About digest authorization! #42

easyops opened this Issue Nov 28, 2013 · 5 comments

2 participants

easyops commented Nov 28, 2013

There may be a bug when I use needle digest authorization.

It doesn't work for RFC 2069; it only supports RFC 2617.

auth.js line 46 should be

if (typeof challenge.qop === 'string') {
    cnonce = md5(Math.random().toString(36)).substr(0, 8);
    nc = digest.update_nc(nc);
    resp = resp.concat(nc, cnonce);
    resp = resp.concat(challenge.qop, ha2);
} else {
    resp = resp.concat(ha2);
}

var ha1 = md5(user + ':' + challenge.realm + ':' + pass), ha2 = md5(method
        + ':' + path), resp = [ ha1, challenge.nonce ];

and can't be the parameters of function.

They should be taken from the headers of the response.

tomas commented Dec 4, 2013

Thanks for the heads up. I'll take a look and get back to you.

tomas commented Dec 4, 2013

Ok, just took a look. Can you point me at the specific part of the RFC where I can read about the first snippet of code you're showing?

As for the second part, I really don't know what you mean. What can't be "the parameters of function"?

easyops commented Dec 5, 2013

About the first question, you can refer to

About the second question: "path", as the parameter of the md5 function, should be gotten from the response header. If the web server changes the path, there will be a problem. For example, if the client path is /mypath/, it may be changed to /mypath by the web server.

tomas commented Mar 5, 2014


Would you mind submitting a pull request for this? I'd really appreciate it.

tomas commented Apr 8, 2014

No answer so closing...

@tomas tomas closed this Apr 8, 2014
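
The two response computations this thread contrasts, as an added example that is not part of the original issue or needle's auth.js: the RFC 2069 form (no qop in the challenge) next to the RFC 2617 qop=auth form, with the request URI hashed exactly as given, which is the point of the Dec 5 comment about /mypath/ and /mypath. The function names and object layout are assumptions; the sample challenge and credentials are the example values from RFC 2617 section 3.5.

```javascript
// Added illustration; parseChallenge/digestResponse are hypothetical names,
// not needle's API.
const crypto = require('crypto');

const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

// Parse the key=value parameters of a "WWW-Authenticate: Digest ..." value.
function parseChallenge(header) {
  const params = {};
  const re = /(\w+)=(?:"([^"]*)"|([^\s,]+))/g;
  let m;
  while ((m = re.exec(header)) !== null) {
    params[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return params;
}

// Compute the "response" value for an Authorization: Digest header.
function digestResponse({ user, pass, method, uri, challenge, nc, cnonce }) {
  const ha1 = md5(`${user}:${challenge.realm}:${pass}`);
  // uri is hashed byte for byte: "/mypath/" and "/mypath" give different
  // results, so it must be the same string sent in the uri= parameter.
  const ha2 = md5(`${method}:${uri}`);
  // The server may offer a list such as "auth,auth-int".
  const qops = typeof challenge.qop === 'string'
    ? challenge.qop.split(/\s*,\s*/)
    : [];
  if (qops.length === 0) {
    // RFC 2069 form: no qop, nc or cnonce in the hash.
    return md5([ha1, challenge.nonce, ha2].join(':'));
  }
  if (!qops.includes('auth')) {
    throw new Error('unsupported qop: ' + challenge.qop);
  }
  // RFC 2617 form: the single chosen qop token goes into the hash.
  return md5([ha1, challenge.nonce, nc, cnonce, 'auth', ha2].join(':'));
}

// Sample input: the example challenge and request from RFC 2617 section 3.5.
const SAMPLE_HEADER = 'Digest realm="testrealm@host.com", ' +
  'qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' +
  'opaque="5ccc069c403ebaf9f0171e9517f40e41"';
const SAMPLE_REQUEST = {
  user: 'Mufasa', pass: 'Circle Of Life', method: 'GET',
  uri: '/dir/index.html', nc: '00000001', cnonce: '0a4f113b',
};
```

When the challenge offers a qop list, the client sends back one token from it, and that same token has to be the one hashed.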