
Unable to get it working, missing response header

Open hallard opened this issue 6 years ago • 2 comments

I tried to implement this authentication without any success. First I tried the HTML code as follows:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <title>Test</title>
  <script src="js/jquery-2.1.3.min.js"></script>
  <script type="text/javascript" src="js/md5.js"></script>
  <script type="text/javascript" src="js/digestAuthRequest.min.js"></script>
</head>
<body>

<h1>DigestAuthRequest.js test</h1>
<p id="result">Requesting...</p>
<p id="data"></p>

<script type="text/javascript">
window.onload = function() {
  // httpbin's digest endpoint: /digest-auth/<qop>/<user>/<passwd>/<algorithm>/<stale_after>
  var url = 'https://httpbin.org/digest-auth/auth/user/passwd/MD5/never';
  var req = new digestAuthRequest('GET', url, 'user', 'passwd');

  req.request(function(data) {
    // success callback: data is the parsed JSON body of the 200 response
    console.log('Data retrieved successfully');
    console.log(data);
    document.getElementById('result').textContent = 'Data retrieved successfully';
    // textContent rather than innerHTML so server-supplied text is never parsed as markup
    document.getElementById('data').textContent = JSON.stringify(data);
  }, function(errorCode) {
    // error callback: errorCode is the HTTP status (or 0 when the request never completed)
    console.log('no dice: ' + errorCode);
    document.getElementById('result').textContent = 'Error: ' + errorCode;
  });
};
</script>
</body>
</html>

I added some debug info to the JS code, and it looks like we don't have all the response headers from the XMLHttpRequest (I tried two servers with different apps, same issue). We just have content-type.


And if I do the same thing with curl, it works:

 curl -D - --digest -u "user:passwd" 'https://httpbin.org/digest-auth/auth/user/passwd/MD5/never'

HTTP/1.1 401 UNAUTHORIZED
Connection: keep-alive
Server: gunicorn/19.9.0
Date: Tue, 08 Jan 2019 18:58:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Www-Authenticate: Digest realm="[email protected]", nonce="0e1032dd304a0e45bec4bca942d2a940", qop="auth", opaque="873548f6f2e529e6080d97fb3c54a040", algorithm=MD5, stale=FALSE
Set-Cookie: stale_after=never; Path=/
Set-Cookie: fake=fake_value; Path=/
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Via: 1.1 vegur

HTTP/1.1 200 OK
Connection: keep-alive
Server: gunicorn/19.9.0
Date: Tue, 08 Jan 2019 18:58:03 GMT
Content-Type: application/json
Content-Length: 47
Set-Cookie: fake=fake_value; Path=/
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Via: 1.1 vegur

{
  "authenticated": true,
  "user": "user"
}

Any idea what I'm doing wrong?

hallard avatar Jan 08 '19 19:01 hallard

I found a couple things:

  1. the behavior of getAllResponseHeaders() in Chrome since v60 is a little weird and
  2. you may need to add 'Access-Control-Expose-Headers: www-authenticate' to your server for this to work in the browser

That would explain why it's working in curl, because curl has no CORS restrictions, you get all the headers, but with browsers becoming more and more security-y, they make things harder for us web devs.

inorganik avatar Jan 08 '19 21:01 inorganik

I am experiencing the same CORS restriction. One (local) solution would be to disable this in Chrome.

https://stackoverflow.com/a/43881141/7886100

I would like to see how to use digest auth programmatically and overcome Chrome's CORS restrictions. 👍


ozett avatar Dec 08 '19 12:12 ozett