This is a copy of a note I sent a month back to the rails-core mailing list; no response there, but perhaps this is the best place for it anyway. I'll take a look at patching this myself and try sending that in too...
From RFC 2617 - http://tools.ietf.org/html/rfc2617 - which specifies Digest Authentication, the section discussing the "digest-uri" element states:
The URI from Request-URI of the Request-Line; duplicated here because proxies are allowed to change the Request-Line in
and the detailed discussion on calculation of the digest value specifically says:
"where "digest-uri-value" is the value of the "uri" directive on the Authorization header in the request."
That is, the "digest-uri" provided in the Authorization header is what should be used in calculating the digest for authentication purposes, not the request URI - because that string may change between the client and the ultimate server responding to the request.
However, it looks like this has been implemented incorrectly in Rails ActionController::HttpAuthentication for some time - for example from actionpack-3.0.7/lib/action_controller/metal/http_authentication.rb line 188:
uri = credentials[:uri][0,1] == '/' ? request.fullpath : request.url
This should be simply:
uri = credentials[:uri]
We ran into this bug when switching from a java-Spring-Acegi authentication handler to Rails HttpAuthentication. It had always worked perfectly with Acegi. Rails digest authentication worked fine when connecting directly to the server it was installed on, but when connecting to a front-end server that rewrites the URLs, Rails digest authentication always failed. With the above patch, digest authentication works correctly again.
If there's a need to verify that the digest-uri matches in some way the request uri the server should do that separately from the actual digest authentication piece, which should just match the specifications of RFC 2617. Agreed?
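To make the proxy-rewrite scenario concrete, here is an added, self-contained example (not Rails code and not part of the original report) that computes an RFC 2617 digest response with qop=auth on the client, parses the Authorization header on the server, and then verifies it two ways: hashing the "uri" directive from the header, as the RFC specifies, and hashing the path the server itself observed, as the pre-patch Rails code did. The username, password, realm, nonce, and the /api prefix the hypothetical proxy strips are all constructed for the example; the digest-uri deliberately carries a query string, so it also shows that the directive must be kept whole, query and all, when the server hashes it.

```ruby
require 'digest/md5'

# Constructed example, not Rails code: an RFC 2617 digest (qop=auth) exchange in
# which a front-end proxy rewrites the request path before the app sees it.
# Only the server-side verification strategy differs between the two checks.

USERNAME = 'alice'                                 # hypothetical credentials
PASSWORD = 'correct horse'
REALM    = 'api'
NONCE    = 'dcd98b7102dd2f0e8b11d0f600bfb0c093'   # value chosen for the example

# RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with
# HA1 = MD5(user:realm:password) and HA2 = MD5(method:digest-uri).
def digest_response(method, uri_value, cnonce, nc)
  ha1 = Digest::MD5.hexdigest("#{USERNAME}:#{REALM}:#{PASSWORD}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri_value}")
  Digest::MD5.hexdigest("#{ha1}:#{NONCE}:#{nc}:#{cnonce}:auth:#{ha2}")
end

# Client side: build the Authorization header for a request to uri_value.
def authorization_header(method, uri_value, cnonce: 'a4f1c9', nc: '00000001')
  response = digest_response(method, uri_value, cnonce, nc)
  %(Digest username="#{USERNAME}", realm="#{REALM}", nonce="#{NONCE}", ) +
    %(uri="#{uri_value}", qop=auth, nc=#{nc}, cnonce="#{cnonce}", response="#{response}")
end

# Server side: parse the comma-separated directives into a Hash keyed by
# symbol, the same shape as the credentials hash in the report above.
def parse_credentials(header)
  header.sub(/\ADigest\s+/, '')
        .scan(/(\w+)=(?:"([^"]*)"|([^\s,]+))/)
        .each_with_object({}) { |(k, quoted, bare), h| h[k.to_sym] = quoted || bare }
end

# Constant-time comparison so the check does not leak how many leading
# hex characters of the response matched.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify using the uri directive from the header (what RFC 2617 specifies).
def valid_per_rfc?(method, header)
  c = parse_credentials(header)
  secure_compare(digest_response(method, c[:uri], c[:cnonce], c[:nc]), c[:response])
end

# Verify using the path the server observed (the pre-patch behaviour).
def valid_using_request_path?(method, header, request_fullpath)
  c = parse_credentials(header)
  secure_compare(digest_response(method, request_fullpath, c[:cnonce], c[:nc]), c[:response])
end

# Scenario: the client signs the public URL; the hypothetical proxy strips the
# /api prefix before forwarding, so the app sees a different full path.
CLIENT_URI    = '/api/v1/reports?month=2011-07'
REWRITTEN_URI = '/v1/reports?month=2011-07'

def demo
  header = authorization_header('GET', CLIENT_URI)
  {
    rfc:          valid_per_rfc?('GET', header),                              # true
    request_path: valid_using_request_path?('GET', header, REWRITTEN_URI),    # false
    # any edit to a signed directive (here the nonce count) must also fail
    tampered:     valid_per_rfc?('GET', header.sub('nc=00000001', 'nc=00000002')) # false
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Running it prints `{:rfc=>true, :request_path=>false, :tampered=>false}`: the same header validates when the server hashes the "uri" directive and fails when it hashes its own rewritten path. Any sanity check that the digest-uri plausibly belongs to this request (for instance that its path ends with the path the app received, once the proxy's rewrite rule is known) would be a separate step after `valid_per_rfc?`, which is what the report proposes.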
Fix for digest authentication bug - issue #2301 in rails/rails
@arthurpsmith Is this still an issue?
As far as I am aware, yes it is still an issue. For the service where we need Digest authentication we're running rails 3.0.9 with my patch so as far as that goes it's working for us. However, it would probably break and need to be re-patched if we update to a newer rails version. I've had no indication this has been fixed in rails releases since then.
I just compared actionpack-3.2.3 and it looks like there are some changes in the digest authentication section - in particular the uri now uses request.original_fullpath etc. instead of request.fullpath. This seems to depend on an environment variable ORIGINAL_FULLPATH which seems to be set by rails/application.rb - but I see no sign this addresses at all the issue of a proxy that may rewrite the URL. The RFC is very specific - the URL provided in the credentials is to be used for Digest authentication, and it is clear this has still not been fixed in 3.2.3.
Changelog entry for Digest Auth fix (#2301)
Fixed @ 6e52376
Yup, it's done, thanks all.
Trying to upgrade an application to Rails 4 I've reached a problem with our digest authentication that may be related to which requests we're authenticating. Does anyone know if credentials[:uri] should respect the parameters that came with the request?
With this change credentials[:uri] only preserves the path, so the authentication doesn't work.