Digest Auth doesn't work properly #89

Closed
Olli opened this Issue Aug 6, 2013 · 2 comments


Olli commented Aug 6, 2013

The normal way is: the client asks the server, the server responds, the client does some crypto things and responds to the server.

If I use digest auth, the first thing is that the client sends a www-authenticate header without getting the server response before.
This ends in a 400.
I'm trying to use ActiveResource in conjunction with the shopware REST API.
I think the problem lies somewhere in connection.rb/authorization_header.
Instead of if auth_type == :digest it should maybe be if auth_type == :digest && @response_auth_header.
But it doesn't work properly ... I got a 400 too.

Hi Olli,

just in case someone stumbles upon this:
I needed to access the SW API too and had no luck with activeresource-3.2.13.
I placed this in an initializer:

require 'active_resource'
require 'digest/md5'

module ActiveResource
  class Connection

    # made retried an instance variable, so authorization_header below can see
    # whether the server has already challenged us
    def with_auth
      @retried ||= false
      yield
    rescue UnauthorizedAccess => e
      raise if @retried || auth_type != :digest
      @response_auth_header = e.response['WWW-Authenticate']
      @retried = true
      retry
    end

    # to use it in here: no Authorization header until we have a challenge,
    # otherwise the first request already carries a Digest header without a
    # nonce and the server answers 400
    def authorization_header(http_method, uri)
      if @user || @password
        if auth_type == :digest
          @retried ? { 'Authorization' => digest_auth_header(http_method, uri) } : {}
        else
          { 'Authorization' => 'Basic ' + ["#{@user}:#{@password}"].pack('m').delete("\r\n") }
        end
      else
        {}
      end
    end

    # set the nonce count to an 8-digit hex value ("00000001", ...) instead of "0";
    # it is incremented per request because @retried keeps the same server nonce
    # in use across requests, and a server that tracks nc rejects a repeated value
    def digest_auth_header(http_method, uri)
      params = extract_params_from_response

      request_uri = uri.path.dup          # dup: don't append the query to uri.path itself
      request_uri << "?#{uri.query}" if uri.query

      @nonce_count = (@nonce_count || 0) + 1
      params.merge!('cnonce' => client_nonce, 'nc' => format('%08x', @nonce_count), 'uri' => request_uri)

      ha1 = Digest::MD5.hexdigest("#{@user}:#{params['realm']}:#{@password}")
      ha2 = Digest::MD5.hexdigest("#{http_method.to_s.upcase}:#{request_uri}")
      request_digest = Digest::MD5.hexdigest([ha1, params['nonce'], params['nc'], params['cnonce'], params['qop'], ha2].join(":"))
      "Digest #{auth_attributes_for(request_digest, params)}"
    end

    # uri= must be exactly the string hashed into HA2 (path plus query), not uri.path
    # alone, or the server computes a different response; nc and qop are sent
    # unquoted as RFC 2617 specifies
    def auth_attributes_for(request_digest, params)
      [
        %Q(username="#{@user}"),
        %Q(realm="#{params['realm']}"),
        %Q(qop=#{params['qop']}),
        %Q(uri="#{params['uri']}"),
        %Q(nonce="#{params['nonce']}"),
        %Q(nc=#{params['nc']}),
        %Q(cnonce="#{params['cnonce']}"),
        %Q(opaque="#{params['opaque']}"),
        %Q(response="#{request_digest}")].join(", ")
    end

  end
end
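
The challenge/response order Olli describes and the nc format the patch above changes, as an added example that is not part of this issue, of ActiveResource or of Shopware: a self-contained Ruby simulation of an RFC 2617 Digest exchange (qop=auth) with a toy client and a toy server in one process, so the order of messages and the server-side checks can be run offline. The module, class and method names, the realm, and the toy server's choice to answer 400 for a Digest header that names a nonce it never issued or carries an nc that is not eight hex digits (matching what Olli reports, but an assumption here) are all invented for the demo.

```ruby
require 'digest/md5'
require 'securerandom'

# Added example, not ActiveResource or Shopware code: an in-process RFC 2617
# Digest exchange (qop="auth"). Names, realm and the toy server's 400/401
# replies are assumptions made for this demo.
module DigestDemo
  REALM = 'demo-api'.freeze

  def self.md5(s)
    Digest::MD5.hexdigest(s)
  end

  # Parse 'Digest k="v", k2=v2, ...' into a Hash; nil if it is not a Digest header.
  def self.parse(header)
    return nil unless header.is_a?(String) && header.start_with?('Digest ')
    params = {}
    header.sub('Digest ', '').scan(/(\w+)=(?:"([^"]*)"|([^,\s]*))/) { |k, q, u| params[k] = q || u }
    params
  end

  # response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA1 = MD5(user:realm:pw), HA2 = MD5(METHOD:uri)
  def self.response(user, password, method, uri, params, nc, cnonce)
    ha1 = md5("#{user}:#{params['realm']}:#{password}")
    ha2 = md5("#{method.to_s.upcase}:#{uri}")
    md5([ha1, params['nonce'], nc, cnonce, params['qop'], ha2].join(':'))
  end

  # Constant-time comparison so the server does not leak digest prefixes via timing.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  class Server
    def initialize(users)          # { username => password }
      @users = users
      @nonces = {}                 # nonce we issued => highest nc accepted so far
    end

    # Returns [status, body]; on 401 the body is the WWW-Authenticate value.
    def handle(method, uri, authorization)
      return [401, challenge] if authorization.nil?           # no credentials yet: challenge first
      p = DigestDemo.parse(authorization)
      # Unsolicited or malformed header (nonce never issued, nc not 8 hex digits)
      # is answered with 400 in this demo, the status the issue reports seeing.
      return [400, 'bad request'] unless p && @nonces.key?(p['nonce']) && p['nc'].to_s.match?(/\A[0-9a-f]{8}\z/)
      password = @users[p['username']]
      return [401, challenge] unless password && p['uri'] == uri
      expected = DigestDemo.response(p['username'], password, method, uri, p, p['nc'], p['cnonce'])
      nc = p['nc'].to_i(16)
      return [401, challenge] unless DigestDemo.secure_compare(expected, p['response']) && nc > @nonces[p['nonce']]
      @nonces[p['nonce']] = nc     # nc must strictly increase, so a replayed header fails
      [200, "hello #{p['username']}"]
    end

    def challenge
      nonce = SecureRandom.hex(16)
      @nonces[nonce] = 0
      %Q(Digest realm="#{REALM}", qop="auth", nonce="#{nonce}", opaque="#{SecureRandom.hex(8)}")
    end
  end

  class Client
    def initialize(user, password)
      @user, @password = user, password
      @challenge = nil
      @nc = 0
    end

    # Send nothing until the server has challenged us; on the first 401 store
    # the challenge and retry once (the order the issue calls the normal way).
    def request(server, method, uri)
      status, body = server.handle(method, uri, authorization_header(method, uri))
      if status == 401 && @challenge.nil?
        @challenge = DigestDemo.parse(body)
        status, body = server.handle(method, uri, authorization_header(method, uri))
      end
      [status, body]
    end

    def authorization_header(method, uri)
      return nil unless @challenge
      @nc += 1
      nc = format('%08x', @nc)      # eight hex digits, never "0"
      cnonce = SecureRandom.hex(8)
      resp = DigestDemo.response(@user, @password, method, uri, @challenge, nc, cnonce)
      %Q(Digest username="#{@user}", realm="#{@challenge['realm']}", nonce="#{@challenge['nonce']}", ) +
        %Q(uri="#{uri}", qop=auth, nc=#{nc}, cnonce="#{cnonce}", response="#{resp}", opaque="#{@challenge['opaque']}")
    end
  end
end
```

Run a request through DigestDemo::Client#request against a DigestDemo::Server: the first call carries no Authorization and gets the challenge, the retry succeeds, and later calls reuse the nonce with an increasing nc. Handing the server a header it never solicited, or one with nc="0", is rejected with 400, and re-sending an already accepted header gets 401 because the nonce count did not increase.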

rails-bot bot added the stale label May 5, 2017

rails-bot bot commented May 5, 2017

This issue has been automatically marked as stale because it has not been commented on for at least three months.
The resources of the Rails team are limited, and so we are asking for your help.

If it is an issue and you can still reproduce this error on the master branch,
please reply with all of the information you have about it in order to keep the issue open.

If it is a pull request and you are still interested on having it merged please make sure it can be merged clearly.

Thank you for all your contributions.

rafaelfranca (Owner) commented May 5, 2017

This issue has been automatically marked as stale because it has not been commented on for at least three months.

The resources of the Rails team are limited, and so we are asking for your help.

If it is an issue and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.

If it is a pull request and you are still interested on having it merged please make sure it can be merged clearly.

Thank you for all your contributions.

rails-bot bot closed this May 13, 2017
