search

cypress-io / cypress

Fast, easy and reliable testing for anything that runs in a browser.
https://cypress.io
MIT License
47.07k stars 3.19k forks source link

Add support for proxies that use NTLM/Kerberos authentication #4667

Open flotwig opened 5 years ago

flotwig commented 5 years ago

Current behavior:

Users attempting to use a proxy with NTLM authentication required will encounter the following error in Cypress when performing a cy.visit through their proxy:

HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: NEGOTIATE
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="..."

Desired behavior:

Cypress reads off the required NTLM/Kerberos auth strings on Windows and automatically uses them to connect to the Internet.

Versions

Cypress 3.3.2 Windows (maybe other OSes have token stores too)

Related Issues

seixasfelipe commented 5 years ago

Hi, I've found a plugin that could help with this issue (I haven't tested it yet).

NTLM Plugin @bjowes

bjowes commented 5 years ago

The plugin I've written supports endpoints with NTLM authentication. It does support an upstream proxy, but currently it does not support proxies with NTLM authentication. I haven't received any requests to implement that so far. If it would be an acceptable solution for this issue I will take a look. How do you see it @flotwig ?

flotwig commented 5 years ago

I'd like to add NTLM proxy support directly to Cypress, but I haven't been able to find a way to generate the credentials in Node.js. All the existing implementations rely on the user providing their NTLM username and password manually, which might be how we end up having to implement this.

bjowes commented 5 years ago

Agreed, I also think NTLM support should be native to Cypress - but not only for proxies but also for sites under test. But it is a fair argument to say that NTLM proxies should be supported first, since they apply to many users behind corporate proxies, regardless of what sites they are testing.

When it comes to implementation, I solved it in the plugin by letting user specify the user/pass. But this is a different scenario since I wanted to give the user control of which user should authenticate for the test run. An alternative solution could be to compile a native dll for node (with node-gyp) which can call Win32 API methods. That way it should be possible to let the OS perform the authentication for logged in user, but it would only work on Windows.

chadi-kazan commented 4 years ago

An alternative solution could be to compile a native dll for node (with node-gyp) which can call Win32 API methods. That way it should be possible to let the OS perform the authentication for logged in user, but it would only work on Windows.

using cypress and running into the same NTLM authentication problem described here. could you please elaborate on this?

richardszanyi commented 4 years ago

We are having the same issue with cypress where the proxy requires Kerberos authentication. Afaik, there is no way to pass those authentication information.

Any status about the feature where you can configure cypress to work with Kerberos?

flotwig commented 4 years ago

@richardszanyi Currently nobody is working on this feature.

As a workaround, you can configure cntlm, then point Cypress at your local proxy by setting the HTTP_PROXY environment variable to point to your local cntlm port.

richardszanyi commented 4 years ago

Is it going to work with a corporate proxy that requires kerberos auth? My auth credentials for proxy is setup by default on the PC we use, and I have no idea how to get those credentials. Do I have to setup cntlm with those credentials to be sent towards my corporate proxy, or I just run cntlm and it automatically detects and send any traffic with the right packet and auth?

flotwig commented 4 years ago

@richardszanyi I am not overly familiar with the differences between NTLM and Kerberos, sorry.

Check out the "Configuration hints" section of the cntlm docs. It does seem like you need to know a few pieces of information about your proxy.

If you don't think cntlm will work, it looks like px does the same thing, and does explicitly support Kerberos auth, and has less to configure as well: https://github.com/genotrance/px Might be a better solution.

cypress-app-bot commented 1 year ago

This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.

andreaswilli commented 1 year ago

I'm experiencing this issue with Cypress v12.13.0 behind a corporate proxy. Accessing the internet (e.g. https://example.cypress.io/) and localhost works fine, but when I try to visit an intranet url (for Kerberos authentication) I get:

Error establishing proxy connection. Response from server was: HTTP/1.1 407 authenticationrequired
Date: Thu, 25 May 2023 11:43:25 GMT
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 3937
X-Frame-Options: deny
Proxy-Connection: Keep-Alive
Proxy-Authenticate: Negotiate
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="McAfee Web Gateway"
Proxy-Support: Session-Based-Authentication

I haven't tried https://github.com/bjowes/cypress-ntlm-auth or https://github.com/genotrance/px so maybe one of those will fix the problem for me, but anyway I wanted to keep this issue alive since it would be nice to have Cypress support this use case out of the box.