HTTP Digest authentication support #131
…iple_calls test case
Codecov Report
@@            Coverage Diff             @@
##           master     #131      +/-   ##
==========================================
- Coverage   98.86%   97.92%   -0.94%
==========================================
  Files          26       26
  Lines        2285     2510     +225
  Branches      165      183      +18
==========================================
+ Hits         2259     2458     +199
- Misses         14       32      +18
- Partials       12       20       +8
851f517 to e749665
treq/auth.py
Outdated
return hashlib.sha1(x).hexdigest() | ||
|
||
|
||
def build_digest_authentication_header(agent, **kwargs): |
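Review bot: hashlib.sha1(x).hexdigest() in the hash helper accepts only bytes on Python 3 and returns a str, so callers end up mixing the two types when the header is assembled; have the helper take bytes and return the hex digest in one agreed type. On build_digest_authentication_header(agent, **kwargs), replace **kwargs with named parameters so a missing or misspelled digest field fails at the call site rather than inside the builder.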
This shouldn't be public, if it needs to share data with the agent it should probably just be a private method on the agent.
The tests fail on Python 3, looks like you're trying to use a str as the header instead of a bytes.
…equestDigestAuthenticationAgent without kwargs
@dreid How would I go about fixing the issue with the header being a str instead of bytes? I'm having trouble debugging that.
treq/auth.py
Outdated
# We support only "auth" QoP as defined in rfc-2617 or rfc-2069 | ||
raise UnknownQopForDigestAuth(digest_authentication_params['qop']) | ||
digest_authentication_header = self._build_digest_authentication_header( | ||
self, |
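Review bot: the comment above the raise cites rfc-2069 for the "auth" QoP, but RFC 2069 defines no qop directive; qop was introduced in RFC 2617. Reword the comment to reference RFC 2617 only, and document next to this check what happens when the challenge carries no qop at all, since that is the RFC 2069 compatible case and these lines do not show it.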
This self (and the agent argument in _build_digest_authentication_header) are redundant.
Start by using byte strings (
@dreid I think I've got everything converted to using byte strings, now I'm getting 401 errors instead (I verified against a production server to confirm it's not just the tests that are failing) for python 3. Any idea what might be causing authentication to fail?
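An added example, not code from this pull request or from treq: the RFC 2617 qop=auth, algorithm=MD5 response computed entirely in bytes and checked against the worked example in RFC 2617 section 3.5, next to the str-formatting pitfall that silently produces a different hash on Python 3. All function names are hypothetical, and the pitfall is shown as a general hazard of mixing str and bytes, not as a diagnosis of the 401 responses reported above.

```python
import hashlib


def md5_hex(data: bytes) -> bytes:
    """Hex MD5 as ASCII bytes, so it can be joined into the next hash input."""
    return hashlib.md5(data).hexdigest().encode("ascii")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """request-digest for algorithm=MD5, qop=auth (RFC 2617, section 3.2.2)."""
    fields = (username, realm, password, method, uri, nonce, nc, cnonce)
    if not all(isinstance(f, bytes) for f in fields):
        # Fail loudly instead of hashing the repr of a bytes object.
        raise TypeError("digest inputs must all be bytes")
    ha1 = md5_hex(b":".join((username, realm, password)))
    ha2 = md5_hex(b":".join((method, uri)))
    return md5_hex(b":".join((ha1, nonce, nc, cnonce, b"auth", ha2)))


def authorization_value(username, realm, password, method, uri, nonce, nc, cnonce):
    """Authorization header value as bytes, for a header API that expects bytes.

    Assumes no value contains a double quote (no quoted-string escaping here).
    """
    response = digest_response(username, realm, password, method, uri,
                               nonce, nc, cnonce)
    quoted = [(b"username", username), (b"realm", realm), (b"nonce", nonce),
              (b"uri", uri), (b"cnonce", cnonce), (b"response", response)]
    parts = [key + b'="' + value + b'"' for key, value in quoted]
    parts += [b"qop=auth", b"nc=" + nc]  # these two are sent unquoted
    return b"Digest " + b", ".join(parts)


def ha2_via_str_format(method: bytes, uri: bytes) -> bytes:
    """The pitfall: %-formatting bytes into a str hashes "b'GET':b'/dir...'"."""
    return md5_hex(("%s:%s" % (method, uri)).encode("ascii"))


# Inputs of the worked example in RFC 2617, section 3.5.
RFC_EXAMPLE = dict(
    username=b"Mufasa", realm=b"testrealm@host.com", password=b"Circle Of Life",
    method=b"GET", uri=b"/dir/index.html",
    nonce=b"dcd98b7102dd2f0e8b11d0f600bfb0c093", nc=b"00000001",
    cnonce=b"0a4f113b",
)

if __name__ == "__main__":
    print(authorization_value(**RFC_EXAMPLE).decode("ascii"))
```

Because the str-formatted variant raises no exception, only a known-answer test such as the RFC vector catches it before a server answers 401.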
I refactored the header builder based on the latest version in requests so it shouldn't be any worse than that version and appears to be unlikely to be a viable attack vector in practice here in general.
I changed algorithm to use an
@glyph Merge conflicts fixed.
Thanks for updating this @jameshilliard !
@glyph Is this good to merge now?
… deps aren't pinned, let's get unstuck
…inherited in the meanwhile
I think we are (finally? after the better part of a decade? 😮‍💨) good to land this, modulo that one public name.
I think I'm going to accept a bit of a coverage hit here but I want to make sure I get an accurate sense of what the coverage hit is, so I'm going to attempt to re-run the tests on trunk (which involves a fake empty commit and a force push because you can't re-run workflow jobs after 30 days).
OK I am not sure what codecov thinks the base commit is but I'm not going to spend any more time on this. Allons y
Oh. The repo was deactivated. Well, coverage will have to come later.
(It's reactivated now.)
This reverts commit 22a776d, reversing changes made to c9f0bae. Per 2024-06-28 discussion in #twisted on libera.chat and post-merge review comments on GitHub [1], this implementation doesn't look spec compliant. [1]: 22a776d#diff-14b7fa3002098fc55f2cdf2bf01a0039eb02598ae1e852170183d5935f4ef4d0R369
This is basically just #111 cherry-picked with merge conflicts fixed and POST Digest Authentication fixed.