{"id":16391,"library":"httpntlm","title":"HTTP NTLM Authentication for Node.js","description":"httpntlm is a Node.js library designed to facilitate HTTP NTLM authentication, a protocol used in Windows environments. It is a direct port of the Python `python-ntlm` library and notably includes support for NTLMv2, which handles extended security and target information negotiations. The current stable version is 1.8.13, and while it's a mature library with over a decade of history, its release cadence appears infrequent, with the last significant README update in March 2023. Key differentiators include its focused implementation of NTLM for Node.js, offering both a high-level API for common use cases (GET, POST, etc.) and granular access to NTLM message creation and parsing for advanced scenarios. It supports both HTTP and HTTPS connections, and allows for pre-encrypting passwords for enhanced security. The library relies on other modules like `httpreq`, `async`, and `agentkeepalive` for its underlying HTTP requests and flow control.","status":"maintenance","version":"1.8.13","language":"javascript","source_language":"en","source_url":"git://github.com/SamDecrock/node-http-ntlm","tags":["javascript"],"install":[{"cmd":"npm install httpntlm","lang":"bash","label":"npm"},{"cmd":"yarn add httpntlm","lang":"bash","label":"yarn"},{"cmd":"pnpm add httpntlm","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Used internally for making HTTP requests; exposes its options to httpntlm's API.","package":"httpreq","optional":false},{"reason":"Utilized in advanced usage patterns for flow control, particularly when manually handling NTLM steps.","package":"async","optional":true},{"reason":"Provides an `HttpsAgent` for connection pooling, improving performance for multiple requests.","package":"agentkeepalive","optional":true}],"imports":[{"note":"This package is primarily CommonJS. Direct `import` syntax will likely result in an error in pure ESM environments without specific Node.js configuration or bundler setup.","wrong":"import httpntlm from 'httpntlm';","symbol":"httpntlm","correct":"const httpntlm = require('httpntlm');"},{"note":"The primary method for performing NTLM-authenticated GET requests. Similar methods (post, put, del) are also available.","symbol":"httpntlm.get","correct":"const httpntlm = require('httpntlm');\nhttpntlm.get({ /* options */ }, callback);"},{"note":"Provides access to the raw NTLM message creation and parsing functions (e.g., `createType1Message`, `parseType2Message`, `create_LM_hashed_password`), intended for advanced scenarios where manual control over the NTLM handshake is required.","wrong":"import { ntlm } from 'httpntlm';","symbol":"httpntlm.ntlm","correct":"const { ntlm } = require('httpntlm');\n// or\nconst ntlm = require('httpntlm').ntlm;"}],"quickstart":{"code":"const httpntlm = require('httpntlm');\n\nhttpntlm.get({\n  url: \"https://someurl.com\", // Replace with your NTLM-protected URL\n  username: process.env.NTLM_USERNAME ?? '',\n  password: process.env.NTLM_PASSWORD ?? '',\n  workstation: process.env.NTLM_WORKSTATION ?? 'local_workstation',\n  domain: process.env.NTLM_DOMAIN ?? ''\n}, function (err, res){\n  if(err) {\n    console.error(\"NTLM GET request failed:\", err.message); // Log the error message\n    return;\n  }\n\n  console.log(\"Status Code:\", res.statusCode);\n  console.log(\"Response Headers:\", res.headers);\n  console.log(\"Response Body (truncated):\");\n  console.log(res.body ? res.body.substring(0, 500) + '...' : '[No Body]'); // Truncate body for readability\n});","lang":"javascript","description":"Demonstrates how to perform a basic NTLM-authenticated GET request using the library's high-level API, including error handling and using environment variables for sensitive credentials."},"warnings":[{"fix":"Ensure the target server supports NTLMv2. If NTLMv1 is strictly required, manual NTLM message handling via `httpntlm.ntlm` might be necessary, or consider alternative libraries that allow explicit NTLM version specification.","message":"The library explicitly states that it assumes the server supports NTLMv2 and creates responses accordingly. If the server only supports NTLMv1 and does not negotiate NTLMv2 extended security, this assumption might lead to authentication failures or unexpected behavior.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Exercise caution when using in modern Node.js environments. Monitor for compatibility issues and consider alternative, actively maintained NTLM solutions if stability becomes a concern.","message":"The package's specified Node.js engine requirement is `>=10.4.0`, a very old version of Node.js. While the library might function on newer Node.js versions, official support and compatibility testing beyond Node.js 10 may be limited, potentially leading to unforeseen issues.","severity":"deprecated","affected_versions":"<=1.8.13"},{"fix":"For ESM projects, use dynamic `await import('httpntlm')` or ensure your build process correctly transpiles or bundles CJS dependencies. Alternatively, switch your project to CommonJS if `httpntlm` is a critical dependency and ESM is not strictly required.","message":"The package is primarily CommonJS (CJS). Attempting to `import` it directly in a pure ECMAScript Module (ESM) Node.js project (e.g., with `\"type\": \"module\"` in `package.json`) will result in a `TypeError: require is not a function` or similar module resolution errors.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Regularly scan your project's dependencies using tools like Snyk, npm audit, or yarn audit to identify and mitigate any transitive vulnerabilities introduced by `httpntlm` or its components. Update dependencies as recommended.","message":"The Snyk security scan badge in the README indicates 'Known Vulnerabilities'. While the Snyk Vulnerability Database currently shows no *direct* vulnerabilities for `httpntlm` itself, it's crucial to check its *dependencies* for vulnerabilities which may be indirectly introduced.","severity":"gotcha","affected_versions":"*"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Verify the URL, username, password, workstation, and domain are correct. Ensure the server endpoint is indeed NTLM-protected and configured correctly. Debug the initial Type 1 message sent to confirm it's well-formed.","cause":"During the NTLM handshake, the server must respond with a `WWW-Authenticate` header containing the Type 2 challenge message. This error indicates the server did not provide the expected challenge, likely due to an invalid initial Type 1 message or incorrect server configuration.","error":"www-authenticate not found on response of second request"},{"fix":"Double-check all authentication parameters for typos or incorrect values. Ensure the user account has access to the resource. If pre-encrypting passwords, verify the `lm_password` and `nt_password` buffers are generated correctly from the plaintext password. Consider setting `domain` to an empty string if unsure.","cause":"This is a generic authentication failure, usually stemming from incorrect `username`, `password`, `workstation`, or `domain` parameters. It can also occur if the NTLM hashes generated are incorrect.","error":"NTLM authentication failed: Invalid credentials"},{"fix":"If your project is ESM, either switch to dynamic `await import('httpntlm')` (if supported and appropriate for your use case) or configure your build system to handle CommonJS modules. If possible, consider setting `\"type\": \"commonjs\"` in your `package.json` or changing file extensions to `.cjs` for files that use `require()`.","cause":"This error occurs when attempting to use `require()` syntax in an ECMAScript Module (ESM) context. The `httpntlm` library is designed for CommonJS.","error":"TypeError: require is not a function"}],"ecosystem":"npm"}