worked out bugs in my digest auth

2007-08-21 @ 23:24

i spent the evening working out kinks in my implementation of HTTP Digest Authentication. nothing major. i cleaned up the hash computation code (to make it easier to read, mostly) and generally trimmed the code. along the way, i pulled my HTTP Basic Authentication code into the same module. now i have a single class that handles both Basic and Digest.

i also made sure that exyus can now support *both* Basic and Digest at the same time. it's now up to the client to peruse the WWW-Authenticate headers and pick the method the client supports. fwiw, while the specs say clients should pick the strongest auth method from the list of available ones, i see that almost all just pick the first one.

i also found that, while MSIE gives up attempting to authenticate against my server after three tries, FF tries endlessly. this can be bad. i also found that one of my favorite HTTP tools, WFetch, fails to authenticate using Digest. in fact, WFetch ends up in a race condition and never stops making authentication requests against the server. can you say "DoS attack!?"

to fix this possible (and perverse) situation, i added a counter that will throw a hard error (403 Forbidden) if the client fails to authenticate five times within 30 seconds. i figure 6 times per second is faster than any reasonable user can type, eh?
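here is a worked example, added to this post and not exyus code, of the two pieces described above: a server that advertises both Digest and Basic in its WWW-Authenticate headers (Digest listed first, since most clients just take the first one) and verifies either, plus a per-client failure counter that answers 403 instead of another 401 challenge once a client has failed five times inside 30 seconds. it is written in Python rather than the project's own language; the names (AuthGate, USERS, REALM, basic_header, ...) and the demo credential are made up for the example, and the clock is passed in so the throttle can be exercised without waiting.

```python
"""Added example: HTTP Digest + Basic verification with a failed-auth throttle.
Identifiers here (AuthGate, USERS, REALM, ...) are assumptions for the demo,
not names from the post or from exyus."""
import base64
import hashlib
import hmac
import re
import secrets
from collections import defaultdict, deque

USERS = {"mike": "s3cret"}   # constructed demo credential
REALM = "exyus"
MAX_FAILURES = 5             # the post's rule: five failures ...
WINDOW_SECONDS = 30.0        # ... within 30 seconds => 403 Forbidden

# key=value pairs of a Digest header, quoted or bare (nc=00000001, algorithm=MD5)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_params(value: str) -> dict:
    """Turn 'username="mike", nc=00000001, ...' into a dict (value after the scheme word)."""
    out = {}
    for m in _PARAM_RE.finditer(value):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def digest_response(user, password, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response value; the server computes it to compare, a client to send it."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")   # legacy RFC 2069 form, no qop


def basic_header(user: str, password: str) -> str:
    """Authorization value a Basic client would send (used by the tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


class AuthGate:
    def __init__(self):
        self.issued_nonces = set()             # only nonces we handed out are accepted
        self.failures = defaultdict(deque)     # client id -> timestamps of failed attempts

    def challenge_headers(self):
        """Both WWW-Authenticate values sent with a 401, strongest scheme first."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return [
            f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5',
            f'Basic realm="{REALM}"',
        ]

    def _verify(self, authorization: str, method: str, uri: str) -> bool:
        scheme, _, rest = authorization.partition(" ")
        if scheme == "Basic":
            try:
                user, _, pw = base64.b64decode(rest).decode("utf-8").partition(":")
            except (ValueError, UnicodeDecodeError):
                return False
            return user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())
        if scheme == "Digest":
            p = parse_digest_params(rest)
            user = p.get("username")
            if user not in USERS or p.get("nonce") not in self.issued_nonces:
                return False
            if p.get("uri") != uri:               # digest must be bound to this request
                return False
            expected = digest_response(user, USERS[user], method, uri, p["nonce"],
                                       p.get("nc"), p.get("cnonce"), p.get("qop"))
            return hmac.compare_digest(expected.encode(), p.get("response", "").encode())
        return False

    def check(self, client: str, authorization, method: str, uri: str, now: float) -> int:
        """Return the status to answer with: 200, 401 (re-challenge) or 403 (hard error)."""
        window = self.failures[client]
        while window and now - window[0] > WINDOW_SECONDS:   # drop failures older than 30 s
            window.popleft()
        if len(window) >= MAX_FAILURES:
            return 403      # already tripped inside the window; stay shut until it ages out
        if not authorization:
            return 401      # first request carries no credentials: challenge, not a failure
        if self._verify(authorization, method, uri):
            window.clear()
            return 200
        window.append(now)
        return 403 if len(window) >= MAX_FAILURES else 401
```

the point of answering 403 rather than another 401 is that a 401 is an invitation to try again, which is exactly what the endlessly-retrying clients do; a 403 carries no WWW-Authenticate challenge, so a well-behaved client stops. the example keeps the client shut for the rest of the window even if correct credentials arrive, which is one reasonable reading of the rule; counting only requests that actually carried credentials keeps a normal first request from being charged as a failure.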

code