Issue #914 resolved

improvements to digest auth


The current implementation of HTTP Digest Auth suffers from a few defects:

  • The API is contorted. The {{{users}}} arg is either:

    1. a dict of the form: {username: password}, or
    2. a callable returning a dict, or
    3. a callable returning a password

    The third of these is not documented.

  • It only works with a credential store which contains plaintext passwords. It cannot work with a credential store which contains H(A1) hashes instead of plaintext passwords.

  • It does not perform any nonce validation. A user agent can ignore the nonce provided by the server and send an Authorization header with a nonce of its own making and digest_auth will happily accept it.

  • The code is grossly intertwined with code for Basic auth, although the two authentication methods have very little in common. As a consequence the code is convoluted and hard to follow.

I have written another implementation of Digest auth which is intended to replace the current one found in lib/ and lib/ The main differences are:

  • The code is completely separate from code for Basic auth.

  • Instead of an overloaded 'users' argument, you pass it a 'get_ha1' function which takes a realm and user as arguments and returns the H(A1) hash.

  • The module provides three get_ha1 functions to make it easy to use any of the following kinds of credential stores:

    1. A dictionary of the form { username : plaintext_password }
    2. A dictionary of the form { username : HA1_hash }
    3. A file compatible with the Apache htdigest utility. These files consist of lines of the form: username:realm:HA1_hash

    The longest of these get_ha1 functions is 9 lines of code.

  • Folks with other types of credential stores need only write a get_ha1() function for it.

Note that with this new auth_digest and the auth_basic in ticket #913, the files {{{ lib/ }}} and {{{ lib/ }}} can be completely deprecated.

Note that this new digest auth has an API which is not backward compatible with the current digest_auth tool. The required modification to existing applications should be about 3 lines of code.
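The sketch below is an added illustration, not code from this issue or from the project: it shows the three credential-store adapters behind a get_ha1(realm, username) callable and a digest check that works from H(A1) alone and rejects nonces the server did not issue. All function names are hypothetical, the HMAC-based nonce scheme is an assumption (the issue does not say how the new implementation validates nonces), and the response formula is the RFC 2617 qop=auth one; nonce-count replay tracking is left out.

```python
import hashlib
import hmac
import time

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# Adapters (hypothetical names): each returns get_ha1(realm, username) -> H(A1) or None.
def ha1_from_plaintext(users):              # {username: plaintext_password}
    def get_ha1(realm, username):
        password = users.get(username)
        return None if password is None else md5_hex(f"{username}:{realm}:{password}")
    return get_ha1

def ha1_from_hashes(user_ha1):              # {username: HA1_hash}
    return lambda realm, username: user_ha1.get(username)

def ha1_from_htdigest(lines):               # lines of username:realm:HA1_hash
    def get_ha1(realm, username):
        for line in lines:
            fields = line.strip().split(":")
            if len(fields) == 3 and fields[:2] == [username, realm]:
                return fields[2]
        return None
    return get_ha1

# Assumed scheme: nonce = "<timestamp>:<HMAC-SHA256(key, timestamp:realm)>", checked statelessly.
def make_nonce(key, realm, now=None):
    stamp = str(int(time.time() if now is None else now))
    mac = hmac.new(key, f"{stamp}:{realm}".encode(), hashlib.sha256).hexdigest()
    return f"{stamp}:{mac}"

def nonce_is_valid(key, realm, nonce, max_age=600, now=None):
    stamp = nonce.partition(":")[0]
    if not stamp.isdecimal() or len(stamp) > 12:
        return False
    own = hmac.compare_digest(make_nonce(key, realm, int(stamp)).encode(), nonce.encode())
    age = (time.time() if now is None else now) - int(stamp)
    return own and 0 <= age <= max_age

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = md5_hex(f"{method}:{uri}")        # H(A2) for qop=auth (RFC 2617)
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def authenticate(get_ha1, key, realm, username, response, method, uri, nonce, nc, cnonce):
    ha1 = get_ha1(realm, username)
    if ha1 is None or not nonce_is_valid(key, realm, nonce):
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected.encode(), response.encode())
```

A store that holds only H(A1) hashes authenticates the same request as a plaintext store, while a request built on a self-made or expired nonce fails even when the response hash is computed correctly.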
