
Nonce and Realm are Required for Digest Authentication

Open · khajavi opened this issue 4 months ago · 1 comment

Here are a few suggestions to make the digest's www-authentication header more robust, based on what I interpreted from RFC 7616:

  1. nonce is required
  2. realm is required
  3. qop is a nonempty list, which at least contains 'auth' as qop

https://github.com/zio/zio-http/blob/1e2f80d3f9c0fe95f89f0fd6e2c3b222e93fca0e/zio-http/shared/src/main/scala/zio/http/Header.scala#L4574-L4586

khajavi, Aug 05 '25 08:08
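The three rules in the issue can be enforced at the type level rather than documented. The following Python module is an added example written for this thread, not zio-http code: it models a Digest challenge as a value that cannot exist without `realm`, `nonce` and a non-empty `qop` containing `auth`, and its parser rejects a `WWW-Authenticate` value that lacks them instead of silently defaulting. All names (`DigestChallenge`, `parse_digest_challenge`, `challenge_error`, `new_challenge`) are this example's own; the sample headers are constructed.

```python
"""Strict model of an RFC 7616 Digest challenge (WWW-Authenticate value).

Added example for the zio-http issue above; not the project's code. It enforces
the three rules the issue lists: realm and nonce are required, and qop is a
non-empty list that contains "auth". Every name here is this example's own.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# One auth-param: token "=" (quoted-string | token), followed by "," or end of input.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9_-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)'
)
_VALID_QOP = {"auth", "auth-int"}


@dataclass
class DigestChallenge:
    realm: str
    nonce: str
    qop: list[str] = field(default_factory=lambda: ["auth"])
    algorithm: str = "SHA-256"
    opaque: Optional[str] = None

    def __post_init__(self) -> None:
        # Constructing an invalid challenge is impossible, not merely discouraged.
        if not self.realm:
            raise ValueError("realm is required and must be non-empty")
        if not self.nonce:
            raise ValueError("nonce is required and must be non-empty")
        if not self.qop or "auth" not in self.qop:
            raise ValueError("qop must be a non-empty list containing 'auth'")
        unknown = set(self.qop) - _VALID_QOP
        if unknown:
            raise ValueError(f"unknown qop value(s): {sorted(unknown)}")

    def to_header(self) -> str:
        parts = [
            f'realm="{_quote(self.realm)}"',
            f'nonce="{_quote(self.nonce)}"',
            f'qop="{",".join(self.qop)}"',
            f"algorithm={self.algorithm}",
        ]
        if self.opaque is not None:
            parts.append(f'opaque="{_quote(self.opaque)}"')
        return "Digest " + ", ".join(parts)


def _quote(value: str) -> str:
    """Escape a value for use inside a quoted-string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def new_challenge(realm: str, qop: Optional[list[str]] = None) -> DigestChallenge:
    """Server side: mint a fresh, unpredictable nonce for every challenge."""
    return DigestChallenge(realm=realm, nonce=secrets.token_urlsafe(24), qop=qop or ["auth"])


def parse_digest_challenge(header: str) -> DigestChallenge:
    """Parse a WWW-Authenticate value; reject it if required parameters are missing."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest challenge: scheme={scheme!r}")
    params: dict[str, str] = {}
    pos, rest = 0, rest.strip()
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:pos + 20]!r}")
        name = m.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate parameter {name!r}")
        quoted, token = m.group(2), m.group(3)
        # Undo backslash escaping inside quoted-strings; bare tokens are taken as-is.
        params[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        pos = m.end()
    try:
        realm, nonce = params["realm"], params["nonce"]
    except KeyError as e:
        raise ValueError(f"required parameter {e.args[0]!r} is missing") from None
    qop = [q.strip() for q in params.get("qop", "").split(",") if q.strip()]
    return DigestChallenge(
        realm=realm,
        nonce=nonce,
        qop=qop,
        algorithm=params.get("algorithm", "MD5"),  # RFC 7616: MD5 assumed when absent
        opaque=params.get("opaque"),
    )


def challenge_error(header: str) -> Optional[str]:
    """Return None for a valid challenge, otherwise the reason it was rejected."""
    try:
        parse_digest_challenge(header)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed samples: the first is complete, the second omits nonce and is refused.
    print(challenge_error('Digest realm="api@example", nonce="abc123", qop="auth"'))
    print(challenge_error('Digest realm="api@example", qop="auth"'))
    print(new_challenge("api@example").to_header())
```

The point of putting the checks in `__post_init__` is that a server handler building the header and a client parsing it share one invariant: neither side can produce or accept a challenge without `realm`, `nonce` and a usable `qop`, which is what the issue asks for at the type level.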

I am not sure about qop but the other two while not modeled precisely can still be used correctly. I will mark this as an improvement for 4.x, to make this a breaking and clean change rather than doing something hacky.

987Nabil, Aug 05 '25 09:08