
About digest authorization! #42

Closed
easyops opened this Issue Nov 28, 2013 · 5 comments

2 participants

@easyops
easyops commented Nov 28, 2013

There may be a bug when I use needle digest authorization.

It doesn't work for RFC 2069; it only supports RFC 2617.

auth.js line 46 should be

if (typeof challenge.qop === 'string') {
    cnonce = md5(Math.random().toString(36)).substr(0, 8);
    nc = digest.update_nc(nc);
    resp = resp.concat(nc, cnonce);
    resp = resp.concat(challenge.qop, ha2);
} else {
    resp = resp.concat(ha2);
}

and

var ha1 = md5(user + ':' + challenge.realm + ':' + pass),
    ha2 = md5(method + ':' + path),
    resp = [ha1, challenge.nonce];

and can't be the parameters of function.

They should be gotten from the headers of the response.

@tomas
Owner
tomas commented Dec 4, 2013

Thanks for the heads up. I'll take a look and get back to you.

@tomas
Owner
tomas commented Dec 4, 2013

Ok, just took a look. Can you point me at the specific part of the RFC where I can read about the first snippet of code you're showing?

As for the second part, I really don't know what you mean. What can't be "the parameters of function"?

@easyops
easyops commented Dec 5, 2013

About the first question, you can refer to http://en.wikipedia.org/wiki/Digest_access_authentication.

About the second question: "path", as the parameter of the md5 function, should be gotten from the response head. If the web server changes the path, there will be a problem. For example, if the client path is /mypath/, it may be changed to /mypath by the web server.
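The two response formats discussed in this thread, as an added example that is not needle's code and not part of either participant's comments: with no `qop` in the challenge the response is MD5(HA1:nonce:HA2) (RFC 2069), and with `qop=auth` it is MD5(HA1:nonce:nc:cnonce:qop:HA2) (RFC 2617). The function names and the fixed `cnonce`/`nc` arguments are assumptions made for the example; the sample values are the example from RFC 2617, plus a constructed copy of that challenge without `qop`.

```javascript
const crypto = require('crypto');
const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

// Parse a "WWW-Authenticate: Digest ..." value into an object of parameters.
function parseChallenge(header) {
  const params = {};
  const body = header.replace(/^Digest\s+/i, '');
  const re = /(\w+)=(?:"([^"]*)"|([^\s,]+))/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    params[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return params;
}

// Compute the "response" value. cnonce and nc are arguments so the result is
// reproducible here; a client generates a fresh cnonce and increments nc.
function digestResponse({ user, pass, method, uri, challenge, cnonce, nc }) {
  const ha1 = md5(`${user}:${challenge.realm}:${pass}`);
  const ha2 = md5(`${method}:${uri}`); // uri must equal the uri= sent in Authorization
  if (typeof challenge.qop !== 'string') {
    // RFC 2069 challenge: no qop, so no nc/cnonce in the hash input.
    return md5([ha1, challenge.nonce, ha2].join(':'));
  }
  const offered = challenge.qop.split(',').map((q) => q.trim());
  if (!offered.includes('auth')) {
    throw new Error(`unsupported qop: ${challenge.qop}`); // auth-int not handled
  }
  // RFC 2617 challenge with qop=auth.
  return md5([ha1, challenge.nonce, nc, cnonce, 'auth', ha2].join(':'));
}

// Sample challenges: the first uses the example values from RFC 2617 section 3.5,
// the second is the same challenge with qop removed (constructed).
const WITH_QOP = 'Digest realm="testrealm@host.com", qop="auth,auth-int", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';
const WITHOUT_QOP = 'Digest realm="testrealm@host.com", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';
const creds = { user: 'Mufasa', pass: 'Circle Of Life', method: 'GET',
  uri: '/dir/index.html', cnonce: '0a4f113b', nc: '00000001' };

console.log(digestResponse({ ...creds, challenge: parseChallenge(WITH_QOP) }));
console.log(digestResponse({ ...creds, challenge: parseChallenge(WITHOUT_QOP) }));
// A trailing slash changes HA2, so the two responses differ.
console.log(digestResponse({ ...creds, uri: '/mypath/', challenge: parseChallenge(WITHOUT_QOP) }) !==
  digestResponse({ ...creds, uri: '/mypath', challenge: parseChallenge(WITHOUT_QOP) }));
```

The last line shows why a server that checks `/mypath` against a response computed over `/mypath/` rejects the request: the two strings give different HA2 values.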

@tomas
Owner
tomas commented Mar 5, 2014

Hi,

Would you mind submitting a pull request for this? I'd really appreciate it.

@tomas
Owner
tomas commented Apr 8, 2014

No answer so closing...

@tomas tomas closed this Apr 8, 2014