Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Digest authentication fails when GET parameters are specified #2023

Closed
Geoffrey-A opened this Issue Jan 8, 2018 · 1 comment

Comments

Projects
None yet
1 participant
@Geoffrey-A
Copy link
Contributor

Geoffrey-A commented Jan 8, 2018

With the following code:

import vibe.d;

final class Test {
    private DigestAuthInfo m_authinfo;
    this() {
        m_authinfo = new DigestAuthInfo;
        m_authinfo.realm = "realm";
    }

    @noRoute string authenticate(
        scope HTTPServerRequest req,
        scope HTTPServerResponse res ) @trusted
    {
        string checkPassword(string realm, string user) {
            return createDigestPassword("realm", "admin", "secret");
        }

        return performDigestAuth(
            req, res, m_authinfo, toDelegate(&checkPassword) );
    }

    @before!authenticate("username")
    void get(HTTPServerResponse res, string username = "me", string value = "default") {
        res.writeBody("hi " ~ username ~ "\nvalue: " ~ value ~ "\n");
    }
}

shared static this() {
    auto router = new URLRouter;
    router.registerWebInterface(new Test);

    auto settings = new HTTPServerSettings;
    settings.port = 8080;
    settings.bindAddresses = ["::1", "127.0.0.1"];

    listenHTTP(settings, router);
}

No parameter given:

% curl --digest -u admin:secret 'http://127.0.0.1:8080/'
hi admin
value: default

Parameter given, reproducible with any parameter name (such as ?unexpected=hello):

% curl --digest -u admin:secret 'http://127.0.0.1:8080/?value=test'
401 - Unauthorized

Unauthorized%

It works if either:

  • the @before!authenticate UDA is commented out
  • the endpoint is made POST instead of GET

Is there any workaround?

@Geoffrey-A

This comment has been minimized.

Copy link
Contributor Author

Geoffrey-A commented Jan 10, 2018

I checked that basic auth does not have this issue.

Geoffrey-A added a commit to Geoffrey-A/vibe.d that referenced this issue Feb 4, 2018

@s-ludwig s-ludwig closed this in 7e4d22c May 18, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.