Digest Auth Fails about needle HOT 12 CLOSED

That's odd. Why does the nc need to be changed?

from needle.

Actually, it doesn't look like that is the problem now. Apologies for logging the issue prematurely. I went into the .npm/needle/0.7.2/package/lib/auth and changed the value to 0 as suggested. I ran it and it worked for the first time.

I am using Meteor to put some images to moodstock. I initially used http-digest-client to test the api, and it worked, but I needed to upload images so wanted to use needle. Unfortunately, where http-digest-client is working, needle is failing. Here is the code that is failing on needle, but working ondigest-client. Note this is just the echo service of moodstock, and the error returned is an 'Internal server error'

FAILING

var needle = Meteor.require('needlefix'); 
var options = {
    username: settings.moodstockApiKey,
    password: settings.moodstockApiSecret,
    auth: 'digest'    
};
needle.get('http://api.moodstocks.com/v2/echo/?hello=someone&moodstocks=working', options,
        function(err, resp, body) {
            if (!err)
                console.log(resp);
        });

WORKING

digest = Meteor.require('http-digest-client')(settings.moodstockApiKey, settings.moodstockApiSecret, false);
digest.request({
        host: 'api.moodstocks.com',
        path: '/v2/echo/?hello=someone&moodstocks=working',
        port: 80,
        method: 'GET'
    }, function(res) {
        res.on('data', function(data) {
            console.log(data.toString());
        });
        res.on('error', function(err) {
            console.log('oh noes');
        });
    });

This could be a problem with needle, but might be an issue with moodstock? Either way, odd it works for one, and not the other. I can post up key and secret if that will help, otherwise you could signup for free account.

from needle.

Ok, thanks for the update. I'll take a look at http-digest-client and see if there's anything we need to fix.

from needle.

Ok, finally took the time to check the http-digest-client library. It looks like it's not working either for them:

var digest = require('http-digest-client')('user', 'passwd');

digest.request({
  host: 'httpbin.org',
  path: '/digest-auth/test/user/passwd',
  port: 80,
  method: 'GET',
}, function (res) {
  console.log('Got status code:' + res.statusCode);

  res.on('data', function (data) {
    console.log(data.toString());
  });
  res.on('error', function (err) {
    console.log('oh noes');
  });
});

I'm using httpbin.org to do the tests and I keep getting 401's. Any ideas?

from needle.

Same issue here. Is there any workaround ?

from needle.

Not still. I haven't been able to find a working implementation of the digest auth among the node libraries. If you find one, please let me know so we can get this fixed!

from needle.

Have there been any updates on this? I'd love to get the digest auth working

from needle.

Needle seems to use lowercase request method values when using the .get(), .put(), post(), etc functions. The request method is used to calculate part of the hash used in the digest challenge response, shown here from Auth.js.

Line 68: ha2 = md5(method + ':' + path),

Most web servers I know report the request method in uppercase (we're using PHP's $_SERVER['REQUEST_METHOD'] global). This case difference is causing a mismatch in the challenge response, and therefore failing authentication.

A quick fix to test this theory is to change the request call from from needle.get(...) to needle.request('GET', ...). Needle will pass that uppercase method through to the hashing function, which results in a matching challenge response (at least in my testing). So for the above example, you might try altering your code to this and see if it works.

var needle = Meteor.require('needlefix'); 
var options = {
    username: settings.moodstockApiKey,
    password: settings.moodstockApiSecret,
    auth: 'digest'    
};
needle.request('GET', 'http://api.moodstocks.com/v2/echo/?hello=someone&moodstocks=working', options,
        function(err, resp, body) {
            if (!err)
                console.log(resp);
        });

After making this change, I was able to successfully authenticate using digest auth.

from needle.

This is great news. I'll try it out in a sec.

from needle.

Ok so after chaging the method to uppercase letters in lib/auth.js, the above example against httpbin still didn't work. I revised the header parsing and some other things and eventually got it to work against the test endpoint at test.webdav.org.

var needle = require('..');
var opts = {
  username: 'user1', 
  password: 'user1',
  auth: 'digest'
}

needle.get('http://test.webdav.org/auth-digest/', opts, function(err, resp) {
  if (resp.statusCode == 401)
    console.log('Nope')
  else
    console.log('Yep!')
})

This is currently on the digest-auth-fixes branch. @montanajob can you try and see if using that code it (still) works so I get it merged to master?

And thanks again!

from needle.

And I finally figured out the reason why the test against httpbin wasn't working. Turns out they expect cookies to be returned (which isn't actually part of the spec).

from needle.

Yes, the digest-auth-fixes branch still works for me. Thanks for the fix.

from needle.