angular-digest-auth
WWW-Authenticate challenge may be parsed incorrectly
In my project I am using angular-digest-auth to talk to a Restlet 2.3 based webserver (Java 7).
The authentication would not work correctly. It would always be rejected, even with the correct credentials.
I tracked this down and discovered a discarded exception in the Restlet server. This showed that the reason was that the response to the challenge sent by angular-digest-auth was incorrect - the server expected a nonce which matched the one it sent, and was a valid base64 encoding (which means it must be the correct length).
Checking the angular-digest-auth code, I noticed that the parseHeader() function's regex did not permit = characters in the values, which is what base64 uses to pad an encoded string to the required length. In fact the regex discarded the trailing = characters silently.
An example of the challenge sent by Restlet:
Digest realm="redacted realm", domain="/", nonce="MTQ0NzE3NDIzNjA2ODpmMzIxZTgzyzczYjq5NjU2ZDcyZGY3OTYxMjhiNGViYQ==", algorithm=MD5, qop="auth"
A trivial fix is possible just by permitting this character, but inspecting the regex I see it would not cope with other legal challenges. In particular, any empty parameter value would not get parsed correctly, nor any unquoted values, nor quoted values containing a comma or a quote character. Not to mention multiple challenges embedded in one header.
See https://tools.ietf.org/html/rfc2617#section-1.2 and https://tools.ietf.org/html/rfc2616#section-2.1
I have a fix with tests prepared, see the upcoming pull request branch wu-lee/issue-21