Ensure HTTP Digest auth uses appropriate HTTP method [#2490 state:resolved] [Steve Madsen]
This commit is contained in:
parent
28f5cfe066
commit
195fadbfd3
@ -194,9 +194,10 @@ def validate_digest_response(request, realm, &password_procedure)
|
||||
|
||||
if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
|
||||
password = password_procedure.call(credentials[:username])
|
||||
method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
|
||||
|
||||
[true, false].any? do |password_is_ha1|
|
||||
expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
|
||||
expected = expected_response(method, request.env['REQUEST_URI'], credentials, password, password_is_ha1)
|
||||
expected == credentials[:response]
|
||||
end
|
||||
end
|
||||
|
@ -149,6 +149,16 @@ def authenticate_with_request
|
||||
assert_equal 'Definitely Maybe', @response.body
|
||||
end
|
||||
|
||||
test "authentication request with _method" do
|
||||
@request.env['HTTP_AUTHORIZATION'] = encode_credentials(:username => 'pretty', :password => 'please', :method => :post)
|
||||
@request.env['rack.methodoverride.original_method'] = 'POST'
|
||||
put :display
|
||||
|
||||
assert_response :success
|
||||
assert assigns(:logged_in)
|
||||
assert_equal 'Definitely Maybe', @response.body
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def encode_credentials(options)
|
||||
@ -159,15 +169,22 @@ def encode_credentials(options)
|
||||
# to prevent tampering of timestamp
|
||||
ActionController::Base.session_options[:secret] = "session_options_secret"
|
||||
|
||||
# Perform unauthenticated GET to retrieve digest parameters to use on subsequent request
|
||||
get :index
|
||||
# Perform unauthenticated request to retrieve digest parameters to use on subsequent request
|
||||
method = options.delete(:method) || 'GET'
|
||||
|
||||
case method.to_s.upcase
|
||||
when 'GET'
|
||||
get :index
|
||||
when 'POST'
|
||||
post :index
|
||||
end
|
||||
|
||||
assert_response :unauthorized
|
||||
|
||||
credentials = decode_credentials(@response.headers['WWW-Authenticate'])
|
||||
credentials.merge!(options)
|
||||
credentials.reverse_merge!(:uri => "#{@request.env['REQUEST_URI']}")
|
||||
ActionController::HttpAuthentication::Digest.encode_credentials("GET", credentials, password, options[:password_is_ha1])
|
||||
ActionController::HttpAuthentication::Digest.encode_credentials(method, credentials, password, options[:password_is_ha1])
|
||||
end
|
||||
|
||||
def decode_credentials(header)
|
||||
|
Loading…
Reference in New Issue
Block a user