
Support for Digest auth method #394

Open
wangyongxiao opened this issue Jan 30, 2024 · 2 comments
Labels
A-httpauth Project: actix-web-httpauth C-feature Category: new functionality good first issue Good for newcomers

Comments

@wangyongxiao

Is there a middleware that can do Digest Auth in actix-web?

actix_web_httpauth only supports Bearer and Basic.

So how can I support Digest Auth like

`WWW-Authenticate: Digest realm="test", qop="auth", nonce="MTcwMjUzOTAwMjAwMDplYmVmYjAwNzdkM2ZjMzU3MzRmNmZhZTUwOTBjOTM1Ng=="`

@robjtede robjtede transferred this issue from actix/actix-web Jan 30, 2024
@robjtede robjtede added A-httpauth Project: actix-web-httpauth C-feature Category: new functionality labels Jan 30, 2024
@robjtede
Member

If this is not possible with first-party tools, I'd consider this a feature request for actix-web-httpauth.

@robjtede robjtede added the good first issue Good for newcomers label Jan 30, 2024
@robjtede robjtede changed the title from "is there have middleware can do Digest Auth in actix-web" to "Support for Digest auth method" Jan 30, 2024
@joehasson

Hi @robjtede I'm interested in working on this issue. I have a couple of thoughts around what the API for this should look like and would appreciate any feedback on the following.

  • Generating a challenge: In digest auth the challenge response needs to be generated uniquely for each new request (there are unique nonce and opaque values associated with each challenge). I would propose using a Config struct that wraps a challenge_factory(req) -> DigestChallenge closure, provided by the library user. The Config would then be stored in app data for later use by the extractor (similar to how basic and bearer auth are handled).
  • Handling missing config: If this Config isn't present in the app state then I think there are two options for generating a response.
    1. Just return a 500 Internal Server Error, effectively requiring users to provide a Config.
    2. Generate a challenge according to some reasonable defaults. The problem is that it's not clear how to store the nonce and opaque value such that they can be properly verified when the client responds. Cookies are no good here because we need to check the nonce has not been used before. So maybe forcing users to pass a Config is the best approach.

Thanks in advance for any comments!
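Added example (not part of the issue thread, and not actix-web-httpauth code) sketching the flow the comment above describes: the server issues a fresh nonce and opaque per challenge, keeps them until the client answers, and rejects a replayed nonce. It is written in Python with the standard library so it runs as-is; the names `DigestServer`, `client_authorize` and the user "alice" are constructed for the illustration, while realm "test" and qop="auth" are taken from the header quoted in the issue (RFC 7616 MD5 algorithm, qop=auth).

```python
import hashlib
import hmac
import secrets


def _h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _response(user, password, realm, method, uri, nonce, nc, cnonce) -> str:
    # RFC 7616 response for algorithm=MD5, qop=auth.
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Server side: one-time challenges, verified on the client's reply (constructed example)."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users
        self.pending = {}  # nonce -> opaque; only challenges not yet answered

    def challenge(self) -> dict:
        nonce, opaque = secrets.token_hex(16), secrets.token_hex(16)
        self.pending[nonce] = opaque
        return {"realm": self.realm, "qop": "auth", "nonce": nonce, "opaque": opaque}

    def verify(self, method: str, uri: str, auth: dict) -> bool:
        # pop() consumes the nonce, so a replayed Authorization header fails here.
        opaque = self.pending.pop(auth.get("nonce"), None)
        if opaque is None or opaque != auth.get("opaque") or auth.get("qop") != "auth":
            return False
        password = self.users.get(auth.get("username"))
        if password is None:
            return False
        expected = _response(auth["username"], password, self.realm, method, uri,
                             auth["nonce"], auth["nc"], auth["cnonce"])
        return hmac.compare_digest(expected, auth.get("response", ""))


def client_authorize(user, password, method, uri, chal: dict, nc="00000001") -> dict:
    """Client side: the Authorization header fields answering a challenge."""
    cnonce = secrets.token_hex(8)
    return {"username": user, "realm": chal["realm"], "nonce": chal["nonce"], "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "opaque": chal["opaque"],
            "response": _response(user, password, chal["realm"], method, uri, chal["nonce"], nc, cnonce)}


def demo():
    server = DigestServer("test", {"alice": "correct horse"})
    auth = client_authorize("alice", "correct horse", "GET", "/secret", server.challenge())
    return server.verify("GET", "/secret", auth), server.verify("GET", "/secret", auth)
```

`demo()` returns `(True, False)`: the first reply is accepted, the identical second one is refused because its nonce was already consumed.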

Development

No branches or pull requests

3 participants