rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
* Need help with Rack::Auth::Digest.. (maybe bug)
@ 2010-05-19 11:16 maxmotor
From: maxmotor @ 2010-05-19 11:16 UTC (permalink / raw)
  To: Rack Development

Hi All,

First of all, I'm sorry for my English.

Maybe I made a mistake, but it looks like I found a bug in the
Rack::Auth::Digest implementation (rack-1.1.0).

If passwords_hashed is not set to true then you can't provide
verification in the 'normal way', because @authenticator.call returns the
password value, and it does not matter whether it is a password or nil, false, etc.

For example, by the 'normal way' I mean something like this:

example1:

Rack::Auth::Digest::MD5.new(app, 'Admin') do |login|
  'admin_pass' if login == 'admin'
end

In this case value = @authenticator.call(auth.username) returns nil,
which means you can use an empty password (value.to_s = '') with any
login except 'admin'.


example2:

Rack::Auth::Digest::MD5.new(app, 'Admin') do |login|
  login == 'admin' ? 'admin_pass' : false
end

In this case you can use password = 'false' (value.to_s = 'false')
with any login except 'admin'.

To avoid this you should use hacks. For example:

example1: raise an exception

Rack::Auth::Digest::MD5.new(app, 'Admin') do |login|
  # parentheses needed: a bare `raise 'msg'` is not valid in a ternary branch
  login == 'admin' ? 'admin_pass' : raise('Invalid password')
end

example2: return a random password:

Rack::Auth::Digest::MD5.new(app, 'Admin') do |login|
  login == 'admin' ? 'admin_pass' : rand
end

etc...

But I think it should be fixed inside 'valid_digest?'. For example:

def valid_digest?(auth)
  # a nil/false authenticator result is a rejection, not an empty password
  !!(pass = @authenticator.call(auth.username)) && (digest(auth, pass) == auth.response)
end


P.S. As a variant to avoid this problem you can set passwords_hashed to
true, but in this case you should have a properly generated hash for the
password (password_hash = HA1 = MD5(A1) = MD5(username:realm:password)).

Please help/correct me if I am wrong.

Thank you in advance!

--
Regards, Max
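To make the behaviour described in the message concrete, here is an added example that is not Rack's code and not part of the original post. It models the RFC 2617 digest computation (qop=auth) in plain Ruby, reproduces the rack-1.1.0 behaviour the post describes (the authenticator's return value is joined straight into HA1, so nil becomes '' and false becomes 'false'), and compares it with the proposed valid_digest? check. REALM, PARAMS, the two authenticator lambdas and the 'guest' login are constructed values; `digest_for` is a stand-in for Rack's own `digest` method.

```ruby
require 'digest/md5'

# Added example, not Rack's code: a minimal model of RFC 2617 digest
# verification (qop=auth) that reproduces the nil/false-password behaviour
# described in the post and compares it with the proposed valid_digest? check.

REALM = 'Admin'

# Constructed request parameters standing in for the Authorization header.
PARAMS = {
  nonce: 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
  nc: '00000001',
  cnonce: '0a4f113b',
  qop: 'auth',
  method: 'GET',
  uri: '/secret'
}.freeze

def h(data)
  Digest::MD5.hexdigest(data)
end

# Server-side digest, mirroring the string join rack-1.1.0 uses when
# passwords_hashed is false: Array#join turns nil into '' and false into
# 'false', so HA1 is still computed and the comparison proceeds.
def digest_for(username, password, p = PARAMS)
  ha1 = h([username, REALM, password].join(':'))   # MD5(username:realm:password)
  ha2 = h([p[:method], p[:uri]].join(':'))         # MD5(method:uri)
  h([ha1, p[:nonce], p[:nc], p[:cnonce], p[:qop], ha2].join(':'))
end

# What a client sends when the user types `password` for `username`.
def client_response(username, password)
  digest_for(username, password)
end

# rack-1.1.0 behaviour as described in the post: whatever the authenticator
# returns is used as the password.
def valid_digest_original?(authenticator, username, response)
  digest_for(username, authenticator.call(username)) == response
end

# The post's proposal: a nil/false authenticator result is a rejection.
def valid_digest_fixed?(authenticator, username, response)
  !!(pass = authenticator.call(username)) && digest_for(username, pass) == response
end

# The two 'normal way' authenticators from the post.
NIL_AUTH   = lambda { |login| 'admin_pass' if login == 'admin' }
FALSE_AUTH = lambda { |login| login == 'admin' ? 'admin_pass' : false }

if __FILE__ == $0
  admin_ok = client_response('admin', 'admin_pass')
  puts "admin, original: #{valid_digest_original?(NIL_AUTH, 'admin', admin_ok)}"   # true
  puts "admin, fixed:    #{valid_digest_fixed?(NIL_AUTH, 'admin', admin_ok)}"      # true

  # example1: unknown login, empty password, authenticator returns nil
  guest_empty = client_response('guest', '')
  puts "guest/'', original: #{valid_digest_original?(NIL_AUTH, 'guest', guest_empty)}" # true
  puts "guest/'', fixed:    #{valid_digest_fixed?(NIL_AUTH, 'guest', guest_empty)}"    # false

  # example2: unknown login, password 'false', authenticator returns false
  guest_false = client_response('guest', 'false')
  puts "guest/'false', original: #{valid_digest_original?(FALSE_AUTH, 'guest', guest_false)}" # true
  puts "guest/'false', fixed:    #{valid_digest_fixed?(FALSE_AUTH, 'guest', guest_false)}"    # false
end
```

The fixed version changes only the nil/false case: a correct admin password is still accepted, a wrong admin password is still rejected, and an unknown login is rejected regardless of what password the client hashed.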
