ltpa
A small library for generating and validating ltpa tokens. Based on the IBM specification.
Who is this for?
For developers integrating Node.js applications with the world of IBM Domino and/or Websphere.
Retrieving the server secret
In IBM Domino, the server secret can be found in the
names.nsf database,
($WebSSOConfigs) view,
LTPA_DominoSecret field.
Getting the module
$ npm install ltpaor clone it from github:
$ git clone https://github.com/markusberg/ltpa.gitAPI
This is the full API, but normally you'll only use a few of these methods. See examples below.
setSecrets(secrets: Secrets): Add your server secrets to the library, for later use in validation and signing of tokensrefresh(token: string, domain: string): Validate provided token, and return a fresh tokengenerateUserNameBuf(userName: string): Generate a userName Buffer. Currently hardcoded to CP-850, but the true char encoding is LMBCSgenerate(userNameBuf: Buffer, domain: string): Generate a Base64-encoded Ltpa tokensetValidity(seconds: number): Set how long a generated token is valid. Default is 5400 seconds (90 minutes).setStrictExpirationValidation(strict: boolean): If set to true, token expiration validation will check the actual validation timestamp in the token instead of the calculated expiration. See the "Known Issues" section below.setGracePeriod(seconds: number): Set the amount of time outside a ticket's validity that we will still accept it. This time is also added to the validity of tokens that are generated. Default is 300 seconds (5 minutes).
NOTE: since the grace period is added both on token generation, and during validation, the actual grace period is double what is set here.getUserName(token: string): Retrieve the username as astringfrom the provided token. No validation of the token is performedgetUserNameBuf(token: string): Retrieve the username as aBufferfrom the provided token. No validation of the token is performedvalidate(token: string, domain: string): Validate provided token. Throws an error if validation fails
Example 1
These examples are for Express, but the functionality should be easy to adapt to Koa or other frameworks.
Add the dependency and create a simple middleware:
let ltpa = ltpa /*** * Express Middleware * Authenticate user by verifying the provided LtpaToken cookie */ { try let ltpaToken = ltpa let newCookie = "LtpaToken=" + ltpaToken + "; Path=/; Domain=" + "example.com" res catch err console resstatus401 } /*** * Express route */routerExample 2
If you need to access a backend Domino database using a specific user account,
you can generate an LtpaToken for that account using the generate method:
let ltpa = let rp = ltpa routerTests
$ npm testor to run it continuously, while watching for changes
$ npm run test:watchKnown issues
Token validity
When validating token expiration, the library will only respect its internal validity setting, and will disregard the expiration-date setting in provided tokens. To force the library to use the actual timestamp in the token, use the setStrictExpirationValidation() method. This behaviour might change in version 2.
Character set
The module only works with usernames containing characters in the ibm850 codepage (basically Latin-1). The username in the token should be encoded in an IBM proprietary format called LMBCS (Lotus Multi-Byte Character Set) for which I have found no javascript implementation. However, LMBCS is backwards compatible with ibm850 for all characters in that codepage so if your usernames don't contain characters outside of ibm850, then you're good to go.
LTPA1 only
The package only supports LTPA1, and not LTPA2. WebSphere Application Server Version 5 and later supports LTPA1. WebSphere Application Server Version 7 and later supports LTPA2:
However, there is a package by Benjamin Kröger for dealing with LTPA2: