
digest auth: use RequireAuthStale when appropriate #6569

Merged
merged 3 commits into from Mar 25, 2020

Conversation

mpl
Collaborator

@mpl mpl commented Mar 24, 2020

What does this PR do?

This PR adds support for the stale header option, so that the digest auth middleware can use it when replying to a request that is correctly (correct username and password) authenticated, but with a nonce counter that is not the expected one. We distinguish two cases:

  • if the nonce counter is the same as the previously seen one, it is still considered a replay attack, and the behaviour stays the same as before.
  • if the nonce counter is inferior to the expected one, one of the possible reasons is that requests arrived out of order, which is the cause of the observed issue. In this case, we use the new RequireAuthStale method, which uses the header mentioned above, to signal the client (the browser) that it should retry with the same credentials, without having to prompt the user for the credentials again.

Motivation

Fixes #4281

More

- [ ] Added/updated tests
- [ ] Added/updated documentation

Additional Notes

Member

@juliens juliens left a comment


LGTM

Member

@ldez ldez left a comment


LGTM

Contributor

@dtomcej dtomcej left a comment


LGTM
:shipit:

@ldez ldez added the kind/bug/fix a bug fix label Mar 25, 2020
Member

@jbdoumenjou jbdoumenjou left a comment


LGTM

@traefiker traefiker merged commit 69de5bb into traefik:v2.2 Mar 25, 2020
v2 automation moved this from To review to Done Mar 25, 2020
@mpl mpl deleted the dauth branch April 13, 2022 08:00