Enable support for Digest Authentication #957
Comments
Note: iOS's ChangeTracker doesn't support Digest auth, but I'm in the middle of fixing that.
Can SG support digest when it's storing passwords using bcrypt? I didn't think we had the ability to extract the password to build the MD5 hash for digest. Or is there a way around this?
That's a good point. If we were storing an MD5 or SHA digest of the password I think it would work (the server-side part of Digest auth doesn't actually require the password itself, just a digest) but not with something funky like jillions of rounds of bcrypt hashing.
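The point in the comment above, that a Digest server needs only a stored digest and never the password, is easy to see in code. The following is an added example, not code from this thread or from the Sync Gateway project: it computes the RFC 2617 HA1 value (MD5 of username:realm:password) that a server would store instead of a bcrypt hash, and verifies a client's qop=auth response using nothing but that stored HA1. The sample username, realm, password, nonce and cnonce are the ones from the RFC 2617 example exchange; function names are my own, and nonce tracking and header parsing are left out.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// md5Hex returns the lowercase hex MD5 digest of s, the H() of RFC 2617.
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// HA1 is the only per-user secret a Digest server has to keep:
// H(username ":" realm ":" password). It is computed once, when the
// password is set, and the plaintext can then be discarded.
func HA1(username, realm, password string) string {
	return md5Hex(username + ":" + realm + ":" + password)
}

// ExpectedResponse computes the "response" value a client must present for
// the qop=auth variant of RFC 2617, using only the stored HA1.
func ExpectedResponse(ha1, method, uri, nonce, nc, cnonce string) string {
	ha2 := md5Hex(method + ":" + uri)
	return md5Hex(strings.Join([]string{ha1, nonce, nc, cnonce, "auth", ha2}, ":"))
}

// VerifyDigest checks a client's response against the stored HA1 in
// constant time. Nothing here needs the password itself, which is why a
// server storing HA1 can serve Digest while one storing bcrypt hashes
// cannot: bcrypt output cannot be turned back into HA1.
func VerifyDigest(storedHA1, method, uri, nonce, nc, cnonce, clientResponse string) bool {
	want := ExpectedResponse(storedHA1, method, uri, nonce, nc, cnonce)
	return subtle.ConstantTimeCompare([]byte(want), []byte(clientResponse)) == 1
}

func main() {
	// Sample values from the RFC 2617 example exchange. The client side is
	// simulated here; a real server would also check nonce freshness.
	const realm = "testrealm@host.com"
	const method, uri = "GET", "/dir/index.html"
	nonce, nc, cnonce := "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"

	stored := HA1("Mufasa", realm, "Circle Of Life") // what the server keeps on disk

	// The client derives the same HA1 from its plaintext password and
	// builds the response; the server never sees the password.
	clientResp := ExpectedResponse(HA1("Mufasa", realm, "Circle Of Life"), method, uri, nonce, nc, cnonce)

	fmt.Println("stored HA1:", stored)
	fmt.Println("valid response accepted:", VerifyDigest(stored, method, uri, nonce, nc, cnonce, clientResp))
	fmt.Println("wrong password rejected:", !VerifyDigest(HA1("Mufasa", realm, "wrong"), method, uri, nonce, nc, cnonce, clientResp))
}
```

The trade-off the thread is circling is visible in `HA1`: the stored value is an unsalted, fast MD5 of the credentials, so a leaked credential store is far cheaper to attack than a bcrypt one, and the HA1 itself is a password-equivalent for that realm. Storing both (bcrypt for Basic-over-TLS, HA1 only for users who need Digest) is one way to keep that exposure opt-in.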
From section 4.13 of the RFC:
I think we should add a property like
Closing this ticket, as JWT would be the preferred alternative to basic auth in non-SSL scenarios. |
We really shouldn't allow clients to authenticate using Basic auth over a non-SSL connection, since it leaks the user's credentials. (If this weren't so common, it would be considered a horrible security vulnerability.)
We do probably still need to support some sort of username/password auth for non-SSL, which means Digest auth (I don't know of any comparable alternatives.) Go's HTTP package doesn't support it, but there is a go-http-auth package that does and seems to be pretty easy to adopt.