Minimum viable NTLM auth implementation

Added env variable "VITE_NTLM_AUTH", if true, login page will attempt NTLM auth challenge instead of showing login page. If challenge is successful and an authenticate message is received, it will check for the existence of the user using the provided mail attribute, and create an account with a random, complex password, and then authenticate as the user.
2025-11-20 03:31:03 +10:00 · 2024-09-16 08:32:33 +10:00
parent 9d0331d04f
commit 6ad469a115
9 changed files with 138 additions and 25 deletions
--- a/apps/server/src/integrations/ntlm/ntlm.service.ts
+++ b/apps/server/src/integrations/ntlm/ntlm.service.ts
@ -1,10 +1,19 @@
-import { Inject, Injectable } from '@nestjs/common';
+import { Inject, Injectable, UnauthorizedException } from '@nestjs/common';
 import { EnvironmentService } from '../environment/environment.service';
 import * as ldap from 'ldapjs';
+import { UserRepo } from '@docmost/db/repos/user/user.repo';
+import { TokensDto } from 'src/core/auth/dto/tokens.dto';
+import { TokenService } from 'src/core/auth/services/token.service';
+import { AuthService } from 'src/core/auth/services/auth.service';

@Injectable()
 export class NTLMService {
-  constructor(private readonly environmentService: EnvironmentService) {}
+  constructor(
+    private readonly environmentService: EnvironmentService,
+    private authService: AuthService,
+    private tokenService: TokenService,
+    private userRepo: UserRepo,
+  ) {}

  createClient = (domain: string) =>
    ldap.createClient({
@ -62,4 +71,40 @@ export class NTLMService {
      });
    });
  };
+
+  async login(name: string, email: string, workspaceId: string) {
+    const user = await this.userRepo.findByEmail(email, workspaceId, false);
+
+    if (!user) {
+      const tokensR = await this.authService.register(
+        {
+          name,
+          email,
+          password: this.generateRandomPassword(12),
+        },
+        workspaceId,
+      );
+
+      return tokensR;
+    }
+
+    user.lastLoginAt = new Date();
+    await this.userRepo.updateLastLogin(user.id, workspaceId);
+
+    const tokens: TokensDto = await this.tokenService.generateTokens(user);
+    return { tokens };
+  }
+
+  generateRandomPassword(length: number): string {
+    const characters =
+      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+[]{}|;:,.<>?';
+    let password = '';
+
+    for (let i = 0; i < length; i++) {
+      const randomIndex = Math.floor(Math.random() * characters.length);
+      password += characters[randomIndex];
+    }
+
+    return password;
+  }
 }