diff --git a/httpbin/core.py b/httpbin/core.py
index 29760a7..3e23249 100644
--- a/httpbin/core.py
+++ b/httpbin/core.py
@@ -359,7 +359,9 @@ def digest_auth(qop=None, user='user', passwd='passwd'):
     """Prompts the user for authorization using HTTP Digest auth"""
     if qop not in ('auth', 'auth-int'):
         qop = None
-    if not request.headers.get('Authorization'):
+    if 'Authorization' not in request.headers or \
+       not check_digest_auth(user, passwd) or \
+       not 'Cookie' in request.headers:
         response = app.make_response('')
         response.status_code = 401
 
@@ -382,9 +384,6 @@ def digest_auth(qop=None, user='user', passwd='passwd'):
         response.headers['WWW-Authenticate'] = auth.to_header()
         response.headers['Set-Cookie'] = 'fake=fake_value'
         return response
-    elif not (check_digest_auth(user, passwd) and
-              request.headers.get('Cookie')):
-        return status_code(401)
     return jsonify(authenticated=True, user=user)
 
 
diff --git a/test_httpbin.py b/test_httpbin.py
index 9fd9f61..e3f4ad7 100755
--- a/test_httpbin.py
+++ b/test_httpbin.py
@@ -103,6 +103,21 @@ class HttpbinTestCase(unittest.TestCase):
         response = self.app.get('/gzip')
         self.assertEqual(response.status_code, 200)
 
+    def test_digest_auth_with_wrong_password(self):
+        auth_header = 'Digest username="user",realm="wrong",nonce="wrong",uri="/digest-auth/user/passwd",response="wrong",opaque="wrong"'
+        response = self.app.get(
+            '/digest-auth/auth/user/passwd',
+            environ_base={
+                # httpbin's digest auth implementation uses the remote addr to
+                # build the nonce
+                'REMOTE_ADDR': '127.0.0.1',
+            },
+            headers={
+                'Authorization': auth_header,
+            }
+        )
+        assert 'Digest' in response.headers.get('WWW-Authenticate')
+
     def test_digest_auth(self):
         # make first request
         unauthorized_response = self.app.get(
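Review bot: The third term of the new condition, `not 'Cookie' in request.headers`, should be written `'Cookie' not in request.headers` (PEP 8 E713), matching the `'Authorization' not in request.headers` term two lines above; wrapping the whole condition in parentheses would also let the backslash continuations go. The merged condition also changes what a client sees on a failed digest check: the removed `elif` (second hunk of this file) answered a wrong password with a bare 401, whereas the new code answers it with a fresh challenge carrying a new nonce and the `Set-Cookie` header, so a missing header, a bad password and a missing cookie are no longer distinguishable to the client — that is presumably the intent, and deserves a one-line comment above the `if`, e.g. `# Re-challenge with a fresh nonce whenever the request is not fully authenticated (no header, bad digest, or no cookie).` Note that `check_digest_auth` now runs for any non-empty Authorization header, including non-Digest schemes; whether it tolerates those cannot be seen from this hunk. The body of `digest_auth` continues outside the hunk.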
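Review bot: `test_digest_auth_with_wrong_password` never asserts the status code, so a 200 that happened to carry a `WWW-Authenticate` header would pass; add `self.assertEqual(response.status_code, 401)` before the final assert, which is the behaviour the core.py change actually introduces. The final line also uses a bare `assert` with `response.headers.get('WWW-Authenticate')`: if the header is absent, `get` returns None and the `in` check raises TypeError instead of a clean assertion failure, and the rest of this TestCase uses `self.assertEqual`. A consistent form is `self.assertIn('Digest', response.headers.get('WWW-Authenticate', ''))`.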