node-expose-sspi-strict
Version:
Expose the Microsoft Windows SSPI interface in order to do NTLM and Kerberos authentication.
200 lines (199 loc) • 11.3 kB
JavaScript
;
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __generator = (this && this.__generator) || function (thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (_) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
exports.__esModule = true;
exports.auth = void 0;
var createError = require('http-errors');
var base64_arraybuffer_1 = require("base64-arraybuffer");
var misc_1 = require("./misc");
var api_1 = require("../../lib/api");
var SSO_1 = require("./SSO");
var ServerContextHandleManager_1 = require("./ServerContextHandleManager");
var debug_1 = __importDefault(require("debug"));
var debug = debug_1["default"]('node-expose-sspi:auth');
/**
* Tries to get SSO information from browser. If success, the SSO info
* is stored under req.sso
*
* @export
* @param {AuthOptions} [options={}]
* @returns {RequestHandler}
*/
function auth(options) {
var _this = this;
if (options === void 0) { options = {}; }
var opts = {
useActiveDirectory: true,
useGroups: true,
useOwner: false,
useCookies: true,
groupFilterRegex: '.*',
allowsGuest: false,
allowsAnonymousLogon: false
};
Object.assign(opts, options);
var _a = api_1.sspi.AcquireCredentialsHandle({
packageName: 'Negotiate'
}), credential = _a.credential, tsExpiry = _a.tsExpiry;
var checkCredentials = function () {
if (tsExpiry < new Date()) {
// renew server credentials
api_1.sspi.FreeCredentialsHandle(credential);
var renewed = api_1.sspi.AcquireCredentialsHandle({
packageName: 'Negotiate'
});
credential = renewed.credential;
tsExpiry = renewed.tsExpiry;
}
};
var schManager = new ServerContextHandleManager_1.ServerContextHandleManager(10000);
// returns the node middleware.
return function (req, res, next) {
(function () { return __awaiter(_this, void 0, void 0, function () {
var authorization, cookieToken, token, messageType, buffer, ssoMethod, input, serverContextHandle, serverSecurityContext, lastServerContextHandle, method, sso, e_1;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
_a.trys.push([0, 4, , 5]);
authorization = req.headers.authorization;
if (!authorization) {
debug('no authorization key in header');
res.statusCode = 401;
res.setHeader('WWW-Authenticate', 'Negotiate');
return [2 /*return*/, res.end()];
}
if (!authorization.startsWith('Negotiate ')) {
res.statusCode = 400;
return [2 /*return*/, res.end("Malformed authentication token: " + authorization)];
}
checkCredentials();
cookieToken = opts.useCookies
? schManager.initCookie(req, res)
: undefined;
debug('cookieToken: ', cookieToken);
token = authorization.substring('Negotiate '.length);
messageType = misc_1.getMessageType(token);
debug('messageType: ', messageType);
buffer = base64_arraybuffer_1.decode(token);
debug(misc_1.hexDump(buffer));
if (!(messageType === 'NTLM_NEGOTIATE_01' ||
messageType === 'Kerberos_1')) return [3 /*break*/, 2];
return [4 /*yield*/, schManager.waitForReleased(cookieToken)];
case 1:
_a.sent();
debug('schManager waitForReleased finished.');
ssoMethod = messageType.startsWith('NTLM')
? 'NTLM'
: 'Kerberos';
schManager.setMethod(ssoMethod, cookieToken);
_a.label = 2;
case 2:
input = {
credential: credential,
clientSecurityContext: {
SecBufferDesc: {
ulVersion: 0,
buffers: [buffer]
}
}
};
serverContextHandle = schManager.getServerContextHandle(cookieToken);
if (serverContextHandle) {
debug('adding to input a serverContextHandle (not first exchange)');
input.contextHandle = serverContextHandle;
}
debug('input just before calling AcceptSecurityContext', input);
serverSecurityContext = api_1.sspi.AcceptSecurityContext(input);
debug('serverSecurityContext just after AcceptSecurityContext', serverSecurityContext);
if (!['SEC_E_OK', 'SEC_I_CONTINUE_NEEDED'].includes(serverSecurityContext.SECURITY_STATUS)) {
// 'SEC_I_COMPLETE_AND_CONTINUE', 'SEC_I_COMPLETE_NEEDED' are considered as errors because it is used
// only by 'Digest' SSP. (not by Negotiate, Kerberos or NTLM)
if (serverSecurityContext.SECURITY_STATUS === 'SEC_E_LOGON_DENIED') {
res.statusCode = 401;
return [2 /*return*/, res.end("SEC_E_LOGON_DENIED. (incorrect login/password, or account disabled, or locked, etc.). Protocol Message = " + messageType + ".")];
}
throw new Error('AcceptSecurityContext error: ' +
serverSecurityContext.SECURITY_STATUS);
}
schManager.set(serverSecurityContext.contextHandle, cookieToken);
debug('AcceptSecurityContext output buffer');
debug(misc_1.hexDump(serverSecurityContext.SecBufferDesc.buffers[0]));
if (serverSecurityContext.SECURITY_STATUS === 'SEC_I_CONTINUE_NEEDED') {
res.statusCode = 401;
res.setHeader('WWW-Authenticate', 'Negotiate ' +
base64_arraybuffer_1.encode(serverSecurityContext.SecBufferDesc.buffers[0]));
return [2 /*return*/, res.end()];
}
lastServerContextHandle = schManager.getServerContextHandle(cookieToken);
method = schManager.getMethod(cookieToken);
sso = new SSO_1.SSO(lastServerContextHandle, method);
sso.setOptions(opts);
return [4 /*yield*/, sso.load()];
case 3:
_a.sent();
req.sso = sso.getJSON();
api_1.sspi.DeleteSecurityContext(lastServerContextHandle);
schManager.release(cookieToken);
// check if user is allowed.
if (!opts.allowsAnonymousLogon &&
req.sso.user.name === 'ANONYMOUS LOGON') {
res.statusCode = 401;
return [2 /*return*/, res.end('Anonymous login not authorized.')];
}
if (!opts.allowsGuest && req.sso.user.name === 'Guest') {
res.statusCode = 401;
return [2 /*return*/, res.end('Guest not authorized.')];
}
// user authenticated and allowed.
res.setHeader('WWW-Authenticate', 'Negotiate ' + base64_arraybuffer_1.encode(serverSecurityContext.SecBufferDesc.buffers[0]));
return [2 /*return*/, next()];
case 4:
e_1 = _a.sent();
schManager.release();
console.error(e_1);
next(createError(401, "Error while doing SSO: " + e_1.message));
return [3 /*break*/, 5];
case 5: return [2 /*return*/];
}
});
}); })();
};
}
exports.auth = auth;