[libmicrohttpd] Re: HTTP Digest Auth done
From: Amr Ali
Subject: [libmicrohttpd] Re: HTTP Digest Auth done
Date: Thu, 19 Aug 2010 03:25:49 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6
On 08/18/2010 10:18 AM, Christian Grothoff wrote:
> Hi!
>
> On Tuesday 17 August 2010 22:00:20 Amr Ali wrote:
>> Hi Christian,
>>
>> I'm finally done with this module, I replaced the idea of an internal
>> buffer that stores nonces with implementing a timeout mechanism for each
>> nonce that is actually embedded into the nonce, so no need for increasing
>> the memory footprint.
>
> Nice -- if done right (so that clients cannot easily manipulate the
> timeout...).
Well, there are 2 vetting stages for the validity of the nonce; keep an eye out for
comments inside `is_authenticated()'. ;-)
>
>> I however made the nonce timeout to be 300 seconds
>> (which IMNSHO is quite enough), it's already made as a macro that you can
>> override with -DNONCE_TIMEOUT <SECONDS>.
>
> Yuck. How about giving the timeout as an argument in your API?
>
Fixed, now you will have to supply the nonce timeout through MHD_digest_auth.
Example file updated as well to reflect the changes.
>> I made an example C program for it as well, it's completely based on
>> minimal_example.c, just changed/deleted a few calls.
>
> Always good. Do you also have a testcase and documentation (TexInfo) for the
> tutorial/manual?
>
I don't know if it will ever need unit testing. I think the example will
demonstrate if it is working or not against any browser. There are of course a few
cases that won't be exactly visible through a browser, like in the case of nonce
invalidity and how the code responds to it. But meh, we'll see.
>> As for combining this with MHD, I wanted to discuss how you want this to be
>> combined. The setup I have right now includes the files `digestauth.c' and
>> `digestauth.h' in src/daemon/Makefile.am, same goes for
>> `digest_auth_example.c'. I can change configure.ac to make it optional and
>> not enabled by default, so if someone wants this, he/she has to compile it
>> from source with something like "--enable-digest-auth"?
>
> Sounds good, but I suspect the default should be "on" eventually: having
> --disable-digest-auth (and maybe also --disable-post-processor) will make sure
> that only developers for embedded systems where code size is critical will
> disable it and "normal" packages, like say a Debian package for x86, have
> these enabled without forcing the maintainer to look up options.
>
Done, in the attached patch, configure will have --disable-digest-auth option,
which defaults to 'no'.
>> If you think this is good enough I'll make a patch for the whole thing
>> and send it your way. If not, please let me know what you have in your
>> mind.
>
> My mindset is getting to the point where new code needs to come with testcases
> and at least a little bit of documentation ;-). Despite that request, I think
> you should send a first version of your patch now so that I can look over the
> API itself and give you feedback on that and the code. That way, the test &
> documentation won't have to be rewritten if the API needs to be adjusted (like
> with the -D NONCE_TIMEOUT, which is just a bad hack that can really not stay).
>
See attached!
> Happy hacking
>
> Christian
http_digest_auth.patch
Description: Text Data
http_digest_auth.patch.sig
Description: PGP signature
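
The thread's idea of a nonce that carries its own timeout, bound so a client cannot alter it, sketched as an added example (not code from the attached patch or from libmicrohttpd). The nonce layout, the use of HMAC-SHA256, and the names `make_nonce` and `check_nonce` are assumptions chosen for illustration; the timeout is passed as an argument, as requested in the thread.

```python
import hashlib
import hmac
import time

TS_LEN = 8    # bytes used for the big-endian issue timestamp (assumed layout)
MAC_LEN = 32  # HMAC-SHA256 output size


def _mac(secret, ts, realm):
    # The MAC covers the timestamp, so changing it invalidates the nonce.
    return hmac.new(secret, ts + realm.encode(), hashlib.sha256).digest()


def make_nonce(secret, realm, now=None):
    """Return hex(timestamp || HMAC(secret, timestamp || realm))."""
    issued = int(time.time()) if now is None else now
    ts = issued.to_bytes(TS_LEN, "big")
    return (ts + _mac(secret, ts, realm)).hex()


def check_nonce(secret, realm, nonce, timeout, now=None):
    """Return 'ok', 'invalid' (malformed or forged) or 'stale' (expired)."""
    now = int(time.time()) if now is None else now
    try:
        raw = bytes.fromhex(nonce)
    except ValueError:
        return "invalid"
    if len(raw) != TS_LEN + MAC_LEN:
        return "invalid"
    ts, mac = raw[:TS_LEN], raw[TS_LEN:]
    # Stage 1: integrity. Reject any nonce this server did not mint,
    # comparing in constant time to avoid leaking MAC bytes.
    if not hmac.compare_digest(mac, _mac(secret, ts, realm)):
        return "invalid"
    # Stage 2: freshness. Only now is the embedded timestamp trusted.
    issued = int.from_bytes(ts, "big")
    if issued > now or now - issued > timeout:
        return "stale"
    return "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    nonce = make_nonce(secret, "demo-realm", now=1000)
    print(check_nonce(secret, "demo-realm", nonce, 300, now=1100))  # fresh
    print(check_nonce(secret, "demo-realm", nonce, 300, now=1301))  # expired
    # A client rewriting the timestamp to extend the lifetime fails stage 1.
    forged = (1250).to_bytes(TS_LEN, "big").hex() + nonce[2 * TS_LEN:]
    print(check_nonce(secret, "demo-realm", forged, 300, now=1301))
```

Separating "stale" from "invalid" lets a server answer an expired nonce with `stale=true` (RFC 2617) so the client retries without prompting for credentials again. A stateless nonce like this can still be replayed inside its timeout window unless the server also tracks the nonce count.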