0

I've got myself a little stuck trying to get a quick bit of HTTP Digest authentication up and running, pretty much like suggested within the guide:

Ruby on Rails Guides: Action Controller Overview > HTTP Digest Authentication

class ApplicationController < ActionController::Base
  protect_from_forgery

  USERS = { "sam" => "ruby" }

  before_filter :authenticate

private
  def authenticate
    authenticate_or_request_with_http_digest do |username|
      USERS[username]
    end
  end
end

I get prompted for a username and password although when inputting the above the authentication seems to fail and I get prompted again. So I started to dig into the code that validates the request here:

GitHub: http_authentication.rb > validate_digest_response

  def validate_digest_response(request, realm, &password_procedure)
    secret_key  = secret_token(request)
    credentials = decode_credentials_header(request)
    valid_nonce = validate_nonce(secret_key, request, credentials[:nonce])

    if valid_nonce && realm == credentials[:realm] && opaque(secret_key) == credentials[:opaque]
      password = password_procedure.call(credentials[:username])
      return false unless password

      method = request.env['rack.methodoverride.original_method'] || request.env['REQUEST_METHOD']
      uri    = credentials[:uri][0,1] == '/' ? request.fullpath : request.url

     [true, false].any? do |password_is_ha1|
       expected = expected_response(method, uri, credentials, password, password_is_ha1)
       expected == credentials[:response]
     end
    end
  end

I can't see how it is handling the password as plain text. How is password_is_ha1 being set? I'm also a little confused on how any? block is working which might not be helping :-/

Just as quick note: I know that I shouldn't really be storing passwords in plain text, and in source code like this. I'm just trying to build up an understanding and will refactor this later.

A massive thanks for all your help in advance :-D

Sam Leicester
  • 109
  • 10

1 Answers1

0

The any? method acts like collect, except it returns true the first time its block returns true. Here, it acts like a loop over the array [true, false]:

  1. The block is first run with password_is_ha1 set to true. If the block returns true, any? immediately returns true, and since this is the last statement of validate_digest_response, the method as a whole returns true.

  2. Otherwise, the block is run again with password_is_ha1 set to false. If the block returns true, any? immediately returns true, and since this is the last statement of validate_digest_response, the method as a whole returns true.

  3. If neither of those runs returned true, any? returns false. Since this is the last statement of validate_digest_response, the method as a whole returns false.

Thus, the effect of that line is to first assume it's a hashed password and check if it's valid, then assume it's a plaintext password and check if it's valid. Another, more verbose, way to write it would have been:

   expected = expected_response(method, uri, credentials, password, true)
   return true if expected == credentials[:response]

   expected = expected_response(method, uri, credentials, password, false)
   return true if expected == credentials[:response]

   return false
Becca Royal-Gordon
  • 17,541
  • 7
  • 56
  • 91