Fixed the 'HTTPDigestAuthentication' class of the v1 and v2 to work w…

…ith the level 0 of the digest authentication
OpenMarshal · Jul 15, 2017 · 6247297 · 6247297
1 parent 7d2cab0
commit 6247297
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 41 deletions.
diff --git a/lib/user/authentication/HTTPDigestAuthentication.js b/lib/user/authentication/HTTPDigestAuthentication.js
@@ -31,14 +31,10 @@ var HTTPDigestAuthentication = (function () {
             });
         };
         var authHeader = arg.findHeader('Authorization');
-        if (!authHeader) {
-            onError(Errors_1.Errors.MissingAuthorisationHeader);
-            return;
-        }
-        if (!/^Digest (\s*[a-zA-Z]+\s*=\s*(("(\\"|[^"])+")|([^,\s]+))\s*(,|$))+$/.test(authHeader)) {
-            onError(Errors_1.Errors.WrongHeaderFormat);
-            return;
-        }
+        if (!authHeader)
+            return onError(Errors_1.Errors.MissingAuthorisationHeader);
+        if (!/^Digest (\s*[a-zA-Z]+\s*=\s*(("(\\"|[^"])+")|([^,\s]+))?\s*(,|$))+$/.test(authHeader))
+            return onError(Errors_1.Errors.WrongHeaderFormat);
         authHeader = authHeader.substring(authHeader.indexOf(' ') + 1); // remove the authentication type from the string
         var authProps = {};
         var rex = /([a-zA-Z]+)\s*=\s*(?:(?:"((?:\\"|[^"])+)")|([^,\s]+))/g;
@@ -47,18 +43,26 @@ var HTTPDigestAuthentication = (function () {
             authProps[match[1]] = match[3] ? match[3] : match[2];
             match = rex.exec(authHeader);
         }
-        if (!(authProps.username && authProps.nonce && authProps.nc && authProps.cnonce && authProps.qop && authProps.response)) {
-            onError(Errors_1.Errors.AuenticationPropertyMissing);
-            return;
-        }
+        if (!(authProps.username && authProps.nonce && authProps.response))
+            return onError(Errors_1.Errors.AuenticationPropertyMissing);
+        if (!authProps.algorithm)
+            authProps.algorithm = 'MD5';
         userManager.getUserByName(authProps.username, function (e, user) {
-            if (e) {
-                onError(e);
-                return;
-            }
+            if (e)
+                return onError(e);
             var ha1 = md5(authProps.username + ':' + _this.realm + ':' + (user.password ? user.password : ''));
-            var ha2 = md5(arg.request.method.toString().toUpperCase() + ':' + arg.uri);
-            var result = md5(ha1 + ':' + authProps.nonce + ':' + authProps.nc + ':' + authProps.cnonce + ':' + authProps.qop + ':' + ha2);
+            if (authProps.algorithm === 'MD5-sess')
+                ha1 = md5(ha1 + ':' + authProps.nonce + ':' + authProps.cnonce);
+            var ha2;
+            if (authProps.qop === 'auth-int')
+                return onError(Errors_1.Errors.WrongHeaderFormat); // ha2 = md5(ctx.request.method.toString().toUpperCase() + ':' + ctx.requested.uri + ':' + md5(...));
+            else
+                ha2 = md5(arg.request.method.toString().toUpperCase() + ':' + arg.uri);
+            var result;
+            if (authProps.qop === 'auth-int' || authProps.qop === 'auth')
+                result = md5(ha1 + ':' + authProps.nonce + ':' + authProps.nc + ':' + authProps.cnonce + ':' + authProps.qop + ':' + ha2);
+            else
+                result = md5(ha1 + ':' + authProps.nonce + ':' + ha2);
             if (result.toLowerCase() === authProps.response.toLowerCase())
                 callback(Errors_1.Errors.None, user);
             else

diff --git a/lib/user/v2/authentication/HTTPDigestAuthentication.js b/lib/user/v2/authentication/HTTPDigestAuthentication.js
@@ -44,7 +44,7 @@ var HTTPDigestAuthentication = (function () {
             authProps[match[1]] = match[3] ? match[3] : match[2];
             match = rex.exec(authHeader);
         }
-        if (!(authProps.username && authProps.nonce && authProps.nc && authProps.cnonce && authProps.response))
+        if (!(authProps.username && authProps.nonce && authProps.response))
             return onError(Errors_1.Errors.AuenticationPropertyMissing);
         if (!authProps.algorithm)
             authProps.algorithm = 'MD5';

diff --git a/src/user/authentication/HTTPDigestAuthentication.ts b/src/user/authentication/HTTPDigestAuthentication.ts
@@ -42,15 +42,9 @@ export class HTTPDigestAuthentication implements HTTPAuthentication
 
         let authHeader = arg.findHeader('Authorization')
         if(!authHeader)
-        {
-            onError(Errors.MissingAuthorisationHeader)
-            return;
-        }
-        if(!/^Digest (\s*[a-zA-Z]+\s*=\s*(("(\\"|[^"])+")|([^,\s]+))\s*(,|$))+$/.test(authHeader))
-        {
-            onError(Errors.WrongHeaderFormat);
-            return;
-        }
+            return onError(Errors.MissingAuthorisationHeader);
+        if(!/^Digest (\s*[a-zA-Z]+\s*=\s*(("(\\"|[^"])+")|([^,\s]+))?\s*(,|$))+$/.test(authHeader))
+            return onError(Errors.WrongHeaderFormat);
 
         authHeader = authHeader.substring(authHeader.indexOf(' ') + 1); // remove the authentication type from the string
 
@@ -64,22 +58,30 @@ export class HTTPDigestAuthentication implements HTTPAuthentication
             match = rex.exec(authHeader);
         }
 
-        if(!(authProps.username && authProps.nonce && authProps.nc && authProps.cnonce && authProps.qop && authProps.response))
-        {
-            onError(Errors.AuenticationPropertyMissing);
-            return;
-        }
+        if(!(authProps.username && authProps.nonce && authProps.response))
+            return onError(Errors.AuenticationPropertyMissing);
+        if(!authProps.algorithm)
+            authProps.algorithm = 'MD5';
 
         userManager.getUserByName(authProps.username, (e, user) => {
             if(e)
-            {
-                onError(e);
-                return;
-            }
+                return onError(e);
 
-            const ha1 = md5(authProps.username + ':' + this.realm + ':' + (user.password ? user.password : ''));
-            const ha2 = md5(arg.request.method.toString().toUpperCase() + ':' + arg.uri);
-            const result = md5(ha1 + ':' + authProps.nonce + ':' + authProps.nc + ':' + authProps.cnonce + ':' + authProps.qop + ':' + ha2);
+            let ha1 = md5(authProps.username + ':' + this.realm + ':' + (user.password ? user.password : ''));
+            if(authProps.algorithm === 'MD5-sess')
+                ha1 = md5(ha1 + ':' + authProps.nonce + ':' + authProps.cnonce);
+
+            let ha2;
+            if(authProps.qop === 'auth-int')
+                return onError(Errors.WrongHeaderFormat); // ha2 = md5(ctx.request.method.toString().toUpperCase() + ':' + ctx.requested.uri + ':' + md5(...));
+            else
+                ha2 = md5(arg.request.method.toString().toUpperCase() + ':' + arg.uri);
+
+            let result;
+            if(authProps.qop === 'auth-int' || authProps.qop === 'auth')
+                result = md5(ha1 + ':' + authProps.nonce + ':' + authProps.nc + ':' + authProps.cnonce + ':' + authProps.qop + ':' + ha2);
+            else
+                result = md5(ha1 + ':' + authProps.nonce + ':' + ha2);
 
             if(result.toLowerCase() === authProps.response.toLowerCase())
                 callback(Errors.None, user);

diff --git a/src/user/v2/authentication/HTTPDigestAuthentication.ts b/src/user/v2/authentication/HTTPDigestAuthentication.ts
@@ -58,7 +58,7 @@ export class HTTPDigestAuthentication implements HTTPAuthentication
             match = rex.exec(authHeader);
         }
 
-        if(!(authProps.username && authProps.nonce && authProps.nc && authProps.cnonce && authProps.response))
+        if(!(authProps.username && authProps.nonce && authProps.response))
             return onError(Errors.AuenticationPropertyMissing);
         if(!authProps.algorithm)
             authProps.algorithm = 'MD5';