Fix NTLM challenge selection from WWW-Authenticate headers

2026-02-20 17:47:47 +01:00 · 2026-02-20 08:24:11 -08:00
3 changed files with 100 additions and 8 deletions
--- a/plugins/auth-ntlm/package.json
+++ b/plugins/auth-ntlm/package.json
@@ -11,7 +11,8 @@
  "version": "0.1.0",
  "scripts": {
    "build": "yaakcli build",
-    "dev": "yaakcli dev"
+    "dev": "yaakcli dev",
+    "test": "vitest --run tests"
  },
  "dependencies": {
    "httpntlm": "^1.8.13"
--- a/plugins/auth-ntlm/src/index.ts
+++ b/plugins/auth-ntlm/src/index.ts
@@ -2,6 +2,16 @@ import type { PluginDefinition } from '@yaakapp/api';

 import { ntlm } from 'httpntlm';

+function extractNtlmChallenge(headers: Array<{ name: string; value: string }>): string | null {
+  const authValues = headers
+    .filter((h) => h.name.toLowerCase() === 'www-authenticate')
+    .flatMap((h) => h.value.split(','))
+    .map((v) => v.trim())
+    .filter(Boolean);
+
+  return authValues.find((v) => /^NTLM\s+\S+/i.test(v)) ?? null;
+}
+
 export const plugin: PluginDefinition = {
  authentication: {
    name: 'windows',
@@ -68,15 +78,12 @@ export const plugin: PluginDefinition = {
        },
      });

-      const wwwAuthenticateHeader = negotiateResponse.headers.find(
-        (h) => h.name.toLowerCase() === 'www-authenticate',
-      );
-
-      if (!wwwAuthenticateHeader?.value) {
-        throw new Error('Unable to find www-authenticate response header for NTLM');
+      const ntlmChallenge = extractNtlmChallenge(negotiateResponse.headers);
+      if (ntlmChallenge == null) {
+        throw new Error('Unable to find NTLM challenge in WWW-Authenticate response headers');
      }

-      const type2 = ntlm.parseType2Message(wwwAuthenticateHeader.value, (err: Error | null) => {
+      const type2 = ntlm.parseType2Message(ntlmChallenge, (err: Error | null) => {
        if (err != null) throw err;
      });
      const type3 = ntlm.createType3Message(type2, options);
--- a/plugins/auth-ntlm/tests/index.test.ts
+++ b/plugins/auth-ntlm/tests/index.test.ts
@@ -0,0 +1,84 @@
+import type { Context } from '@yaakapp/api';
+import { beforeEach, describe, expect, test, vi } from 'vitest';
+
+const ntlmMock = vi.hoisted(() => ({
+  createType1Message: vi.fn(),
+  parseType2Message: vi.fn(),
+  createType3Message: vi.fn(),
+}));
+
+vi.mock('httpntlm', () => ({ ntlm: ntlmMock }));
+
+import { plugin } from '../src';
+
+describe('auth-ntlm', () => {
+  beforeEach(() => {
+    ntlmMock.createType1Message.mockReset();
+    ntlmMock.parseType2Message.mockReset();
+    ntlmMock.createType3Message.mockReset();
+    ntlmMock.createType1Message.mockReturnValue('NTLM TYPE1');
+    ntlmMock.parseType2Message.mockReturnValue({} as any);
+    ntlmMock.createType3Message.mockReturnValue('NTLM TYPE3');
+  });
+
+  test('uses NTLM challenge when Negotiate and NTLM headers are separate', async () => {
+    const send = vi.fn().mockResolvedValue({
+      headers: [
+        { name: 'WWW-Authenticate', value: 'Negotiate' },
+        { name: 'WWW-Authenticate', value: 'NTLM TlRMTVNTUAACAAAAAA==' },
+      ],
+    });
+    const ctx = { httpRequest: { send } } as unknown as Context;
+
+    const result = await plugin.authentication?.onApply(ctx, {
+      values: {},
+      headers: [],
+      url: 'https://example.local/resource',
+      method: 'GET',
+      contextId: 'ctx',
+    });
+
+    expect(ntlmMock.parseType2Message).toHaveBeenCalledWith(
+      'NTLM TlRMTVNTUAACAAAAAA==',
+      expect.any(Function),
+    );
+    expect(result).toEqual({ setHeaders: [{ name: 'Authorization', value: 'NTLM TYPE3' }] });
+  });
+
+  test('uses NTLM challenge when auth schemes are comma-separated in one header', async () => {
+    const send = vi.fn().mockResolvedValue({
+      headers: [{ name: 'www-authenticate', value: 'Negotiate, NTLM TlRMTVNTUAACAAAAAA==' }],
+    });
+    const ctx = { httpRequest: { send } } as unknown as Context;
+
+    await plugin.authentication?.onApply(ctx, {
+      values: {},
+      headers: [],
+      url: 'https://example.local/resource',
+      method: 'GET',
+      contextId: 'ctx',
+    });
+
+    expect(ntlmMock.parseType2Message).toHaveBeenCalledWith(
+      'NTLM TlRMTVNTUAACAAAAAA==',
+      expect.any(Function),
+    );
+  });
+
+  test('throws a clear error when NTLM challenge is missing', async () => {
+    const send = vi.fn().mockResolvedValue({
+      headers: [{ name: 'WWW-Authenticate', value: 'Negotiate' }],
+    });
+    const ctx = { httpRequest: { send } } as unknown as Context;
+
+    await expect(
+      plugin.authentication?.onApply(ctx, {
+        values: {},
+        headers: [],
+        url: 'https://example.local/resource',
+        method: 'GET',
+        contextId: 'ctx',
+      }),
+    ).rejects.toThrow('Unable to find NTLM challenge in WWW-Authenticate response headers');
+  });
+});