-
-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Digest Auth will auth regardless of status code #3772
Comments
Are we sure that tightening this check is what we want to do? It looks like RFC 7235 suggests that it's acceptable to send a WWW-Authenticate challenge with a non-401 status code. I'm not sure
|
@nateprewitt So we have two role models to look at here:
Frankly, I'm not sold on restricting this to 401s only, but I do think we should restrict it to 4xx codes. Having these headers sent back on a 30x, for example, could lead to interesting behaviour. On the one hand, we have to answer the challenge, right? On the other we're being redirected, potentially to a totally different domain. I think the only right answer in non 4xx cases is to not authenticate. Unfortunately, we will answer any challenge we receive at the moment and that's problematic. |
Also @nateprewitt, please let someone else pick this up. |
Yeah, I was planning on leaving it on the stack. I just did work on testing this functionality last week which is why I felt the need to comment. I just implemented tests confirming that we won't send Authorization on a 3xx request unless challenged after the redirect, so I don't think that's an issue we need to worry about. I don't think that restricting this to the 4XX range is unreasonable but I do think the RFC is pretty permissive. I'm just trying to provide information that I couldn't find in the IRC messages that seems relevant. Hopefully helping avoid similar problems that we just had with tightening basic auth. The Authorization definition also seems to leave this pretty open.
|
Correct, which is why we send Basic Authentication headers on the first request. We can't do that with Digest-Auth because we need to respond to a Challenge. |
You could also send |
Sorry, I should have clarified further on Authorization. I agree we shouldn't be sending Digest Authorization without an appropriate challenge first. What I'm saying is that the section quoted above seems to also support that responding to an appropriate challenge in a non-401 response is permissible which is what we what we currently do. The scoping here is obviously in the hands of you and @Lukasa, I just wanted to make sure we didn't completely constrict that to 401 hastily as the original post noted. |
We also literally can't.
I appreciate that :) I think @Lukasa is starting to feel more and more (as I do) that we should be very strict in our interpretation of specifications. That said, (as you point out) the spec is lenient, so my position is that we should be strict in the spirit of the specification. I can't see any reason why someone would challenge with a 200 response, so it should be safe to restrict it to 4xx responses. |
So, let's consider this a 3.0.0 issue instead. Clearly there is no problem with Requests' current behaviour: we're well within specification, and we have nothing to worry about with that, but I do think we should restrict ourselves to 4xx responses in the future. |
Hey @Lukasa will work on this issue |
Discovered on IRC.
The digest auth handler in Requests' codebase doesn't ever actually check that it is responding to a 401: it just looks for an Authorization header. That's pretty dumb, so we should add a check to only actually do the execution for 401s.
This is a contributor friendly change.
The text was updated successfully, but these errors were encountered: