DigestAuthenticator returning 401 when the nonce isn't valid anymore #8

Closed
N4zroth opened this issue Apr 15, 2016 · 3 comments
N4zroth commented Apr 15, 2016

Hi,
I run into problems with the AuthenticationCacheInterceptor: The CachingAuthenticator seems to cache a successful digest authentication (which is of course correct so far) and tries to reuse it on subsequent requests (also correct).
The problem is that the request might be several seconds later than the original request thus invalidating the nonce.
In previous versions, this was fine as the authenticator just tried again until OkHttp's request limit (20) was reached. As the authentication itself was correct, the next request worked fine.
But the following code in DigestAuthenticator prevents any request after an unsuccessful authentication from being executed:

```java
// prevent infinite loops when the password is wrong
final String authorizationHeader = request.header("Authorization");
if (authorizationHeader != null && authorizationHeader.startsWith("Digest")) {
    Log.w(TAG, "previous digest authentication failed, returning null");
    return null;
}
```

It does prevent infinite loops (well, 'infinite' as in a maximum of 20 requests) on invalid passwords, but it doesn't take into consideration that something else (e.g. the previously cached nonce) was wrong.
Is there a simple way to fix this? I've removed the code and my authentication works fine again.
Thanks!

Owner

rburgst commented Apr 15, 2016

Hi
I don't quite understand your scenario. Why is the nonce invalidated?
Can you send a concrete example or create a unit test that shows it?

Thanks

Author

N4zroth commented Apr 15, 2016

Hi,
Sure, I'll do that as soon as I'm in the office on Monday.
I basically send and successfully authenticate a request which has a nonce that's valid for five seconds. The cache saves the authentication and tries to reuse it when I issue another request ten seconds later. The nonce isn't valid anymore as ten seconds have passed and thus the authentication fails. The Authenticator treats this as wrong password and aborts authentication completely even though password and user name were correct, only the saved nonce had timed out.
Greetings :)

Owner

rburgst commented Apr 27, 2016

This is indeed a bug and I need to fix it; in the meantime it's probably good for you to roll back to the previous version.
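
The distinction this thread turns on, an expired nonce versus a wrong password, is signalled in Digest authentication (RFC 7616) by the `stale=true` directive of the new challenge. The following is an added example, not code from the project or from either participant; the class and method names, the attempt bound and the sample headers are constructed, and it assumes the server sets `stale` when it rejects an expired nonce.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class StaleNonceCheck {
    private static final int MAX_DIGEST_ATTEMPTS = 2; // assumed bound, keeps the loop protection
    // Matches key=token and key="quoted string" parameters of a challenge.
    private static final Pattern PARAM =
            Pattern.compile("(\\w+)\\s*=\\s*(?:\"((?:[^\"\\\\]|\\\\.)*)\"|([^\\s,]+))");

    static Map<String, String> parseDigestChallenge(String header) {
        Map<String, String> params = new HashMap<>();
        if (header == null || !header.regionMatches(true, 0, "Digest ", 0, 7)) {
            return params; // not a Digest challenge
        }
        Matcher m = PARAM.matcher(header.substring(7));
        while (m.find()) {
            String value = m.group(2) != null ? m.group(2) : m.group(3);
            params.put(m.group(1).toLowerCase(Locale.ROOT), value);
        }
        return params;
    }

    // previousAuthorization: Authorization header of the request that received the 401.
    // challenge: WWW-Authenticate header of that 401. attempts: Digest attempts made so far.
    static boolean shouldRetry(String previousAuthorization, String challenge, int attempts) {
        if (previousAuthorization == null || !previousAuthorization.startsWith("Digest")) {
            return true; // no Digest credentials were sent yet, answer the challenge
        }
        if (attempts >= MAX_DIGEST_ATTEMPTS) {
            return false; // give up even if the server keeps reporting stale nonces
        }
        // stale=true: the server reports an expired nonce, not bad credentials;
        // anything else after a Digest attempt is treated as a wrong password.
        return "true".equalsIgnoreCase(parseDigestChallenge(challenge).get("stale"));
    }

    public static void main(String[] args) {
        // Constructed sample headers, not taken from the issue.
        String sent = "Digest username=\"u\", realm=\"r\", nonce=\"old\", uri=\"/\", response=\"0\"";
        String expiredNonce = "Digest realm=\"r\", nonce=\"new\", qop=\"auth\", stale=true";
        String wrongPassword = "Digest realm=\"r\", nonce=\"new\", qop=\"auth\"";
        System.out.println("expired nonce  -> retry: " + shouldRetry(sent, expiredNonce, 1));
        System.out.println("wrong password -> retry: " + shouldRetry(sent, wrongPassword, 1));
    }
}
```

A server that rejects an expired nonce without sending `stale=true` is indistinguishable from a wrong password under this check, so the cached credentials would still be dropped in that case.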
