|
const ntlmMock = vi.hoisted(() => ({
|
||||||
|
createType1Message: vi.fn(),
|
||||||
|
parseType2Message: vi.fn(),
|
||||||
|
createType3Message: vi.fn(),
|
||||||
|
}));
|
||||||
|
|
||||||
|
vi.mock('httpntlm', () => ({ ntlm: ntlmMock }));
|
||||||
|
|
||||||
|
import { plugin } from '../src';
|
||||||
|
|
||||||
|
describe('auth-ntlm', () => {
|
||||||
|
beforeEach(() => {
|
||||||
|
ntlmMock.createType1Message.mockReset();
|
||||||
|
ntlmMock.parseType2Message.mockReset();
|
||||||
|
ntlmMock.createType3Message.mockReset();
|
||||||
|
ntlmMock.createType1Message.mockReturnValue('NTLM TYPE1');
|
||||||
|
ntlmMock.parseType2Message.mockReturnValue({} as any);
|
||||||
|
ntlmMock.createType3Message.mockReturnValue('NTLM TYPE3');
|
||||||
|
});
|
||||||
|
|
||||||
|
test('uses NTLM challenge when Negotiate and NTLM headers are separate', async () => {
|
||||||
|
const send = vi.fn().mockResolvedValue({
|
||||||
|
headers: [
|
||||||
|
{ name: 'WWW-Authenticate', value: 'Negotiate' },
|
||||||
|
{ name: 'WWW-Authenticate', value: 'NTLM TlRMTVNTUAACAAAAAA==' },
|
||||||
|
],
|
||||||
|
});
|
||||||
|
const ctx = { httpRequest: { send } } as unknown as Context;
|
||||||
|
|
||||||
|
const result = await plugin.authentication?.onApply(ctx, {
|
||||||
|
values: {},
|
||||||
|
headers: [],
|
||||||
|
url: 'https://example.local/resource',
|
||||||
|
method: 'GET',
|
||||||
|
contextId: 'ctx',
|
||||||
|
});
|
||||||
|
|
||||||
|
expect(ntlmMock.parseType2Message).toHaveBeenCalledWith(
|
||||||
|
'NTLM TlRMTVNTUAACAAAAAA==',
|
||||||
|
expect.any(Function),
|
||||||
|
);
|
||||||
|
expect(result).toEqual({ setHeaders: [{ name: 'Authorization', value: 'NTLM TYPE3' }] });
|
||||||
|
});
|
||||||
|
|
||||||
|
test('uses NTLM challenge when auth schemes are comma-separated in one header', async () => {
|
||||||
|
const send = vi.fn().mockResolvedValue({
|
||||||
|
headers: [{ name: 'www-authenticate', value: 'Negotiate, NTLM TlRMTVNTUAACAAAAAA==' }],
|
||||||
|
});
|
||||||
|
const ctx = { httpRequest: { send } } as unknown as Context;
|
||||||
|
|
||||||
|
await plugin.authentication?.onApply(ctx, {
|
||||||
|
values: {},
|
||||||
|
headers: [],
|
||||||
|
url: 'https://example.local/resource',
|
||||||
|
method: 'GET',
|
||||||
|
contextId: 'ctx',
|
||||||
|
});
|
||||||
|
|
||||||
|
expect(ntlmMock.parseType2Message).toHaveBeenCalledWith(
|
||||||
|
'NTLM TlRMTVNTUAACAAAAAA==',
|
||||||
|
expect.any(Function),
|
||||||
|
);
|
||||||
|
});
|
||||||
|
|
||||||
|
test('throws a clear error when NTLM challenge is missing', async () => {
|
||||||
|
const send = vi.fn().mockResolvedValue({
|
||||||
|
headers: [{ name: 'WWW-Authenticate', value: 'Negotiate' }],
|
||||||
|
});
|
||||||
|
const ctx = { httpRequest: { send } } as unknown as Context;
|
||||||
|
|
||||||
|
await expect(
|
||||||
|
plugin.authentication?.onApply(ctx, {
|
||||||
|
values: {},
|
||||||
|
headers: [],
|
||||||
|
url: 'https://example.local/resource',
|
||||||
|
method: 'GET',
|
||||||
|
contextId: 'ctx',
|
||||||
|
}),
|
||||||
|
).rejects.toThrow('Unable to find NTLM challenge in WWW-Authenticate response headers');
|
||||||
|
});
|
||||||
|
});
|
||||||
Reference in New Issue
Block a user