2

I am working on creating an API for my ruby application that authenticates users based on HTTP Digest Authentication. I decided to use the Grape API library because it makes creating an API cleaner in ruby. The Grape documentation states that you can use Digest Authentication like:

http_digest({ :realm => 'Test Api', :opaque => 'app secret' }) do |username|
  # lookup the user's password here
  { 'user1' => 'password1' }[username]
end

The Grape implementation above is a wrapper for Rack::Auth::Digest::MD5

Now also for security i read that as of RFC 2617 you don't need to store the password as plain text in the database you store an MD5 digest of the username:realm:password and authticate against that so i created a DataMapper model:

class Key
  include DataMapper::Resource

  property :id,              Serial

  property :username,        String
  property :password,        String

  property :active,          Boolean, :default => true
  property :created_at,      DateTime, :default => DateTime.now
  property :updated_at,      DateTime
end

Now with what I provided, I am lost as to how to connect these two and make it work.

ny95
  • 680
  • 5
  • 17

1 Answers1

3

Unfortunately, Rack::Auth::Digest::MD5 expects a plaintext password on the server side.

The Grape example code shows a hard-coded lookup of password.

You could replace { 'user1' => 'password1' }[username] with 

Key.first( :username => username ).password

provided you stored plaintext passwords in the Key class. You could store these reversibly-encrypted I suppose, although that doesn't add much security unless you construct relatively complex/costly schemes for key management.

Not sure if there is a way around this that would let you store hashed passwords. MD5 isn't the most secure hashing choice (although better than nothing!). If security is an important concern for your API, you will want to look beyond digest auth - using https would help, for example.

Edit: Following a bit of to-and-fro in discussions, the following variation of Grape's example does allow you to store the MD5'd password:

auth :http_digest, { :realm => { :realm => 'Llama', :passwords_hashed => true, :opaque => "7302c32d39bbacb5ed0ace096723fd" } } do |username|
  Digest::MD5.hexdigest( 'fred:Llama:654321' )
end

The example gives a hard-coded username:'fred', password:'654321' response. So I think your target code is something like:

auth :http_digest, { :realm => { :realm => 'Llama', :passwords_hashed => true, :opaque => "7302c32d39bbacb5ed0ace096723fd" } } do |username|
  k = Key.first( :username => username )
  k ? k.password : nil
end

And you store the result of Digest::MD5.hexdigest( "#{username}:#{realm}:#{password}" ) in each user's password property.

Note the double-level hash with :realm twice. This is a bit hacky, but at least you don't have to write your own middleware, Grape is still dealing with it. This is not a documented feature of Grape or covered with tests, so may not work in future versions.

Neil Slater
  • 26,512
  • 6
  • 76
  • 94
  • After looking around [Rack Digest MD5](https://github.com/rack/rack/blob/master/lib/rack/auth/digest/md5.rb) I figured out that if `attr_writer :passwords_hashed` is set to `true` then it will accept an already hashed password in the format `username:realm:password` which is good but im having trouble setting that property from the Grape API wrapper. Any suggestions? – ny95 Apr 05 '13 at 14:16
  • Looking through Grape code, you could maybe feed a hash to the `:realm` symbol, containing `:realm, :opaque, :passwords_hashed` keys . . . not documented or tested in Grape though, so a bit of a back door to what you want. I tested it, but it didn't work for me. – Neil Slater Apr 05 '13 at 15:03
  • Im going to try and see what happens also, for the opaque value, does it matter what it is, can i just set it to `SecureRandom.hex(15)` for example? – ny95 Apr 05 '13 at 15:10
  • Not entirely sure what `:opaque` does, examples just show client reflecting it back to server. However, I just tried on a mini Grape app on my computer and your suggestion works just fine for me. – Neil Slater Apr 05 '13 at 15:14
  • Ok thanks, I'm looking through the grape api and rack source but i am very lost as to where to add the modification. – ny95 Apr 05 '13 at 15:24
  • In Grape, the rack digest layer is set up (in build_middleware / endpoint.rb) as `use Rack::Auth::Digest::MD5, settings[:auth][:realm], settings[:auth][:opaque], &settings[:auth][:proc]` and in `Rack::Auth::Digest::MD5` the value of `:realm` is unpacked like this: `realm, opaque, @passwords_hashed = realm.values_at :realm, :opaque, :passwords_hashed` . . . but I just get a rack error when I make :realm key point to a hash. – Neil Slater Apr 05 '13 at 15:32
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/27650/discussion-between-cristian-rivera-and-neil-slater) – ny95 Apr 05 '13 at 15:37
  • It would be great if someone could update Grape README with a more complete Digest example. Thanks. – dB. Apr 14 '13 at 14:21