Digest Authentication in Webserver Library #3053
Conversation
Codecov Report
@@ Coverage Diff @@
## master #3053 +/- ##
========================================
Coverage ? 27.6%
========================================
Files ? 20
Lines ? 3655
Branches ? 678
========================================
Hits ? 1009
Misses ? 2468
Partials ? 178Continue to review full report at Codecov.
|
|
Hello @igrr , will this feature be added to the Master Branch ?? |
|
@igrr any news ?? |
There was a problem hiding this comment.
Sorry, forgot about this MR again. Left some (mostly minor comments below).
One major request is to make sure new functionality does not get linked into the application if Basic auth is used. My suggestion is to add two functions, requestBasicAuthentication and requestDigestAuthentication, keep requestAuthentication for compatibility (making it call requestBasicAuthentication). This way the extra code only gets added if Digest auth is actually used in the sketch.
| if(mode==BASIC_AUTH){ | ||
| sendHeader("WWW-Authenticate", "Basic realm=\"" + _srealm + "\""); | ||
| }else{ | ||
| _snonce=String(RANDOM_REG32,HEX)+String(RANDOM_REG32,HEX)+String(RANDOM_REG32,HEX)+String(RANDOM_REG32,HEX); |
There was a problem hiding this comment.
Does String(val, HEX) automatically pad the string to 8 hexadecimal places, or the string can end up being shorter?
There was a problem hiding this comment.
Also, it might be a bit nicer to put this into a separate function, a la String getRandomHexString(size_t length).
There was a problem hiding this comment.
String(val, HEX) in the original Arduino depends on itoa which does not support padding
But it's not a problem really
the nonce and opaque values are arbitrary in length anyway
but the idea of a function is much better as I need to call it twice ..
I will modify it right away ..
| void ESP8266WebServer::requestAuthentication(){ | ||
| sendHeader("WWW-Authenticate", "Basic realm=\"Login Required\""); | ||
| send(401); | ||
| void ESP8266WebServer::requestAuthentication(HTTPAuthMethod mode, const char* realm, const String& AuthFailMsg){ |
There was a problem hiding this comment.
suggest authFailMsg instead of AuthFailMsg.
| @@ -0,0 +1,45 @@ | |||
| #include <ESP8266WiFi.h> | |||
There was a problem hiding this comment.
Please add a public domain / CC0 license at the top of the sketch
There was a problem hiding this comment.
I copied this sketch from the HttpBasicAuth folder and it does not have a license ..
I am not sure of what should I put here ..
can you give an Example ??
There was a problem hiding this comment.
There was a problem hiding this comment.
Sorry, i mean public domain license, as in Blink example. It has been mentioned before that using LGPL license on examples is too restrictive. We already have a few such examples, and it would be better to migrate all the examples to CC0/public domain license.
There was a problem hiding this comment.
sorry I just copied the license from the next sketch in the folder .
fixed it now
|
|
||
| const char* www_username = "admin"; | ||
| const char* www_password = "esp8266"; | ||
| const char* www_realm = "Custom Realm"; // allows you to set the realm of authentication Default:"Login Required" |
There was a problem hiding this comment.
These long comments will not fit into default Arduino IDE window.
| const char* www_username = "admin"; | ||
| const char* www_password = "esp8266"; | ||
| const char* www_realm = "Custom Realm"; // allows you to set the realm of authentication Default:"Login Required" | ||
| String AuthFailResponse = "Authentication Failed"; // the Content of the HTML response in case of Unautherized Access Default:empty |
There was a problem hiding this comment.
same here, variable names in Arduino usually start with lowercase letter
|
thanks for the fast reply @igrr 🗡️ Concerning this :
The function prototype in the header file is the following it defaults to use the Basic Auth if no parameters is passed to the function call this code for example exactly works the same as if no modifications were added if you are worried about the extra code added .. the Bulk of the Code resides in the function please advise on how to proceed I will modify it as you say it if you say so :D I am working on the other modifications in the meanwhile waiting for a reply to push the last modification |
|
Ok, i understand. It's okay to keep the function as is ( |
|
I've made the modifications you asked for |
Lan-Hekary
force-pushed
the
DigestAuth
branch
from
7c3fb22 to
f91b58c
Compare
|
any news ?? @igrr |
* Add Digest Auth * Check for Opaque and Nonce * Remove Serial Debug and fix Indentation * Added example sketch with documentation,Fixed indentation and Defaults * Digest Authentication minor changes + new padded 32 digit random function * update license to public domain * renaming functions
Added and Example called HTTPAdvancedAuth to show the user how to use the auth method
the Normal Basic Auth wasn't affected as it's the default mode in the function call
the user can change the auth relm too
also added a feature to change the auth failure html content