Re: [libmicrohttpd] Doubt about digest auth algorithm
From: Christian Grothoff
Subject: Re: [libmicrohttpd] Doubt about digest auth algorithm
Date: Sun, 13 Mar 2016 14:36:05 +0100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

Dear Silvio,

Yes, the difference is that with basic_auth, MHD "returns" you the
password the user provided. This is not possible with digest auth. Here,
you must provide the password and call MHD_digest_auth_check().

So with digest auth, you first use MHD_digest_auth_get_username() to
find out the username, then look up the pass in your DB and then call
MHD_digest_auth_check() with user/pass/realm/timeout to check the PW. If
you get back MHD_NO or MHD_INVALID_NONCE you should then call
MHD_queue_fail_auth_response() to ask the user to re-authenticate.
"signal_stale" should be set in this call if you got back MHD_INVALID_NONCE.

Happy hacking!

Christian

On 03/10/2016 01:51 PM, silvioprog wrote:
> Hello listers,
>
> First, thanks for the rich auth demos available in the MHD, it was very
> useful for understanding how the popular auths work.
>
> I have a small question about the digest auth: how to check if the user
> password is correct? I have an example (in pseudo code) to check if my
> logic is correct:
>
> /* my digest check logic */
> #include <stdbool.h>
> #include <string.h>
>
> bool isAuthenticated(const char *user, const char **refPass) {
>   /* compare string contents; == would only compare the pointers */
>   bool userOK = (strcmp(user, "my-user") == 0);
>   /* get the my-user password from database */
>   *refPass = "my-pass"; /* got from my database */
>   /* in my real code, if this function returns true, the next func called
>      will be MHD_digest_auth_check() receiving the refPass content */
>   return userOK;
> }
>
> It seems that I need to get the user password from some place, and send
> it to the MHD_digest_auth_check().
>
> It is a little bit different from basic auth, where I just need to decode
> a base64 and get a string like "user:pass". BTW, is my digest check
> logic correct?
>
> --
> Silvio Clécio
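The sequence described in the reply above, as an added example that is not part of the original thread or of libmicrohttpd: get the username, look up its password, check the digest, and on failure queue a challenge with signal_stale set only for MHD_INVALID_NONCE. The MHD_* definitions are offline stand-ins that copy the library's signatures (the header declares the challenge call as MHD_queue_auth_fail_response()). Assumptions: lookup_password(), require_digest_auth(), the realm and opaque strings, the 300-second nonce timeout and the connection test double are all constructed for illustration.

```c
/* Added example. The MHD_* items below are offline stand-ins with the
 * libmicrohttpd signatures; in a real build, replace this section with
 * #include <microhttpd.h>. */
#include <stdlib.h>
#include <string.h>
#define MHD_YES 1
#define MHD_NO 0
#define MHD_INVALID_NONCE -1
struct MHD_Response;
struct MHD_Connection {            /* constructed test double */
  const char *user, *pass;         /* what the client sent (user may be NULL) */
  int nonce_ok;                    /* 0 simulates an expired nonce */
  int stale_sent;                  /* signal_stale of the queued 401, -1 = none */
};
static char *MHD_digest_auth_get_username(struct MHD_Connection *c) {
  char *u = c->user ? malloc(strlen(c->user) + 1) : NULL;
  return u ? strcpy(u, c->user) : NULL;
}
static int MHD_digest_auth_check(struct MHD_Connection *c, const char *realm,
    const char *user, const char *pass, unsigned int nonce_timeout) {
  (void) realm; (void) user; (void) nonce_timeout;
  if (!c->nonce_ok) return MHD_INVALID_NONCE;
  return strcmp(pass, c->pass) == 0 ? MHD_YES : MHD_NO;
}
static int MHD_queue_auth_fail_response(struct MHD_Connection *c,
    const char *realm, const char *opaque, struct MHD_Response *resp, int signal_stale) {
  (void) realm; (void) opaque; (void) resp;
  c->stale_sent = signal_stale;
  return MHD_YES;
}
/* ---- end of stand-ins; application code follows ---- */

/* Hypothetical credential store: NULL means unknown user. */
static const char *lookup_password(const char *user) {
  return strcmp(user, "my-user") == 0 ? "my-pass" : NULL;
}

/* MHD_YES: caller may serve the resource. MHD_NO: a 401 challenge was queued. */
static int require_digest_auth(struct MHD_Connection *c, struct MHD_Response *denied) {
  char *user = MHD_digest_auth_get_username(c);
  const char *pass = user ? lookup_password(user) : NULL;
  /* Missing header and unknown user get the same challenge as a wrong password. */
  int rc = pass ? MHD_digest_auth_check(c, "example-realm", user, pass, 300) : MHD_NO;
  free(user);                      /* the username is heap-allocated for the caller */
  if (rc == MHD_YES) return MHD_YES;
  MHD_queue_auth_fail_response(c, "example-realm", "constructed-opaque", denied,
                               rc == MHD_INVALID_NONCE ? MHD_YES : MHD_NO);
  return MHD_NO;
}
```

In a real access handler, the value returned by the queue call is what the handler returns to MHD; the helper above drops it to keep the flow short.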