
NodeSSPI called several times in one request #64

Open
suckerp opened this issue Feb 11, 2019 · 5 comments

Comments


suckerp commented Feb 11, 2019

Hi,

I'm using NodeSSPI as a global middleware in my Express backend (port 3000) just like in your example alongside an Angular frontend (port 4200). I added a console.log(err) inside the nodeSSPIObj.authenticate to see what the error is like.
Now every time I make a call to the backend I get at least 3 times "undefined" in the express console, which means the middleware is called that many times during a single call. No matter what browser I use (IE, Firefox or Chrome).

Then I made a simple test and created a test route in the backend and even if I call it directly with localhost:3000/test NodeSSPI is called 3 times. And at least once on every reload or if I go to another route manually.

Is this the expected behaviour? I was under the impression it should only be called once when you call the backend the first time and because perRequestAuth is set to false by default it shouldn't be called again after that until you restart the browser.
After all, if retrieveGroups is set to true it would also be called on each of the 3+ initial calls and on all other calls later.
Or am I not understanding the way it should work?

Owner

abbr commented Feb 11, 2019

If the host names of the backend and frontend are different, there could be an OPTIONS preflight request according to CORS. NTLM auth has at least 2 round trips. Therefore 3 times seems OK to me.
If perRequestAuth is false, then NodeSSPI will perform auth once per connection. But connection lifetime <= browser session, so auth could happen multiple times per browser session. If that bothers you, you can use a session mgmt module to save user info after first auth.

Author

suckerp commented Feb 12, 2019

Thanks for your answer.
Why does it also happen if I deactivate CORS and access the backend directly? Even then at least 3 times.
I just wondered since you always said the retrieveGroups option takes a toll on the AD server and if every single request does it 3 times it might be too much.
Right now it looks like my connection lifetime ends right after I entered a site otherwise it wouldn't call NodeSSPI again 3 times when I load a new page.

Something like Express Session wouldn't work in development mode since afaik it only works if frontend and backend are on the same host which isn't the case. I could maybe use a JSON WebToken.
How does either help me if I could only save the username or userSID but no other means to identify the user? Since NodeSSPI is a global middleware it would still be called first to authenticate the credentials sent in the http request before I could even access the token / cookie.

But with the other issue #53 where some groups are missing I'd probably need to add another ldap module to check if the user is a member of the groups I need him to be a member of, and therefore I could just deactivate the retrieveGroups option, which should lead to less stress on the AD server.

Author

suckerp commented Feb 12, 2019

Looks like one part of the problem solved itself for me.
Since I have to deploy the project on Windows IIS I found out that by using Windows Authentication in IIS iisnode has the option to add the AUTH_USER to the http headers so I can get the authenticated user from there.
Which is good news, since when I used Node-SSPI after a test deploy I got the login prompt in an infinite loop and when I finally canceled I got a 401 or 403 error. After deactivating Node-SSPI the SSO from IIS worked.
I probably missed something on how to make IIS Windows Authentication and Node-SSPI work together.
Do you have any idea how?

Now I still need to find a way to get the specified groups the authenticated user is part of. But I guess I need to do it without Node-SSPI.

Thanks for your help and explanations.


L-L-the-noob commented Oct 24, 2019

I was facing the same problem of having multiple requests per request from browser.
I finally noticed something different in each of those requests/responses, so I did some research on the NTLM handshake.

From what I read here, an unofficial document of how MS NTLM handshakes work, I finally see why there would be at least 3 requests coming into my server (and that's making node-sspi fairly difficult to migrate with some other node modules that make use of the request/response pair). It's pretty much how MS NTLM works, but apparently browsers don't show a thing about the handshakes behind the scenes.

TL;DR: It's how the NTLM protocol works, those are the required handshakes and they are not shown in the development tools of your browsers.

@HellowThar

I have this exact same issue. I get that's how NTLM handshaking works, but it's calling my POST methods 3 times. This executes database writes 3 times over instead of handshaking first, then continuing. Frustrating!
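The three-leg NTLM exchange described above, and the repeated route execution it causes, modelled as an added example (not node-sspi's code): the tokens are constructed placeholders, no real NTLM messages are parsed, and the `shortCircuit` flag contrasts a middleware that ends the two unauthenticated legs with 401 against one that hands every leg to the route handler.

```javascript
'use strict';

// Three legs the browser sends for ONE protected request: anonymous, then a
// Type 1 (negotiate) token, then a Type 3 (authenticate) token. The tokens are
// constructed placeholders; real NTLM messages are base64-encoded binary blobs.
const BROWSER_LEGS = [
  { method: 'POST', authorization: undefined },
  { method: 'POST', authorization: 'NTLM <type1-negotiate>' },
  { method: 'POST', authorization: 'NTLM <type3-authenticate>' },
];

// Model of an NTLM middleware. Only a Type 3 leg completes authentication.
// With shortCircuit=true the two earlier legs are answered with 401 and the
// route handler is never reached; with shortCircuit=false the handler runs on
// every leg, which is the behaviour reported in this thread.
function ntlmMiddleware(req, res, next, shortCircuit) {
  const auth = req.authorization || '';
  if (auth.startsWith('NTLM <type3')) {
    req.user = 'DOMAIN\\alice'; // constructed identity taken from the Type 3 token
    return next();
  }
  res.status = 401;
  // Leg 1 gets a bare "NTLM" challenge header; leg 2 gets the Type 2 challenge.
  res.wwwAuthenticate = auth.startsWith('NTLM <type1') ? 'NTLM <type2-challenge>' : 'NTLM';
  if (shortCircuit) return;
  next();
}

// Drives the three legs through the middleware and records what the route
// handler (standing in for a database write) was asked to do.
function simulate(shortCircuit) {
  const dbWrites = [];
  const statuses = [];
  for (const leg of BROWSER_LEGS) {
    const req = { ...leg };
    const res = { status: 200, wwwAuthenticate: undefined };
    ntlmMiddleware(req, res, () => {
      dbWrites.push(req.user || 'anonymous'); // the side effect that must happen once
    }, shortCircuit);
    statuses.push(res.status);
  }
  return { dbWrites, statuses };
}

module.exports = { BROWSER_LEGS, ntlmMiddleware, simulate };
```

Both runs finish the handshake with statuses 401, 401, 200; only the ungated run performs three writes, two of them attributed to no user at all.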
