
I'm trying to implement twisted cred with HTTP Digest Authentication, and I'm having some difficulty. I was able to get it to work with checkPassword, but I don't want to store my passwords in the clear in the database, obviously.

I'm storing the MD5 of username:realm:password in my password database, and I'm calculating it using:

from twisted.cred._digest import calcHA1

def calc_ha1(self, password, username=None):
    # HA1 = MD5(username:realm:password); this is what gets stored in the
    # password database in place of the cleartext password.
    if username is None:
        username = self.avatarId

    realm = self.digest_factory.digest.authenticationRealm
    # nonce and cnonce only matter for the 'md5-sess' algorithm, hence None here.
    return calcHA1('md5', username, realm, password, None, None)

My password checker looks like this:

from sqlalchemy.orm.exc import NoResultFound
from twisted.cred import error as credError
from twisted.internet import defer

def requestAvatarId(self, credentials):
    # credentials is the DigestedCredentials object built from the Authorization header.
    username = credentials.username
    try:
        user = self.session.query(models.User).filter_by(username=username).one()
    except NoResultFound:
        return defer.fail(credError.UnauthorizedLogin("No such administrator"))

    # checkHash takes the stored HA1 and recomputes the expected response from it.
    if credentials.checkHash(user.password_hash):
        return defer.succeed(username)
    else:
        return defer.fail(credError.UnauthorizedLogin("Bad password"))

However, when checkHash computes HA2 and combines it with the HA1 that I have in the DB, it does not match what the browser is sending. I stepped through the checkHash code with a debugger and everything is operating as I would expect. Does anyone have ideas?

Thanks -s

Sameer Parekh
  • Would you consider attaching an SSCCE? Unfortunately I can't run these snippets on their own. – Glyph Mar 31 '14 at 05:19
  • Digest authentication response includes far more than just the username, realm and password. There's also client/server nonce, request count et cetera. Are those missing from the code extract? – RomanK Feb 25 '15 at 12:41
  • Which version of Python are you using? Maybe the type of user.password_hash and the hash data from the browser mismatch. – yumoqing Aug 29 '17 at 09:03
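The computation the question is about, as an added example that is not part of the original post or of Twisted: a server holding only HA1 = MD5(username:realm:password) can still verify an RFC 2617 Digest response (qop=auth), and the demo shows the check a practitioner wants, namely that the realm baked into the stored HA1 is the same realm the client used. The username, password, realm, nonce and cnonce values are constructed for the example.

```python
import hashlib
import hmac

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def calc_ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). Storing this instead of the password is
    # what the question does; note that the realm is fixed at storage time.
    return md5_hex(f"{username}:{realm}:{password}")

def calc_ha2(method: str, uri: str) -> str:
    # HA2 = MD5(method:digest-uri) for qop=auth (RFC 2617 section 3.2.2.3).
    return md5_hex(f"{method}:{uri}")

def calc_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth (RFC 2617 section 3.2.2.1).
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # What the browser sends: it has the cleartext password, so it derives HA1 itself
    # from the realm string it was challenged with.
    return calc_response(calc_ha1(username, realm, password), nonce, nc, cnonce, qop,
                         calc_ha2(method, uri))

def server_check(stored_ha1: str, fields: dict) -> bool:
    # Server side: recompute the response from the stored HA1 plus the fields echoed
    # back in the Authorization header (nonce, nc, cnonce, qop, uri) and the method.
    expected = calc_response(stored_ha1, fields["nonce"], fields["nc"], fields["cnonce"],
                             fields["qop"], calc_ha2(fields["method"], fields["uri"]))
    return hmac.compare_digest(expected, fields["response"])

# Constructed sample exchange; nonce and cnonce are placeholders, not captured traffic.
REALM = "admin@example.test"
SAMPLE = {"method": "GET", "uri": "/admin", "nonce": "c0ffee00",
          "nc": "00000001", "cnonce": "deadbeef", "qop": "auth"}
SAMPLE["response"] = client_response("sameer", REALM, "s3cret", SAMPLE["method"],
                                     SAMPLE["uri"], SAMPLE["nonce"], SAMPLE["nc"],
                                     SAMPLE["cnonce"])

def demo():
    # Stored HA1 computed with the realm the browser was challenged with: verifies.
    ok = server_check(calc_ha1("sameer", REALM, "s3cret"), SAMPLE)
    # Stored HA1 computed with a different realm string, same password: never matches,
    # because the realm is part of the HA1 input.
    wrong_realm = server_check(calc_ha1("sameer", "other-realm", "s3cret"), SAMPLE)
    return ok, wrong_realm

if __name__ == "__main__":
    print(demo())  # (True, False)
```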

0 Answers