HTTP Digest Authentication PUT DELETE problem. Bug?


#1

Hi all,

I’ve got a problem with HTTP Digest Authentication after upgrading
Rails to 2.3.2.
It seems that it is broken for the PUT and DELETE request methods.
Here is what I did:

  1. Generated a new Rails app in Rails 2.3.2
  2. Added a sample scaffold model Post name:string
  3. Added a simple HTTP Digest Authentication filter to the application
    controller:

|----------------code----------------- |
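# login => password lookup used by the digest filter
USERS = { 'lifo' => 'world', 'pretty' => 'please', 'a' => 'b' }

before_filter :digest_authenticate

def digest_authenticate
  # The block returns the stored password for the given login (nil if unknown)
  authenticate_or_request_with_http_digest do |login|
    USERS[login]
  end
end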
|---------------- code -----------------|

It works fine for the index, new, create and show actions, but for destroy
(DELETE) and update (PUT) the htaccess popup appears and doesn't allow me to
update or delete (of course I put in the correct login/password data :))

Have you also got a problem with this?
I've reviewed the action_pack source code and it seems that in lines:
http://github.com/rails/rails/blob/18eb80ccc7e932f9a6c00462ceaeea648631b120/actionpack/lib/action_controller/http_authentication.rb (197,198)

expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
expected == credentials[:response]

there are different values generated for PUT and DELETE request
method.

Regards

Grzesiek F.


#2

I've run into the same problem. GET and POST work fine, but PUT and
DELETE repeatedly ask for login information and never succeed.


#3

This is a bug in Rails 2.3.2. I’ve created a Lighthouse ticket for it
(#2490) and created a patch that fixes it. It will probably help get
the fix into a release if others acknowledge the problem and can
verify my patch fixes it for them.

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/2490-http-digest-auth-uses-wrong-request-method-for-put-delete#ticket-2490-1
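
Added example (not part of the thread and not Rails' own code): an RFC 2617 digest check for qop=auth, showing that the request method is hashed into the response, so a server that recomputes with a different method string than the one the client signed rejects correct credentials. The helper names, the realm, nonce and cnonce values, and the POST-versus-PUT pairing are constructed for illustration; the thread does not say which values differed.

```ruby
require 'digest/md5'

# RFC 2617, qop=auth:
#   HA1      = MD5(username:realm:password)
#   HA2      = MD5(method:digest-uri)
#   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
def digest_response(method, uri, creds, password)
  ha1 = Digest::MD5.hexdigest([creds[:username], creds[:realm], password].join(':'))
  ha2 = Digest::MD5.hexdigest([method.to_s.upcase, uri].join(':'))
  Digest::MD5.hexdigest(
    [ha1, creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop], ha2].join(':')
  )
end

# Compare two hex strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: recompute the response with the method the server believes
# the request used and compare it with what the client sent.
def valid_digest?(server_method, creds, password)
  return false if password.nil? # unknown login
  expected = digest_response(server_method, creds[:uri], creds, password)
  secure_equal?(expected, creds[:response].to_s)
end

# Client side (constructed values): build the Authorization fields, signing
# the method that actually goes over the wire.
def client_credentials(wire_method, uri, username, password)
  creds = {
    username: username, realm: 'Application',
    nonce: 'constructed-nonce', nc: '00000001',
    cnonce: 'constructed-cnonce', qop: 'auth', uri: uri
  }
  creds.merge(response: digest_response(wire_method, uri, creds, password))
end

if __FILE__ == $PROGRAM_NAME
  creds = client_credentials('POST', '/posts/1', 'lifo', 'world')
  puts "verified as POST: #{valid_digest?('POST', creds, 'world')}"
  puts "verified as PUT:  #{valid_digest?('PUT', creds, 'world')}"
end
```

When a client re-prompts for credentials only on some verbs, logging the method string fed into HA2 on the server next to the method seen on the wire is a quick way to confirm this kind of mismatch.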