Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Digest authentication fails when GET parameters are specified #2023

Closed
Geoffrey-A opened this issue Jan 8, 2018 · 1 comment
Closed

Digest authentication fails when GET parameters are specified #2023

Geoffrey-A opened this issue Jan 8, 2018 · 1 comment

Comments

@Geoffrey-A
Copy link
Contributor

@Geoffrey-A Geoffrey-A commented Jan 8, 2018

With the following code:

import vibe.d;

final class Test {
    private DigestAuthInfo m_authinfo;
    this() {
        m_authinfo = new DigestAuthInfo;
        m_authinfo.realm = "realm";
    }

    @noRoute string authenticate(
        scope HTTPServerRequest req,
        scope HTTPServerResponse res ) @trusted
    {
        string checkPassword(string realm, string user) {
            return createDigestPassword("realm", "admin", "secret");
        }

        return performDigestAuth(
            req, res, m_authinfo, toDelegate(&checkPassword) );
    }

    @before!authenticate("username")
    void get(HTTPServerResponse res, string username = "me", string value = "default") {
        res.writeBody("hi " ~ username ~ "\nvalue: " ~ value ~ "\n");
    }
}

shared static this() {
    auto router = new URLRouter;
    router.registerWebInterface(new Test);

    auto settings = new HTTPServerSettings;
    settings.port = 8080;
    settings.bindAddresses = ["::1", "127.0.0.1"];

    listenHTTP(settings, router);
}

No parameter given:

% curl --digest -u admin:secret 'http://127.0.0.1:8080/'
hi admin
value: default

Parameter given, reproducible with any parameter name (such as ?unexpected=hello):

% curl --digest -u admin:secret 'http://127.0.0.1:8080/?value=test'
401 - Unauthorized

Unauthorized%

It works if either:

  • the @before!authenticate UDA is commented out
  • the endpoint is made POST instead of GET

Is there any workaround?

@Geoffrey-A
Copy link
Contributor Author

@Geoffrey-A Geoffrey-A commented Jan 10, 2018

I checked that basic auth does not have this issue.

Loading

Geoffrey-A added a commit to Geoffrey-A/vibe.d that referenced this issue Feb 4, 2018
@s-ludwig s-ludwig closed this in 7e4d22c May 18, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant