A small library for generating and validating ltpa tokens. Based on the IBM specification.
For developers integrating Node.js applications with the world of IBM Domino and/or Websphere.
Since version 2.0, this module is strictly ESmodule. If you require CommonJS, you can still use the 1.x versions.
In IBM Domino, the server secret can be found in the
names.nsf
database,
($WebSSOConfigs)
view,
LTPA_DominoSecret
field.
$ npm install ltpa
or clone it from github:
$ git clone https://github.com/markusberg/ltpa.git
This is the full API, but normally you'll only use a few of these methods. See examples below.
setSecrets(secrets: Secrets)
: Add your server secrets to the library, for later use in validation and signing of tokensrefresh(token: string, domain: string)
: Validate provided token, and return a fresh tokengenerateUserNameBuf(userName: string)
: Generate a userName Buffer. Currently hardcoded to CP-850, but the true char encoding is LMBCSgenerate(userNameBuf: Buffer, domain: string)
: Generate a Base64-encoded Ltpa tokensetValidity(seconds: number)
: Set how long a generated token is valid. Default is 5400 seconds (90 minutes).setStrictExpirationValidation(strict: boolean)
: If set to true, token expiration validation will check the actual validation timestamp in the token instead of the calculated expiration. See the "Known Issues" section below.setGracePeriod(seconds: number)
: Set the amount of time outside a ticket's validity that we will still accept it. This time is also added to the validity of tokens that are generated. Default is 300 seconds (5 minutes).
NOTE: since the grace period is added both on token generation, and during validation, the actual grace period is double what is set here.getUserName(token: string)
: Retrieve the username as astring
from the provided token. No validation of the token is performedgetUserNameBuf(token: string)
: Retrieve the username as aBuffer
from the provided token. No validation of the token is performedvalidate(token: string, domain: string)
: Validate provided token. Throws an error if validation fails
These examples are for Express, but the functionality should be easy to adapt to Koa or other frameworks.
Add the dependency and create a simple middleware:
import { getUserName, refresh, setSecrets } from 'ltpa'
import { NextFunction, Request, Response } from 'express'
setSecrets({
'example.com': 'AAECAwQFBgcICQoLDA0ODxAREhM=',
})
/**
* Express Middleware
* Authenticate user by verifying the provided LtpaToken cookie
*/
export function mwLtpaAuth(req: Request, res: Response, next: NextFunction) {
try {
const ltpaToken = refresh(req.cookies.LtpaToken, 'example.com')
const newCookie =
'LtpaToken=' + ltpaToken + '; Path=/; Domain=' + 'example.com'
res.setHeader('Set-Cookie', newCookie)
next()
} catch (err) {
console.log(err)
res.status(401).json({ message: 'Not authorized for this resource' })
}
}
/**
* Express route
*/
router.get('/testAuth', mwLtpaAuth, (req: Request, res: Response) => {
res.send('user is logged in as ' + getUserName(req.cookies.LtpaToken))
})
If you need to access a backend Domino database using a specific user account,
you can generate an LtpaToken for that account using the generate
method:
import { Request, Response } from 'express'
import { generate, generateUserNameBuf, setSecrets } from 'ltpa'
setSecrets({
'example.com': 'AAECAwQFBgcICQoLDA0ODxAREhM=',
})
router.get('/myDominoView', async (req: Request, res: Response) => {
const userNameBuf = generateUserNameBuf('CN=Sysadmin Account,O=Example Inc')
const backendToken = generate(userNameBuf, 'example.com')
const url = new URL(
'/api/data/collections/name/myDominoView',
'https://domino.example.com/',
)
const headers = { Cookie: `LtpaToken=${backendToken}` }
try {
const response = await fetch(url, { headers })
const json = await response.json()
res.json(json)
} catch (err) {
console.error(err)
res.status(500).send(err)
}
})
$ npm test
or to run it continuously, while watching for changes
$ npm run test:watch
When validating token expiration, the library will only respect its internal validity
setting, and will disregard the expiration-date setting in provided tokens. To force the library to use the actual timestamp in the token, use the setStrictExpirationValidation() method. This behaviour might change in version 2.
The module only works with usernames containing characters in the ibm850
, and ibm852
codepages (this covers most of Europe). The username in the token is encoded in an old IBM/Lotus format called LMBCS
(Lotus Multi-Byte Character Set) for which I have found no javascript implementation.
The package only supports LTPA1, and not LTPA2. WebSphere Application Server Version 5 and later supports LTPA1. WebSphere Application Server Version 7 and later supports LTPA2:
However, there is a package by Benjamin Kröger for dealing with LTPA2: