API to pass and retrieve hashed SIP password #353

Closed
ibc opened this issue Jan 15, 2016 · 9 comments

ibc commented Jan 15, 2016

Goal:

  1. Pass `uri` and clear `password` as always.
  2. Add `ua.getHashedPassword()` that retrieves `HA1=MD5(username:realm:password)` (so we need to also set the realm somehow...).
  3. Allow UA to be provided with `uri` and `ha1Password` instead of plain `password`.

@jmillan any concern about this?

ibc self-assigned this Jan 15, 2016
ibc added this to the 0.7.X milestone Jan 15, 2016

saghul commented Jan 15, 2016

FWIW, me likey. I'd make the realm optional, and set it to the domain by default. Asterisk uses 'asterisk' by default as the realm, so people may want to change it.


ibc commented Jan 15, 2016

OK, so in practice we would want a new realm configuration param that would just be used when ha1Password is also provided, agreed?

```js
let ua = new JsSIP.UA({
    uri: 'sip:alice@atlanta.com',
    password: '1234fuckmeeasy'
});
```

and:

```js
let ua = new JsSIP.UA({
    uri: 'sip:alice@atlanta.com',
    realm: 'asterisk',  // optional, if not set defaults to "atlanta.com"
    ha1Password: 'iwudkasjhdk234asd'
});
```


ibc commented Jan 15, 2016

NOTE FOR ME: once first authentication is done, the UA should delete the clear SIP password from its internal configuration object and automatically set the ha1Password and realm fields. In this way the lifetime of the clear password would be reduced (between UA creation and first successful authentication).

CONS: rare use case in which the server requires a late authentication with a new realm... In that case the auth would just fail, but we can live with it IMHO. Thoughts?

@murillo128

My two cents: in some weird cases, authentication info could be different than SIP info, so maybe something like this could be useful:

```js
let ua = new JsSIP.UA({
    username: 'alice@bar.com',
    auth: {
        username: 'alice',
        realm: 'foo.com',
        ha1Password: 'iwudkasjhdk234asd'
    }
});
```


ibc commented Jan 15, 2016

There is already an `authorization_user` param for that case.

Regarding parameters grouping, I like it, but better leave it for a new 0.8.x milestone so we don't break the current API and can add the feature exposed here in the current 0.7.x set of releases.


saghul commented Jan 15, 2016

> OK, so in practice we would want a new realm configuration param that would just be used when ha1Password is also provided, agreed?
>
> ```js
> let ua = new JsSIP.UA({
>     uri: 'sip:alice@atlanta.com',
>     password: '1234fuckmeeasy'
> });
> ```
>
> and:
>
> ```js
> let ua = new JsSIP.UA({
>     uri: 'sip:alice@atlanta.com',
>     real: 'asterisk', // optional, if not set defaults to "atlanta.com"
>     ha1Password: 'iwudkasjhdk234asd'
> });
> ```

Assuming you mean "realm" 👍


ibc commented Jan 15, 2016

Kill me.

ibc closed this as completed in e50debc Feb 5, 2016

ibc commented Feb 5, 2016

Done in master. Also note that, with this new feature and even if no ha1 & realm are given, JsSIP deletes the given plain SIP password from memory and, instead, stores the generated and validated ha1 along with the resulting realm.

UA class also exposes new methods (configuration setters and getters):

  • `ua.get(property)`: `property` can be `realm` / `ha1` (useful for the app to store them in local storage and not ask the user for the plain SIP password anymore).
  • `ua.set(property, value)`: `property` can be `password` / `realm` / `ha1`.
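
Added example, not part of the thread and not JsSIP's own code: the credential lifecycle discussed above (plain password until the first accepted response, then only HA1 and realm), written for Node.js with RFC 2617 MD5 digest. `DigestCredentials`, `onAuthenticated` and all sample values are hypothetical names and constructed data.

```javascript
'use strict';
const crypto = require('node:crypto');
const md5 = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// HA1 as defined in the issue: MD5(username:realm:password).
const computeHa1 = (username, realm, password) => md5(`${username}:${realm}:${password}`);

// Digest response per RFC 2617 (algorithm=MD5), built from HA1 alone.
function digestResponse(ha1, { method, uri, nonce, qop, nc, cnonce }) {
  const ha2 = md5(`${method}:${uri}`);
  return qop === 'auth'
    ? md5(`${ha1}:${nonce}:${nc}:${cnonce}:auth:${ha2}`)
    : md5(`${ha1}:${nonce}:${ha2}`);
}

// Hypothetical credential holder (not JsSIP's class) following the thread's design.
class DigestCredentials {
  constructor({ username, password = null, realm = null, ha1 = null }) {
    Object.assign(this, { username, password, realm, ha1 });
  }
  // Returns the response for a challenge, or null if the stored HA1 is bound to another realm.
  answer(challenge, request) {
    if (this.password !== null) {
      this.realm = challenge.realm;
      this.ha1 = computeHa1(this.username, this.realm, this.password);
    } else if (challenge.realm !== this.realm) {
      return null;
    }
    return digestResponse(this.ha1, { ...request, nonce: challenge.nonce });
  }
  // Call after the server accepts the response: from here on only HA1 and realm remain.
  onAuthenticated() { this.password = null; }
}

// Constructed sample values, not taken from the issue.
function demo() {
  const request = { method: 'REGISTER', uri: 'sip:atlanta.com', qop: 'auth', nc: '00000001', cnonce: 'a1b2c3d4' };
  const creds = new DigestCredentials({ username: 'alice', password: 'constructed-secret' });
  creds.answer({ realm: 'atlanta.com', nonce: 'nonce-1' }, request);
  creds.onAuthenticated();
  const stored = new DigestCredentials({ username: 'alice', realm: creds.realm, ha1: creds.ha1 });
  const challenge = { realm: 'atlanta.com', nonce: 'nonce-2' };
  return {
    passwordKept: creds.password !== null,
    sameResponse: stored.answer(challenge, request) === creds.answer(challenge, request),
    otherRealm: stored.answer({ realm: 'asterisk', nonce: 'nonce-3' }, request),
  };
}
console.log(demo());
```

Since `sameResponse` is true, a stored HA1 authenticates for that username and realm exactly as the password does, so it needs the same protection wherever the app persists it. The `null` for the `asterisk` challenge is the realm-change failure noted earlier in the thread.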


jmillan commented Feb 5, 2016

👍
