
Rack::Auth::Digest is deprecated and will be removed in Rack 3.1

Open anothermh opened this issue 2 years ago • 6 comments

Rack 3.0 deprecated Rack::Auth::Digest and began warning that it would be removed in Rack 3.1.

The main branch of rack removed Rack::Auth::Digest entirely on Sept. 10 2022.

Grape requires rack/auth/digest/md5 explicitly in v1.7.0 and appears to have done so for a long time because it's referenced in upgrading to >= 0.9.0. It's also mentioned in the README as a supported auth mechanism.

Using gem 'rack', github: 'rack/rack' raises a LoadError when starting a Grape app:

bundle exec puma
Puma starting in single mode...
* Puma version: 6.0.1 (ruby 3.1.2-p20) ("Sunflower")
*  Min threads: 1
*  Max threads: 1
*  Environment: development
*          PID: 51155
! Unable to load application: LoadError: cannot load such file -- rack/auth/digest/md5
bundler: failed to load command: puma (/app/vendor/bundle/ruby/3.1.0/bin/puma)
/app/vendor/bundle/ruby/3.1.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:17:in `require': cannot load such file -- rack/auth/digest/md5 (LoadError)
        from /app/vendor/bundle/ruby/3.1.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:17:in `require'
        from /app/vendor/bundle/ruby/3.1.0/gems/grape-1.7.0/lib/grape.rb:8:in `<main>'
        from /app/vendor/bundle/ruby/3.1.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
        from /app/vendor/bundle/ruby/3.1.0/gems/bootsnap-1.15.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
        from /app/config/environment.rb:26:in `<top (required)>'
        from config.ru:3:in `require_relative'
        from config.ru:3:in `block in <main>'
        from /app/vendor/cache/rack-a7d56490fd2f/lib/rack/builder.rb:103:in `eval'
        from /app/vendor/cache/rack-a7d56490fd2f/lib/rack/builder.rb:103:in `new_from_string'
        from /app/vendor/cache/rack-a7d56490fd2f/lib/rack/builder.rb:94:in `load_file'
        from /app/vendor/cache/rack-a7d56490fd2f/lib/rack/builder.rb:64:in `parse_file'
        from /app/vendor/bundle/ruby/3.1.0/gems/puma-6.0.1/lib/puma/configuration.rb:364:in `load_rackup'
        from /app/vendor/bundle/ruby/3.1.0/gems/puma-6.0.1/lib/puma/configuration.rb:286:in `app'
        from /app/vendor/bundle/ruby/3.1.0/gems/puma-6.0.1/lib/puma/runner.rb:158:in `load_and_bind'
        from /app/vendor/bundle/ruby/3.1.0/gems/puma-6.0.1/lib/puma/single.rb:44:in `run'
        from /app/vendor/bundle/ruby/3.1.0/gems/puma-6.0.1/lib/puma/launcher.rb:186:in `run'
        from /app/vendor/bundle/ruby/3.1.0/gems/puma-6.0.1/lib/puma/cli.rb:75:in `run'
        from /app/vendor/bundle/ruby/3.1.0/gems/puma-6.0.1/bin/puma:10:in `<top (required)>'
        from /app/vendor/bundle/ruby/3.1.0/bin/puma:25:in `load'
        from /app/vendor/bundle/ruby/3.1.0/bin/puma:25:in `<top (required)>'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/cli/exec.rb:58:in `load'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/cli/exec.rb:58:in `kernel_load'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/cli/exec.rb:23:in `run'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/cli.rb:484:in `exec'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in `invoke_command'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/vendor/thor/lib/thor.rb:392:in `dispatch'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/cli.rb:31:in `dispatch'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/vendor/thor/lib/thor/base.rb:485:in `start'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/cli.rb:25:in `start'
        from /installs/ruby/3.1.2/lib/ruby/gems/3.1.0/gems/bundler-2.3.7/libexec/bundle:48:in `block in <top (required)>'
        from /installs/ruby/3.1.2/lib/ruby/3.1.0/bundler/friendly_errors.rb:103:in `with_friendly_errors'
        from /installs/ruby/3.1.2/lib/ruby/gems/3.1.0/gems/bundler-2.3.7/libexec/bundle:36:in `<top (required)>'
        from /installs/ruby/3.1.2/bin/bundle:25:in `load'
        from /installs/ruby/3.1.2/bin/bundle:25:in `<main>'

I can successfully run the app after removing the require call for rack/auth/digest/md5 in lib/grape.rb, the method definition for http_digest in lib/grape/middleware/auth/dsl.rb and the call to http_digest in lib/grape/middleware/auth/strategies.rb.

I'm happy to open a PR to completely remove support for digest auth from Grape but it's a major breaking change so I wanted to open a discussion before doing so in case there's a different course of action that's preferable.

anothermh avatar Dec 21 '22 07:12 anothermh

What's the upgrade path for someone using Rack::Auth::Digest? Is there a GitHub issue on removing it somewhere that explains why?

For grape this sounds like a breaking change either way. Upgrade to Rack 3.x, remove any code that breaks, major version bump. Thanks!

dblock avatar Dec 21 '22 14:12 dblock

> What's the upgrade path for someone using Rack::Auth::Digest?

The upgrade path should be using any modern auth mechanism instead. The fallback path should be using Basic Auth. The README already offers some alternatives:

Use Doorkeeper, warden-oauth2 or rack-oauth2 for OAuth2 support.

> Is there a GitHub issue on removing it somewhere that explains why?

The PR doesn't mention reasons why but:

  1. MD5 has been considered "cryptographically broken and unsuitable for further use" for 14 years
  2. Digest Auth standard has been obsolete for 11 years

I am assuming they're removing it because it should be removed.

> For grape this sounds like a breaking change either way. Upgrade to Rack 3.x, remove any code that breaks, major version bump. Thanks!

Want me to make a PR?

anothermh avatar Dec 21 '22 19:12 anothermh

> Want me to make a PR?

Yes please!

dblock avatar Dec 22 '22 05:12 dblock

It's completely insecure, unless you use it over TLS, in which case basic auth is simpler and just as secure.

ioquatix avatar Jan 17 '23 06:01 ioquatix
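The replacement both comments above point at (Basic auth, only ever over TLS) as an added example. This is not Grape's or Rack's code: it is a minimal Rack-compatible middleware written for this thread that plays the role of `Rack::Auth::Basic` (or the block passed to Grape's `http_basic`) so it runs offline without the rack gem. The downstream app, the `alice` credential, the realm name and the request environments are all constructed for the example; the TLS check relies on the standard `rack.url_scheme` key, and the password comparison hashes both sides and uses `OpenSSL.fixed_length_secure_compare` so neither length nor content leaks through timing.

```ruby
# Added example for this issue thread, not code from Grape or Rack.
# A Basic-auth middleware that refuses to look at credentials unless the
# request arrived over TLS, which is the property that makes Basic auth an
# acceptable stand-in for the removed Rack::Auth::Digest.
require 'openssl'

class BasicAuthOverTls
  REALM = 'example' # constructed realm name

  # `app` is the downstream Rack app; `credentials` maps username -> password.
  def initialize(app, credentials)
    @app = app
    @credentials = credentials
  end

  def call(env)
    # Base64 is encoding, not encryption: the password travels in the clear,
    # so never evaluate it on a plaintext connection.
    return plain_response(403, 'TLS required') unless env['rack.url_scheme'] == 'https'

    user, pass = parse_basic(env['HTTP_AUTHORIZATION'])
    return unauthorized unless user && valid?(user, pass)

    env['REMOTE_USER'] = user
    @app.call(env)
  end

  private

  # Returns [user, password], or nil for a missing or malformed header.
  def parse_basic(header)
    return nil unless header
    scheme, token = header.split(' ', 2)
    return nil unless scheme && scheme.casecmp?('basic') && token
    decoded = begin
      token.unpack1('m0') # strict base64: bad padding or junk raises
    rescue ArgumentError
      return nil
    end
    return nil unless decoded.include?(':')
    decoded.split(':', 2)
  end

  def valid?(user, pass)
    expected = @credentials[user]
    # Hash both sides to a fixed length, then compare in constant time, so an
    # unknown user and a wrong password take the same path and the same time.
    a = OpenSSL::Digest::SHA256.digest(expected.to_s)
    b = OpenSSL::Digest::SHA256.digest(pass.to_s)
    !expected.nil? && OpenSSL.fixed_length_secure_compare(a, b)
  end

  def unauthorized
    [401,
     { 'content-type' => 'text/plain', 'www-authenticate' => "Basic realm=\"#{REALM}\"" },
     ['Unauthorized']]
  end

  def plain_response(status, text)
    [status, { 'content-type' => 'text/plain' }, [text]]
  end
end

# Constructed downstream app and credential store for the demonstration.
INNER_APP = ->(env) { [200, { 'content-type' => 'text/plain' }, ["hello #{env['REMOTE_USER']}"]] }
PROTECTED = BasicAuthOverTls.new(INNER_APP, 'alice' => 'correct horse battery staple')

def basic_header(user, pass)
  'Basic ' + ["#{user}:#{pass}"].pack('m0')
end

# Builds a minimal Rack env and runs it through the protected app.
def auth_request(scheme:, authorization: nil)
  env = { 'rack.url_scheme' => scheme, 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' }
  env['HTTP_AUTHORIZATION'] = authorization if authorization
  PROTECTED.call(env)
end

if __FILE__ == $PROGRAM_NAME
  good = basic_header('alice', 'correct horse battery staple')
  p auth_request(scheme: 'http', authorization: good).first  # 403: right password, wrong transport
  p auth_request(scheme: 'https').first                      # 401: no credentials
  p auth_request(scheme: 'https', authorization: basic_header('alice', 'wrong')).first # 401
  p auth_request(scheme: 'https', authorization: good)       # 200, body "hello alice"
end
```

In a real deployment the TLS check is usually done once at the edge (redirect or reject plaintext before any auth middleware runs) rather than per middleware, but keeping it next to the credential check makes the dependency that ioquatix describes explicit: without TLS, Basic auth protects nothing.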

Removed by #2361.

ninoseki avatar Oct 26 '23 00:10 ninoseki

Nice work team!

ioquatix avatar Oct 26 '23 02:10 ioquatix