Merge pull request request#730 from dai-shi/PR_digest_01

better HTTP DIGEST support

Author: nylen

request.js

@@ -703,38 +703,54 @@ Request.prototype.onResponse = function (response) {
         break
 
       case 'Digest':
-        // TODO: More complete implementation of RFC 2617.  For reference:
+        // TODO: More complete implementation of RFC 2617.
+        //   - check challenge.algorithm
+        //   - support algorithm="MD5-sess"
+        //   - handle challenge.domain
+        //   - support qop="auth-int" only
+        //   - handle Authentication-Info (not necessarily?)
+        //   - check challenge.stale (not necessarily?)
+        //   - increase nc (not necessarily?)
+        // For reference:
         // http://tools.ietf.org/html/rfc2617#section-3
         // https://github.com/bagder/curl/blob/master/lib/http_digest.c
 
-        var matches = authHeader.match(/([a-z0-9_-]+)="([^"]+)"/gi)
         var challenge = {}
-
-        for (var i = 0; i < matches.length; i++) {
-          var eqPos = matches[i].indexOf('=')
-          var key = matches[i].substring(0, eqPos)
-          var quotedValue = matches[i].substring(eqPos + 1)
-          challenge[key] = quotedValue.substring(1, quotedValue.length - 1)
+        var re = /([a-z0-9_-]+)=(?:"([^"]+)"|([a-z0-9_-]+))/gi
+        for (;;) {
+          var match = re.exec(authHeader)
+          if (!match) break
+          challenge[match[1]] = match[2] || match[3];
         }
 
         var ha1 = md5(self._user + ':' + challenge.realm + ':' + self._pass)
         var ha2 = md5(self.method + ':' + self.uri.path)
-        var cnonce = uuid().replace(/-/g, '')
-        var digestResponse = md5(ha1 + ':' + challenge.nonce + ':1:' + cnonce + ':auth:' + ha2)
+        var qop = /(^|,)auth($|,)/.test(challenge.qop) && 'auth'
+        var nc = qop && '00000001'
+        var cnonce = qop && uuid().replace(/-/g, '')
+        var digestResponse = qop ? md5(ha1 + ':' + challenge.nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + ha2) : md5(ha1 + ':' + challenge.nonce + ':' + ha2)
         var authValues = {
           username: self._user,
           realm: challenge.realm,
           nonce: challenge.nonce,
           uri: self.uri.path,
-          qop: challenge.qop,
+          qop: qop,
           response: digestResponse,
-          nc: 1,
-          cnonce: cnonce
+          nc: nc,
+          cnonce: cnonce,
+          algorithm: challenge.algorithm,
+          opaque: challenge.opaque
         }
 
         authHeader = []
         for (var k in authValues) {
-          authHeader.push(k + '="' + authValues[k] + '"')
+          if (!authValues[k]) {
+            //ignore
+          } else if (k === 'qop' || k === 'nc' || k === 'algorithm') {
+            authHeader.push(k + '=' + authValues[k])
+          } else {
+            authHeader.push(k + '="' + authValues[k] + '"')
+          }
         }
         authHeader = 'Digest ' + authHeader.join(', ')
         self.setHeader('authorization', authHeader)

tests/test-digest-auth.js

@@ -14,17 +14,34 @@ var digestServer = http.createServer(function (req, res) {
 
   var ok;
 
-  if (req.headers.authorization) {
-    if (/^Digest username="test", realm="Private", nonce="WpcHS2\/TBAA=dffcc0dbd5f96d49a5477166649b7c0ae3866a93", uri="\/test\/", qop="auth", response="[a-f0-9]{32}", nc="1", cnonce="[a-f0-9]{32}"$/.exec(req.headers.authorization)) {
-      ok = true;
+  if (req.url === '/test/') {
+    if (req.headers.authorization) {
+      if (/^Digest username="test", realm="Private", nonce="WpcHS2\/TBAA=dffcc0dbd5f96d49a5477166649b7c0ae3866a93", uri="\/test\/", qop=auth, response="[a-f0-9]{32}", nc=00000001, cnonce="[a-f0-9]{32}", algorithm=MD5, opaque="5ccc069c403ebaf9f0171e9517f40e41"$/.exec(req.headers.authorization)) {
+        ok = true;
+      } else {
+        // Bad auth header, don't send back WWW-Authenticate header
+        ok = false;
+      }
     } else {
-      // Bad auth header, don't send back WWW-Authenticate header
+      // No auth header, send back WWW-Authenticate header
       ok = false;
+      res.setHeader('www-authenticate', 'Digest realm="Private", nonce="WpcHS2/TBAA=dffcc0dbd5f96d49a5477166649b7c0ae3866a93", algorithm=MD5, qop="auth", opaque="5ccc069c403ebaf9f0171e9517f40e41"');
+    }
+  } else if (req.url === '/dir/index.html') {
+    // RFC2069-compatible mode
+    // check: http://www.rfc-editor.org/errata_search.php?rfc=2069
+    if (req.headers.authorization) {
+      if (/^Digest username="Mufasa", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="\/dir\/index.html", response="[a-f0-9]{32}", opaque="5ccc069c403ebaf9f0171e9517f40e41"$/.exec(req.headers.authorization)) {
+        ok = true;
+      } else {
+        // Bad auth header, don't send back WWW-Authenticate header
+        ok = false;
+      }
+    } else {
+      // No auth header, send back WWW-Authenticate header
+      ok = false;
+      res.setHeader('www-authenticate', 'Digest realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"');
     }
-  } else {
-    // No auth header, send back WWW-Authenticate header
-    ok = false;
-    res.setHeader('www-authenticate', 'Digest realm="Private", nonce="WpcHS2/TBAA=dffcc0dbd5f96d49a5477166649b7c0ae3866a93", algorithm=MD5, qop="auth"');
   }
 
   if (ok) {
@@ -63,7 +80,20 @@ request({
     assert.equal(response.statusCode, 401);
     assert.equal(numDigestRequests, 3);
 
-    console.log('All tests passed');
-    digestServer.close();
+    request({
+      'method': 'GET',
+      'uri': 'http://localhost:6767/dir/index.html',
+      'auth': {
+        'user': 'Mufasa',
+        'pass': 'CircleOfLife',
+      'sendImmediately': false
+      }
+    }, function(error, response, body) {
+      assert.equal(response.statusCode, 200);
+      assert.equal(numDigestRequests, 5);
+
+      console.log('All tests passed');
+      digestServer.close();
+    });
   });
 });