HTTP Digest authentication support #131
base: trunk
…iple_calls test case
Codecov Report
@@ Coverage Diff @@
## master #131 +/- ##
==========================================
- Coverage 98.86% 97.92% -0.94%
==========================================
Files 26 26
Lines 2285 2510 +225
Branches 165 183 +18
==========================================
+ Hits 2259 2458 +199
- Misses 14 32 +18
- Partials 12 20 +8
851f517 to e749665
treq/auth.py
Outdated
return hashlib.sha1(x).hexdigest() | ||
|
||
|
||
def build_digest_authentication_header(agent, **kwargs): |
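Review bot: `build_digest_authentication_header(agent, **kwargs)` takes its digest inputs through `**kwargs`, so a missing or misspelled field is only caught when it is looked up inside the function; name the required parameters explicitly in the signature. The `hashlib.sha1(x).hexdigest()` helper above it returns text on Python 3, so its result needs encoding before it is joined with byte-string header fields.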
This shouldn't be public, if it needs to share data with the agent it should probably just be a private method on the agent.
The tests fail on Python 3, looks like you're trying to use a str as the header instead of a bytes.
…equestDigestAuthenticationAgent without kwargs
@dreid How would I go about fixing the issue with the header being a str instead of bytes? I'm having trouble debugging that.
treq/auth.py
Outdated
# We support only "auth" QoP as defined in rfc-2617 or rfc-2069 | ||
raise UnknownQopForDigestAuth(digest_authentication_params['qop']) | ||
digest_authentication_header = self._build_digest_authentication_header( | ||
self, |
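Review bot: the comment above the `raise UnknownQopForDigestAuth(...)` line cites rfc-2069 for the "auth" QoP, but the `qop` directive was introduced in RFC 2617 and RFC 2069 has none. Reword it to say that only `qop=auth` from RFC 2617 is supported, and state separately what the code does when the challenge carries no `qop` at all (the RFC 2069 form).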
This self (and the agent argument in _build_digest_authentication_header) are redundant.
Start by using byte strings (
@dreid I think I've got everything converted to using byte strings, now I'm getting 401 errors instead (I verified against a production server to confirm it's not just the tests that are failing) for python 3. Any idea what might be causing authentication to fail?
087edb7 to 259a059
Thank you for reviving this! I did just a quick skim, no verification of the algorithms. I'm not feeling well so sorry if my comments are terse, but I wanted to get you some quick feedback.
@@ -71,7 +71,7 @@ Here is a list of `requests`_ features and their status in treq. | |||
+----------------------------------+----------+----------+ | |||
| Basic Authentication | yes | yes | | |||
+----------------------------------+----------+----------+ | |||
| Digest Authentication | yes | no | | |||
| Digest Authentication | yes | yes | |
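Review bot: the "Digest Authentication" row changes to "yes" with no qualifier. If only part of the scheme is implemented (a code comment elsewhere in this change says only the "auth" QoP is supported), add a footnote to the table listing the supported `qop` values and algorithms so the row does not overstate parity with requests.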
🎉
…remove nested indexing
Sorry, I still have a few concerns about security here that I want to make sure are addressed in a comment or something. And we should really avoid adding new magic byte sequences without an accompanying Enum somewhere so that callers can type-check their invocations.
a947a7e to 4283a72
4283a72 to 12c0739
e147851 to 4a8e463
a8b0f48 to 99a0532
I refactored the header builder based on the latest version in requests so it shouldn't be any worse than that version and appears to be unlikely to be a viable attack vector in practice here in general.
I changed algorithm to use an
@glyph Merge conflicts fixed.
Thanks for updating this @jameshilliard !
@glyph Is this good to merge now?
This is basically just #111 cherry-picked with merge conflicts fixed and POST Digest Authentication fixed.
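
The byte-string and request-method concerns raised in this thread, shown as an added example that is not code from this pull request or from treq: a bytes-only RFC 2617 `qop=auth` response calculation checked against the worked example in RFC 2617. The function names are hypothetical, and MD5 is assumed because it is the RFC's default algorithm.

```python
import hashlib


def _md5_hex(data: bytes) -> bytes:
    # Hex digest returned as bytes so it can be joined with other byte fields.
    return hashlib.md5(data).hexdigest().encode("ascii")


def digest_response(method, uri, username, realm, password,
                    nonce, nc, cnonce, qop=b"auth"):
    """RFC 2617 request-digest for algorithm=MD5 and qop=auth (hypothetical helper)."""
    fields = (method, uri, username, realm, password, nonce, nc, cnonce, qop)
    if not all(isinstance(f, bytes) for f in fields):
        # Refuse str early instead of letting it leak into the hash input.
        raise TypeError("all digest inputs must be bytes")
    if qop != b"auth":
        raise ValueError("only qop=auth is handled in this example")
    ha1 = _md5_hex(b":".join([username, realm, password]))
    # The request method is part of A2, so GET and POST give different responses.
    ha2 = _md5_hex(b":".join([method, uri]))
    return _md5_hex(b":".join([ha1, nonce, nc, cnonce, qop, ha2]))


# Inputs taken from the worked example in RFC 2617.
RFC2617 = dict(
    uri=b"/dir/index.html", username=b"Mufasa", realm=b"testrealm@host.com",
    password=b"Circle Of Life", nonce=b"dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc=b"00000001", cnonce=b"0a4f113b",
)


def str_bytes_mixup(method: bytes, uri: bytes) -> bytes:
    # Python 3 pitfall: %-formatting bytes into a str embeds the b'...' repr,
    # so A2 becomes "b'GET':b'/dir/index.html'" and the server's hash will not match.
    return _md5_hex(("%s:%s" % (method, uri)).encode("ascii"))


if __name__ == "__main__":
    print(digest_response(b"GET", **RFC2617).decode("ascii"))
    print(digest_response(b"POST", **RFC2617).decode("ascii"))
```

A response built from the mixed-up A2 is one way a client can produce a well-formed header that the server still rejects; whether that was the cause of the 401s reported above is not established by the thread.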