Allow to overwrite implementation details based on the request.connection

This commit introduces three new methods to the options, providing the developer using the middleware with the ability to modify how the NTLM user data and proxy cache ID are stored. This enhancement enables the middleware to be used with a (reverse) proxy if the application can supply a unique identifier for the user.

The default behavior of storing the user data and proxy cache ID on the request.connection is maintained as the default value for the new options.

Author: jsfi

README.md

@@ -98,7 +98,10 @@ It's not recommended, but it's possible to add NTLM-Authentication without valid
 | `domaincontroller` | `null` / `string` / `array` | `null` | One or more domaincontroller(s) to handle the authentication. If `null` is specified the user is not validated. Active Directory is supported. |
 | `tlsOptions` | `object` | `undefined` | An options object that will be passed to [tls.connect](https://nodejs.org/api/tls.html#tls_tls_connect_options_callback) and [tls.createSecureContext](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options). __Only required when using ldaps and the server's certificate is signed by a certificate authority not in Node's default list of CAs.__ (or use [NODE_EXTRA_CA_CERTS](https://nodejs.org/api/cli.html#cli_node_extra_ca_certs_file) environment variable)|
 | `tlsOptions.ca` | `string` /  `array` / `Buffer` | `undefined` | Override the trusted CA certificates provided by Node. Refer to [tls.createSecureContext](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options) |
-| `getConnectionId` | `function` | `function(request, response) { return utils.uuidv4(); }` | Function to generate custom connection IDs, based optionally on the request and response objects. |
+| `getConnectionId` | `function` | `function(request, response) { return utils.uuidv4(); }` | Function to generate custom connection IDs, based optionally on the request and response objects. Used by the default implementation of `getProxyId` to keep backwards compatibility. *deprecated* |
+| `getProxyId` | `function` | `function(request, response) { if (!request.connection.id) { request.connection.id = options.getConnectionId(request, response); } return request.connection.id; }` | Function to generate custom proxy cache IDs, based optionally on the request and response objects. |
+| `getCachedUserData` | `function` | `function(request, response) { return request.connection.ntlm; }` | Function to return the cached NTLM user data. |
+| `addCachedUserData` | `function` | `function(request, response, userData) { request.connection.ntlm = userData; }` | Function to cache the NTLM user data. |
 
 ## logging (examples)
 <a name="logging" />

lib/express-ntlm.js

@@ -43,6 +43,21 @@ module.exports = function(options) {
 
         getConnectionId(request, response) {
             return utils.uuidv4();
+        },
+
+        getProxyId(request, response) {
+            if (!request.connection.id) {
+                request.connection.id = options.getConnectionId(request, response);
+            }
+
+            return request.connection.id;
+        },
+
+        getCachedUserData(request, response) {
+            return request.connection.ntlm;
+        },
+        addCachedUserData(request, response, userData) {
+            request.connection.ntlm = userData;
         }
     }, options);
 
@@ -137,7 +152,9 @@ module.exports = function(options) {
     }
 
     function handle_type1(request, response, next, ntlm_message, callback) {
-        cache.remove(request.connection.id);
+        var proxyId = options.getProxyId(request, response);
+
+        cache.remove(proxyId);
         cache.clean();
 
         connect_to_proxy(ntlm_message, function(error, proxy, challenge) {
@@ -147,14 +164,15 @@ module.exports = function(options) {
             response.setHeader('WWW-Authenticate', 'NTLM ' + challenge.toString('base64'));
             response.end();
 
-            cache.add(request.connection.id, proxy);
+            cache.add(proxyId, proxy);
 
             return callback();
         });
     }
 
     function handle_type3(request, response, next, ntlm_message, callback) {
-        var proxy = cache.get_proxy(request.connection.id);
+        var proxyId = options.getProxyId(request, response),
+            proxy = cache.get_proxy(proxyId);
 
         var userDomainWorkstation = parse_ntlm_authenticate(ntlm_message),
             user = userDomainWorkstation[0],
@@ -176,10 +194,10 @@ module.exports = function(options) {
 
             request.ntlm = userData;
             response.locals.ntlm = userData;
-            request.connection.ntlm = userData;
+            options.addCachedUserData(request, response, userData);
 
             if (!result) {
-                cache.remove(request.connection.id);
+                cache.remove(proxyId);
                 options.debug(options.prefix, 'User ' + domain + '/' + user + ' authentication for URI ' + request.protocol + '://' + request.get('host') + request.originalUrl);
                 return options.forbidden(request, response, next);
             } else {
@@ -190,13 +208,9 @@ module.exports = function(options) {
     }
 
     return function(request, response, next) {
-        if (!request.connection.id) {
-            request.connection.id = options.getConnectionId(request, response);
-        }
-
         var auth_headers = request.headers.authorization;
 
-        var user = request.connection.ntlm;
+        var user = options.getCachedUserData(request, response);
         if (user && user.Authenticated) {
             options.debug(options.prefix, 'Connection already authenticated ' + user.DomainName + '/' + user.UserName);
             if (auth_headers) {
@@ -241,7 +255,7 @@ module.exports = function(options) {
         }
 
         if (ntlm_version === 3) {
-            if (cache.get_proxy(request.connection.id) !== null) {
+            if (cache.get_proxy(options.getProxyId(request, response)) !== null) {
                 return handle_type3(request, response, next, ah_data[1], function(error) {
                     if (error) {
                         options.debug(options.prefix, error.stack);