
Ensure HTTP Digest auth uses appropriate HTTP method [#2490 state:resolved] [Steve Madsen]
commit 195fadbfd31294d43634afb7bbf4f0ffc86b470a 1 parent 28f5cfe
Pratik authored May 18, 2009
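--- a/actionpack/lib/action_controller/base/http_authentication.rb
+++ b/actionpack/lib/action_controller/base/http_authentication.rb
@@ -194,9 +194,10 @@ def validate_digest_response(request, realm, &password_procedure)
 
         if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
           password = password_procedure.call(credentials[:username])
+          method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
 
          [true, false].any? do |password_is_ha1|
-           expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
+           expected = expected_response(method, request.env['REQUEST_URI'], credentials, password, password_is_ha1)
            expected == credentials[:response]
          end
         end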
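Review bot: The new `method` assignment reads the `rack.methodoverride.original_method` env key directly without saying why, which couples the digest check to an internal key of Rack::MethodOverride; a why-comment would help the next maintainer: `# The client computes its digest over the method it actually sent; when Rack::MethodOverride has rewritten REQUEST_METHOD from a _method parameter, verify against the original method.` The fallback to `REQUEST_METHOD` keeps behaviour unchanged when that middleware is not in the stack. Worth noting in the same comment that the digest response now verifies against the wire method only, so a valid digest does not attest the overridden `_method` value (that parameter travels in the request body, which a qop=auth digest presumably does not cover); authorization logic should not treat the digest as binding the effective method. validate_digest_response begins before this hunk.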
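--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -149,6 +149,16 @@ def authenticate_with_request
     assert_equal 'Definitely Maybe', @response.body
   end
 
+  test "authentication request with _method" do
+    @request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'please', :method => :post)
+    @request.env['rack.methodoverride.original_method'] = 'POST'
+    put :display
+
+    assert_response :success
+    assert assigns(:logged_in)
+    assert_equal 'Definitely Maybe', @response.body
+  end
+
   private
 
   def encode_credentials(options)
@@ -159,15 +169,22 @@ def encode_credentials(options)
     # to prevent tampering of timestamp
     ActionController::Base.session_options[:secret] = "session_options_secret"
 
-    # Perform unauthenticated GET to retrieve digest parameters to use on subsequent request
-    get :index
+    # Perform unauthenticated request to retrieve digest parameters to use on subsequent request
+    method = options.delete(:method) || 'GET'
+
+    case method.to_s.upcase
+    when 'GET'
+      get :index
+    when 'POST'
+      post :index
+    end
 
     assert_response :unauthorized
 
     credentials = decode_credentials(@response.headers['WWW-Authenticate'])
     credentials.merge!(options)
     credentials.reverse_merge!(:uri => "#{@request.env['REQUEST_URI']}")
-    ActionController::HttpAuthentication::Digest.encode_credentials("GET", credentials, password, options[:password_is_ha1])
+    ActionController::HttpAuthentication::Digest.encode_credentials(method, credentials, password, options[:password_is_ha1])
   end
 
   def decode_credentials(header)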
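Review bot: The `case method.to_s.upcase` added to encode_credentials falls through silently for any method other than GET or POST, so a test passing e.g. `:method => :put` would get a confusing failure at the following `assert_response :unauthorized` rather than at the cause; add `else raise ArgumentError, "unsupported method: #{method}"`, or drop the case in favour of `send(method.to_s.downcase, :index)`. Separately, `method` is whatever the caller passed (a Symbol `:post` in the new test) whereas the old call handed `Digest.encode_credentials` the String `"GET"`; unless that method normalizes its argument itself (not visible here), normalizing once with `method = (options.delete(:method) || 'GET').to_s.upcase` would keep the argument type unchanged and reuse the same value in the case. The new test sets `rack.methodoverride.original_method` by hand, so it exercises the lookup rather than the middleware itself; a one-line comment saying so would spare the reader from wondering why the key is seeded manually.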
