Kieran Quinn

Reputation: 1115

express-ntlm returning the wrong user

I'm using express-ntlm to get the current user's Windows ID in an intranet setting. It works fine most of the time, but occasionally it will return the ID of a completely different person. I'm guessing this is something to do with sessions maybe?

const ntlm = require('express-ntlm');

module.exports = app => {
  app.use(
    ntlm({
      // Forward express-ntlm's debug output to the console
      debug: function() {
        var args = Array.prototype.slice.apply(arguments);
        console.log.apply(null, args);
      },
      domain: 'MS',
      domaincontroller: 'ldap://something.com'
    })
  );

  app.post('/get-user-details/', (req, res) => {
    // Returns the correct user most of the time, but sometimes it returns a
    // different person who opened the site at the same time
    console.log(req.ntlm.UserName);
  });
};

Upvotes: 0

Views: 419

Answers (1)

Fabio Poloni

Reputation: 8371

Unfortunately, NTLM authenticates connections, not sessions. That was fine in the past, but doesn't make sense anymore, since browsers tend to open multiple connections at once to speed up page loading and reverse proxies are sharing connections to the backend. That's where the problem is: your reverse proxy will reuse already authenticated connections to the backend, and therefore mix up users. To mitigate this issue, you have to make sure your reverse proxy has NTLM support enabled.

There is still an open pull request for express-ntlm that adds a Keep-Alive property which might solve this issue; unfortunately, it's widely untested and first needs to be verified.

Upvotes: 1
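One way to detect the connection reuse described in the answer above, as an added example that is not part of the original answer or of express-ntlm: a check that flags a backend socket once it carries requests from more than one client. It assumes the reverse proxy sets `X-Forwarded-For` to the real client address; the function names are hypothetical.

```javascript
// NTLM authenticates the connection, so every request arriving on a socket
// inherits the identity from that socket's handshake. If a proxy multiplexes
// several clients onto one backend socket, req.ntlm belongs to whoever
// authenticated first.
const firstClientBySocket = new WeakMap(); // socket -> first client seen on it

function clientOf(req) {
  // Assumption: leftmost X-Forwarded-For entry is the original client.
  const xff = (req.headers['x-forwarded-for'] || '').split(',')[0].trim();
  return xff || req.socket.remoteAddress;
}

// Returns null while the socket has only served one client, otherwise an
// object describing the mismatch.
function checkConnectionReuse(req) {
  const client = clientOf(req);
  const first = firstClientBySocket.get(req.socket);
  if (first === undefined) {
    firstClientBySocket.set(req.socket, client);
    return null;
  }
  if (first === client) return null;
  return {
    firstClient: first,
    currentClient: client,
    ntlmUser: req.ntlm ? req.ntlm.UserName : undefined
  };
}

// Express-style middleware; register it after ntlm().
function rejectSharedNtlmConnection(req, res, next) {
  const mismatch = checkConnectionReuse(req);
  if (!mismatch) return next();
  console.warn('NTLM connection shared between clients', mismatch);
  // Fail closed instead of serving the request under another user's identity.
  res.set('Connection', 'close');
  res.status(500).end();
}

// Constructed sample: one backend socket (the proxy's) carrying two clients.
function demo() {
  const socket = { remoteAddress: '10.0.0.5' };
  const ntlm = { UserName: 'alice' }; // identity bound to the socket
  const first = { socket, ntlm, headers: { 'x-forwarded-for': '10.1.1.10' } };
  const second = { socket, ntlm, headers: { 'x-forwarded-for': '10.1.1.20' } };
  return [checkConnectionReuse(first), checkConnectionReuse(second)];
}
```

The check is a heuristic: clients behind the same NAT address look identical to it, so it confirms a misconfigured proxy but does not prove a correctly configured one.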
