[Support] The library does not support the older digest protocol #13

@42degrees

Question

The library fails when connecting to an older RFC 2069 API. Was it intentional that the library doesn't support connecting to legacy digest APIs? If it was intentional, then IMO the library would benefit by providing a clear error message when the server fails to provide a QOP value. What happens now is that the `AllDataCorrectFilled()` method returns false, so the resulting error is: `Cannot load all required data from {AuthenticateHeaderName}. Data: {AuthenticateHeader}`. This is not a very clear response, and since RFC 2617 does specify that qop is optional (to be backwards compatible with 2069), it is hard to understand why it's being flagged as required.

Also, from reading the spec it defines that the h2 hash is built differently depending on the value in the QOP field (as well as whether it is provided at all), and the library does not appear to be supporting all the permutations (specifically, it only appears to support the QOP value of "auth" and not missing, "auth-int", or "auth-conf"). I am not an expert on digest authentication, so maybe there is a nuance here that I'm not seeing (maybe "auth-int" and "auth-conf" are not found in the wild).

I have modified the library for my own use to support RFC 2069, and I started the process of adding differences based on the value of qop, but I lack a test environment that supports the different processes to validate that I'm doing that right (my current requirements are to support the legacy version of digest, the rest was just curiosity). The main addition that I made is in GetDigestHeader():

    public string GetDigestHeader(string digestUri, Method method)
    {
        // No qop in the challenge: build the RFC 2069 response,
        // which hashes only HA1, the nonce and HA2.
        if (null == _qop)
        {
            var hash1 = GenerateMD5($"{_username}:{_realm}:{_password}");
            var hash2 = GenerateMD5($"{method.ToString().ToUpperInvariant()}:{digestUri}");
            var digestResponse = GenerateMD5($"{hash1}:{_nonce}:{hash2}");
            return $"Digest username=\"{_username}\"," +
                   $" realm=\"{_realm}\"," +
                   $" nonce=\"{_nonce}\"," +
                   $" uri=\"{digestUri}\"," +
                   $" response=\"{digestResponse}\"";
        }
        else if ("auth" == _qop)
        {
            // <original code here>
        }
    }

As well as changing AllDataCorrectFilled() to not require the QOP.

Thanks for creating the library!
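
As an added example (not part of the original post and not the library's code), the code below computes the digest response for a challenge with no qop (RFC 2069), for `auth` and for `auth-int`, and checks the `auth` case against the worked example in RFC 2617 section 3.5. The class, method and parameter names are hypothetical, and UTF-8 encoding of the hashed strings is an assumption.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: DigestResponse and its parameter names are hypothetical, not the library's API.
static class DigestResponse
{
    // Lowercase hex MD5; UTF-8 is an assumption (identical to ASCII for these inputs).
    static string Md5Hex(string s) =>
        string.Concat(MD5.Create().ComputeHash(Encoding.UTF8.GetBytes(s)).Select(b => b.ToString("x2")));

    // qop == null selects the RFC 2069 form; "auth" and "auth-int" follow RFC 2617.
    public static string Compute(string user, string realm, string password, string method,
        string uri, string nonce, string qop = null, string nc = null, string cnonce = null,
        string entityBody = "")
    {
        string ha1 = Md5Hex($"{user}:{realm}:{password}");
        string ha2 = qop == "auth-int"
            ? Md5Hex($"{method}:{uri}:{Md5Hex(entityBody)}")  // A2 also covers the entity body
            : Md5Hex($"{method}:{uri}");
        switch (qop)
        {
            case null:                                  // legacy: no nc, cnonce or qop in the hash
                return Md5Hex($"{ha1}:{nonce}:{ha2}");
            case "auth":
            case "auth-int":
                if (nc == null || cnonce == null)
                    throw new ArgumentException("nc and cnonce are required when qop is present");
                return Md5Hex($"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}");
            default:                                    // name the offending value in the error
                throw new NotSupportedException($"Unsupported qop value '{qop}'");
        }
    }

    static void Main()
    {
        // Inputs of the worked example in RFC 2617 section 3.5.
        const string user = "Mufasa", realm = "testrealm@host.com", pw = "Circle Of Life";
        const string nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", uri = "/dir/index.html";
        const string nc = "00000001", cnonce = "0a4f113b";

        string auth = Compute(user, realm, pw, "GET", uri, nonce, "auth", nc, cnonce);
        if (auth != "6629fae49393a05397450978507c4ef1") throw new Exception("RFC 2617 vector mismatch");
        Console.WriteLine($"qop=auth     {auth}");
        Console.WriteLine($"no qop       {Compute(user, realm, pw, "GET", uri, nonce)}");
        Console.WriteLine($"qop=auth-int {Compute(user, realm, pw, "GET", uri, nonce, "auth-int", nc, cnonce)}");
    }
}
```

The three printed values differ for identical credentials and nonce, so a client that sends the `auth` form to a server that issued no qop will be rejected even with the correct password.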
