Fix Digest Auth to Return Correct Header

Digest Auth was returning the wrong header when a login attempt failed.

Closes #133

httpbin/core.py

@@ -359,7 +359,9 @@ def digest_auth(qop=None, user='user', passwd='passwd'):
     """Prompts the user for authorization using HTTP Digest auth"""
     if qop not in ('auth', 'auth-int'):
         qop = None
-    if not request.headers.get('Authorization'):
+    if 'Authorization' not in request.headers or  \
+                       not check_digest_auth(user, passwd) or \
+                       not 'Cookie' in request.headers:
         response = app.make_response('')
         response.status_code = 401
 
@@ -382,9 +384,6 @@ def digest_auth(qop=None, user='user', passwd='passwd'):
         response.headers['WWW-Authenticate'] = auth.to_header()
         response.headers['Set-Cookie'] = 'fake=fake_value'
         return response
-    elif not (check_digest_auth(user, passwd) and
-              request.headers.get('Cookie')):
-        return status_code(401)
     return jsonify(authenticated=True, user=user)
 
 

test_httpbin.py

@@ -103,6 +103,21 @@ class HttpbinTestCase(unittest.TestCase):
         response = self.app.get('/gzip')
         self.assertEqual(response.status_code, 200)
 
+    def test_digest_auth_with_wrong_password(self):
+        auth_header = 'Digest username="user",realm="wrong",nonce="wrong",uri="/digest-auth/user/passwd",response="wrong",opaque="wrong"'
+        response = self.app.get(
+            '/digest-auth/auth/user/passwd',
+            environ_base={
+                # httpbin's digest auth implementation uses the remote addr to
+                # build the nonce
+                'REMOTE_ADDR': '127.0.0.1',
+            },
+            headers={
+                'Authorization': auth_header,
+            }
+        )
+        assert 'Digest' in response.headers.get('WWW-Authenticate')
+
     def test_digest_auth(self):
         # make first request
         unauthorized_response = self.app.get(