Support for Custom HTTP Headers / Mixed Mode Authentication #32

Closed
sg-chrishasz opened this issue Nov 7, 2017 · 4 comments

@sg-chrishasz

Hello @s-KaiNet!

First: Thank you for authoring spsave! I am using this library as part of my VSCode addon: SPGo (https://github.com/readysitego/spgo) and it has saved me hours of work.

A number of my users support SharePoint environments where mixed mode authentication is used, but are unable to authenticate using NTLM credentials due to the requirement that the "X-FORMS_BASED_AUTH_ACCEPTED" header be present, with a value of "f" (this configuration forces SharePoint to use NTLM auth).

Can you extend the spsave() function to also optionally accept a set of headers to include in all http/s calls to the SharePoint server?

Thanks!
Chris

@koltyakov

koltyakov commented Nov 7, 2017

Just linking these issues together koltyakov/sppull#20

@s-KaiNet
Owner

s-KaiNet commented Nov 7, 2017

Hi Chris, thank you,

To be honest, I don't want to add any additional http-related settings to spsave, because from my POV it violates some design principles. spsave knows nothing about the underlying authentication strategy or the details of its implementation. By providing this header via spsave we are trying to control the underlying authentication mechanism from the spsave side, which is not good, I think.
Another issue with this approach concerns all the other libraries which use sp-request, sppull for example. It means that every library derived from sp-request should be modified, and that's also not very good in my opinion.

However I need to provide a way for you to configure underlying sp-request with additional "switch" - X-FORMS_BASED_AUTH_ACCEPTED to change authentication path to be NTLM-based instead of form based.

So my proposal to fix your issue is to use nodejs process environment variables.
For example, I will add a piece of code in sp-request which additionally looks for headers in process.env.
Pseudocode:

```js
var additionalHeaders = process.env['_sp_request_headers'];
if (additionalHeaders) {
  // The environment variable holds a JSON string, so parse it before merging
  requestHeaders = merge(requestHeaders, JSON.parse(additionalHeaders));
}
// performs actual request here
```

In your VS Code add-in, you need to add the line below before using sp-request:

```js
process.env['_sp_request_headers'] = JSON.stringify({
  'X-FORMS_BASED_AUTH_ACCEPTED': 'f'
});
```

This approach also solves sppull issue. What do you guys think about proposed approach?

Some notes regarding basic authentication. Currently node-sp-auth (and therefore sp-request) doesn't support basic auth because it has the lowest level of security. However, if you would like, I can add basic auth as well (hopefully the implementation is pretty straightforward).

@koltyakov

> So my proposal to fix your issue is using nodejs process environment variables

In my opinion, it's a bright idea!

I also can add merging these custom headers in the part of SPPull, which doesn't use sp-request (there is one case with downloading large files as a stream).

@s-KaiNet
Owner

s-KaiNet commented Nov 7, 2017

So I've updated sp-request; 2.1.2 is the latest. When updating, please make sure that you have 2.1.2 in your node_modules.
In order to provide additional headers for sp-request, you need to add the code below:

```js
process.env['_sp_request_headers'] = JSON.stringify({
  'X-FORMS_BASED_AUTH_ACCEPTED': 'f'
});
```
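
A defensive way to consume the `_sp_request_headers` variable described in this thread, shown as an added example that is not sp-request's own code: because the variable is process-wide, the loader validates the JSON, rejects header names or values that could split a request, and refuses to override reserved headers. The function names and the reserved-header list are assumptions made for this illustration.

```javascript
// Added example: hypothetical helpers, not part of sp-request.
const ENV_KEY = '_sp_request_headers';            // variable name from the thread
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 7230 header field-name
const BAD_VALUE = /[\r\n\0]/;                     // would allow header splitting
// Assumption: headers that must never be overridden from the environment.
const RESERVED = new Set(['authorization', 'cookie', 'host', 'content-length']);

// Parse and validate the JSON object of extra headers; throws on any bad entry.
function loadEnvHeaders(env = process.env) {
  const raw = env[ENV_KEY];
  if (!raw) return {};
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    throw new Error(`${ENV_KEY} is not valid JSON`);
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error(`${ENV_KEY} must be a JSON object`);
  }
  const out = {};
  for (const [name, value] of Object.entries(parsed)) {
    if (!TOKEN.test(name)) throw new Error(`invalid header name: ${JSON.stringify(name)}`);
    if (RESERVED.has(name.toLowerCase())) throw new Error(`reserved header: ${name}`);
    if (typeof value !== 'string' || BAD_VALUE.test(value)) {
      throw new Error(`invalid value for header ${name}`);
    }
    out[name] = value;
  }
  return out;
}

// Case-insensitive merge: an environment header replaces a same-named base header.
function mergeHeaders(base, extra) {
  const merged = { ...base };
  for (const [name, value] of Object.entries(extra)) {
    for (const existing of Object.keys(merged)) {
      if (existing.toLowerCase() === name.toLowerCase()) delete merged[existing];
    }
    merged[name] = value;
  }
  return merged;
}

// Constructed sample input, mirroring the snippet in the thread.
const sampleEnv = { [ENV_KEY]: JSON.stringify({ 'X-FORMS_BASED_AUTH_ACCEPTED': 'f' }) };
const sampleHeaders = mergeHeaders({ Accept: 'application/json' }, loadEnvHeaders(sampleEnv));
```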
