HTTP Digest Authentication PUT DELETE problem. Bug?

Hi all,

I’ve got a problem with HTTP Digest Authentication after upgrading
Rails to 2.3.2.
It seems that it is broken for the PUT and DELETE request methods.
Here is what I did:

  1. Generate new rails app in rails 2.3.2
  2. Added sample scaffold model Post name:string
  3. Added simple HTTP Digest Authentication filter to application
    controller:

|----------------code----------------- |
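# Sample credentials: login => password
USERS = { 'lifo' => 'world', 'pretty' => 'please', 'a' => 'b' }

before_filter :digest_authenticate

# Return the password for the submitted login; an unknown login
# yields nil and fails authentication
def digest_authenticate
  authenticate_or_request_with_http_digest do |login|
    USERS[login]
  end
end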
|---------------- code -----------------|

It works fine for the index, new, create and show actions, but for destroy
(DELETE) and update (PUT) the htaccess popup appears and doesn’t allow me to
update or delete (of course I put in the correct login/password data :))

Have you also got a problem with this?
I’ve reviewed action_pack source code and it seems that in lines:
http://github.com/rails/rails/blob/18eb80ccc7e932f9a6c00462ceaeea648631b120/actionpack/lib/action_controller/http_authentication.rb (197, 198)

expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
expected == credentials[:response]

there are different values generated for PUT and DELETE request
method.

Regards

Grzesiek F.

I’ve run into the same problem. GET and POST work fine, but PUT and
DELETE repeatedly ask for login information and never succeed.

This is a bug in Rails 2.3.2. I’ve created a Lighthouse ticket for it
(#2490) and created a patch that fixes it. It will probably help get
the fix into a release if others acknowledge the problem and can
verify my patch fixes it for them.

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/2490-http-digest-auth-uses-wrong-request-method-for-put-delete#ticket-2490-1
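
Why a method mismatch makes the comparison quoted in the first post fail, as an added example (not code from the posts or from Rails): the RFC 2617 response hash covers the request method, so a client that hashed one method and a server that verifies with another never agree. The realm, nonce values, the /posts/1 URI, the helper names, and the premise that the client hashed POST while the server verifies with PUT are assumptions for illustration.

```ruby
require 'digest/md5'

def md5(str)
  Digest::MD5.hexdigest(str)
end

# RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
def digest_response(method, uri, user, realm, password, nonce, nc, cnonce, qop = 'auth')
  ha1 = md5([user, realm, password].join(':'))
  ha2 = md5([method, uri].join(':')) # the HTTP method is hashed in here
  md5([ha1, nonce, nc, cnonce, qop, ha2].join(':'))
end

# Constant-time string comparison, so the check does not leak how many
# leading characters of the response matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical server-side check: recompute the response using the method
# the server believes the request has, then compare with the client's value.
def digest_valid?(server_method, creds, password)
  expected = digest_response(server_method, creds[:uri], creds[:username],
                             creds[:realm], password, creds[:nonce],
                             creds[:nc], creds[:cnonce])
  secure_equal?(expected, creds[:response])
end

# Constructed Authorization header fields for user 'lifo' (password 'world'),
# as a client would build them for a request it sends as POST.
def sample_credentials(client_method)
  creds = { username: 'lifo', realm: 'Application', uri: '/posts/1',
            nonce: 'constructed-nonce-0001', nc: '00000001', cnonce: '0a4f113b' }
  creds[:response] = digest_response(client_method, creds[:uri], creds[:username],
                                     creds[:realm], 'world', creds[:nonce],
                                     creds[:nc], creds[:cnonce])
  creds
end

if __FILE__ == $0
  creds = sample_credentials('POST')
  puts "verified as POST: #{digest_valid?('POST', creds, 'world')}"
  puts "verified as PUT:  #{digest_valid?('PUT', creds, 'world')}"
end
```

With correct credentials the check passes only when both sides hash the same method string, which matches the symptom of the login prompt reappearing on update and destroy.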