Skip to content

Improve challenge parsing #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Improve challenge parsing #16

wants to merge 3 commits into from

Conversation

paulvt
Copy link

@paulvt paulvt commented Feb 28, 2018

This branch improves and fixes the parsing of the challenge in the header. It fixes a crash if there are multiple authentication schemes in the header and it adds some robustness for HTTP servers that are not completely compliant with RFC 2617.

Parsing/regexps are inspired by RFC 2617: https://tools.ietf.org/html/rfc2617#section-3.2.1.

@paulvt
Only parse the digest challenge part of the response header
0e64223 
It is allowed to provide multiple authentication schemes with optional
challenges in the WWW-Authenticate headers.  This fixes that it always
took the first scheme, and thus failed on a header such as:
  WWW-Authenticate: NTLM, Digest ....

Also frameworks such as Faraday group multiple WWW-Authenticate headers in
a response, for example
  WWW-Authenticate: Digest ...
  WWW-Authenticate: NTLM
into:
  WWW-Authenticate: Digest ..., NTLM
so there is a single way of retrieving header data.

This commit changes the parser to pick out only the digest challenge part
and the authentication parameters until it encounters another scheme (if
any).
@paulvt
Add some robustness for not so complete RFC (2617) complient headers
8b116bc 
This allows for HTTP servers to provide headers where the challenge
parameter values are unquoted or when there is no spacing after the
parameter separator.
@paulvt
Copy link
Author

paulvt commented Feb 28, 2018

It might also be a good idea to throw Net::HTTP::DigestAuth::Error if the initial match fails on www_authenticate fails and challenge is nil as a result. Currently it will crash with undefined method ``gsub`` for nil:NilClass. What do you think?

@paulvt paulvt mentioned this pull request Feb 28, 2018
Merged
@paulvt paulvt mentioned this pull request Mar 15, 2018
Open
@drbrain
Copy link
Owner

drbrain commented Mar 16, 2018

I think an exception that is understandable is better than NoMethodError for undiagnosable reasons

@paulvt
Raise an error if the auth header has a syntax error
acbf4d4 
This also includes the case where there is no Digest authentication in the
auth header at all.

Adds a small remark about this to the documentation of
Net::HTTP::DigestAuth#auth_header.
@paulvt
Copy link
Author

paulvt commented Mar 21, 2018

I added a commit that raises a Net::HTTP::DigestAuth::Error if the www-authenticate header does not match (either because of a syntax error or a missing Digest authentication method).

@rgaufman
Copy link

Please accept this pull request, I believe it addresses
#18

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@paulvt @drbrain @rgaufman