Get same user from different user login #92

Open
nhduong29 opened this issue Feb 17, 2021 · 1 comment

nhduong29 commented Feb 17, 2021

Hi @abbr,

I faced a weird issue.
My colleague and I access the API (/test/login) at the same time (really fast), then I can get his username instead of my username.
This is my implementation:

```js
const express = require('express')
const app = express()

// Run SSPI authentication only for the login route
app.use(function(req, res, next) {
    if (req.originalUrl === '/test/login') {
        var nodeSSPI = require('node-sspi')
        var nodeSSPIObj = new nodeSSPI({
                retrieveGroups: true
            })
        nodeSSPIObj.authenticate(req, res, function(err) {
            res.finished || next()
        })
    } else {
        next()
    }
})

// Read the authenticated user (DOMAIN\name) from the connection and redirect
app.get('/test/login', (req, res) => {
    if (req.connection.user.trim() && (req.connection.user.split("\\")[1].trim())) {
        const username = req.connection.user.split("\\")[1].trim() // =====> We will get the same user name here
        res.redirect(`${process.env.LOGIN_REDIRECT}?username=${username}`);
    } else {
        res.redirect(process.env.LOGIN_REDIRECT);
    }
})
```

Did I miss something in the configuration?

@TheBryanMac

I can confirm this same issue. We set up a basic nodeSSPIObj.authenticate as middleware on a single route as an extra test. We disabled retrieveGroups just in case, but the issue is easy to replicate now.

If two users hit the endpoint and are challenged, we return the username in the response to all users. All near-concurrent responses get the same username returned.
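
The symptom reported in this thread, modelled as an added example that is not part of the issue and is not node-sspi's code: a two-leg (challenge, then response) authenticator whose pending identity lives in one shared slot, next to one that keys it by connection, plus a regression check that flags identity cross-talk. `SharedSlotAuth`, `PerConnectionAuth`, `runInterleaved` and `findCrosstalk` are hypothetical names, the client list is constructed, and the shared-slot design is an assumption for illustration, since the thread does not establish the root cause in node-sspi.

```javascript
// Hypothetical stand-ins for a two-leg authenticator; NOT node-sspi's code.
class SharedSlotAuth {
  constructor() { this.pending = null; }           // one slot for every connection
  challenge(conn, presentedUser) { this.pending = presentedUser; }
  complete(conn) { conn.user = this.pending; }     // reads whoever wrote last
}

class PerConnectionAuth {
  constructor() { this.pending = new WeakMap(); }  // handshake state keyed by connection
  challenge(conn, presentedUser) { this.pending.set(conn, presentedUser); }
  complete(conn) {
    conn.user = this.pending.get(conn);
    this.pending.delete(conn);
  }
}

// Run the handshakes with their legs interleaved, the way near-concurrent
// requests interleave on a single event loop: leg 1 for all, then leg 2 for all.
function runInterleaved(auth, clients) {
  const conns = clients.map((c) => ({ id: c.id, expected: c.user, user: undefined }));
  conns.forEach((conn) => auth.challenge(conn, conn.expected));
  conns.forEach((conn) => auth.complete(conn));
  return conns;
}

// Regression check: each connection must resolve to the identity it presented.
function findCrosstalk(conns) {
  return conns
    .filter((c) => c.user !== c.expected)
    .map((c) => ({ id: c.id, expected: c.expected, got: c.user }));
}

// Constructed sample clients.
const clients = [
  { id: 1, user: 'CORP\\alice' },
  { id: 2, user: 'CORP\\bob' },
];

const shared = findCrosstalk(runInterleaved(new SharedSlotAuth(), clients));
const isolated = findCrosstalk(runInterleaved(new PerConnectionAuth(), clients));
console.log('shared slot:', shared);
console.log('per connection:', isolated);
```

The same `findCrosstalk` comparison works as the assertion in a concurrency test against a real endpoint, provided each test client knows which account it authenticated as.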
