marcoskirsch/nodemcu-httpserver

Digest Authentication

hamid-rostami opened this issue · 0 comments

I added a Digest Authentication method to my fork of nodemcu-httpserver, based on RFC 7616.
The new file is httpserver-digestauth.lua and has 2 functions (based on the httpserver-basicauth.lua architecture):

* digestAuth.authenticate
* digestAuth.authErrorHeader

The digestAuth.authenticate function tries to find 'Authorization: Digest' in the request header, fetches the fields of this header into a 'digest' table, and then validates them against the pre-defined username/password pair (defined in the 'httpserver-conf.lua' file).

If it does not find 'Authorization: Digest' in the request header, it returns nil for the username and a code to pass to the 'digestAuth.authErrorHeader' function to create a suitable response.
In this case, the server responds to the request with an HTTP 401 code and 'WWW-Authenticate: Digest' in the response header, together with some fields that the method requires, such as 'nonce', 'opaque' and 'stale'.

As you know, the security of digest authentication depends heavily on the generation algorithm of the nonce field. I am using this algorithm for generating the nonce hash:

-- seed the PRNG from the microsecond timer, then draw a 16-bit random value
math.randomseed(tmr.now())
local random1 = math.random(0, 0xFFFF)
-- nonce = hex(MD5(random1 .. ":" .. current timer value)), using the NodeMCU crypto and encoder modules
local nonce = encoder.toHex(crypto.hash("md5", random1 .. ":" .. tmr.now()))

Please test this feature and tell me your suggestions.
Best regards.
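As an added, stand-alone reference for testing the behaviour described in this issue (example code written for this page, not code from the fork or from nodemcu-httpserver), the following Python script implements the server side of RFC 7616 Digest authentication with algorithm=MD5 and qop=auth: it parses the Authorization: Digest header, recomputes the response hash, and builds the WWW-Authenticate: Digest challenge with the nonce, opaque and stale fields the issue mentions. The nonce scheme it uses (a timestamp plus an HMAC under a per-boot server secret, so the server can tell its own nonces from forged ones and detect expiry without storing any nonce) is an assumption of this example and a suggestion for a memory-constrained device, not the fork's tmr.now()/md5 scheme. The credentials, realm, opaque value and nonce lifetime are constructed sample values.

```python
"""Server-side HTTP Digest authentication check (RFC 7616, algorithm=MD5, qop=auth).
Added example in Python; not the nodemcu-httpserver fork's Lua code."""
import hashlib
import hmac
import os
import re
import time

# Constructed sample configuration (the fork keeps its pair in httpserver-conf.lua).
USERS = {"admin": "secret"}
REALM = "nodemcu"
OPAQUE = "nodemcu-example-opaque"   # constructed; any server-chosen opaque string
NONCE_LIFETIME = 300                # seconds before a nonce is reported as stale
SERVER_SECRET = os.urandom(16)      # assumption: per-boot secret keyed into every nonce


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now=None) -> str:
    """Nonce = "<unix time>:<HMAC(secret, time)>": the HMAC ties the nonce to this
    server and lets it be verified statelessly; the timestamp makes expiry checkable."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{mac}"


def check_nonce(nonce: str, now=None):
    """Return (is_ours, is_stale). A nonce with a bad MAC is rejected outright."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False, False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expected, mac):
        return False, False
    now = time.time() if now is None else now
    return True, (now - int(ts)) > NONCE_LIFETIME


# key=value pairs, quoted or bare, as they appear in an Authorization: Digest header
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(value: str) -> dict:
    """Turn 'Digest username="a", nc=00000001, ...' into a dict; {} if not Digest."""
    if not value.startswith("Digest "):
        return {}
    return {k: (q or u) for k, q, u in _PARAM_RE.findall(value[len("Digest "):])}


def compute_response(method, uri, username, password, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authenticate(method, uri, header, now=None):
    """Same contract as the issue describes: (username, None) on success, otherwise
    (None, reason) where reason selects how the 401 challenge is built."""
    d = parse_digest_header(header)
    required = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
    if not all(k in d for k in required):
        return None, "missing"
    if d["realm"] != REALM or d["qop"] != "auth" or d["uri"] != uri:
        return None, "mismatch"
    is_ours, is_stale = check_nonce(d["nonce"], now)
    if not is_ours:
        return None, "bad_nonce"
    password = USERS.get(d["username"])
    if password is None:
        return None, "bad_credentials"
    expected = compute_response(method, uri, d["username"], password,
                                d["nonce"], d["nc"], d["cnonce"])
    if not hmac.compare_digest(expected, d["response"]):
        return None, "bad_credentials"
    if is_stale:
        # Right credentials, expired nonce: stale=true tells the client to retry
        # with the fresh nonce without prompting for the password again.
        return None, "stale"
    return d["username"], None


def auth_error_header(reason, now=None) -> str:
    """The challenge sent with a 401, including the fields the issue lists."""
    stale = "true" if reason == "stale" else "false"
    return (f'WWW-Authenticate: Digest realm="{REALM}", qop="auth", algorithm=MD5, '
            f'nonce="{make_nonce(now)}", opaque="{OPAQUE}", stale={stale}')


def build_client_header(method, uri, username, password, nonce,
                        nc="00000001", cnonce="0a4f113b") -> str:
    """What a client sends back; used here to drive the server-side check."""
    resp = compute_response(method, uri, username, password, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", opaque="{OPAQUE}"')


if __name__ == "__main__":
    challenge = auth_error_header("missing")
    nonce = parse_digest_header(challenge.split(": ", 1)[1])["nonce"]
    print(authenticate("GET", "/", build_client_header("GET", "/", "admin", "secret", nonce)))
```

To cross-check the Lua implementation, feed compute_response a nonce, nc and cnonce captured from a real exchange and compare the result with the response value the fork accepts; the worked example in RFC 7616 can serve the same purpose. MD5 is kept here because the issue's nonce already uses crypto.hash("md5") and RFC 7616 retains MD5 for backwards compatibility, but the RFC recommends SHA-256, so switching _md5 to hashlib.sha256 (and algorithm=SHA-256 in the challenge) is the only change needed for the stronger variant.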