HTTP digest authentiction not working?

[schoettl]

Hi, thank you for this library!

I tried to access an API using digest authentication.

This works:

curl --digest -u "user:pass" http://localhost/private/test.txt

This does not work:

curlGetString "http://localhost/private/test.txt" [CurlHttpAuth [HttpAuthDigest], CurlHeader True, CurlUserName "user", CurlUserPassword "pass"]

The output suggests that only one request is done.

(CurlHttpReturnedError,"HTTP/2 401 \r\ndate: Thu, 15 Dec 2022 22:56:03 GMT\r\ncontent-type: application/json; charset=UTF-8\r\ncontent-length: 152\r\nserver: nginx/1.14.0 (Ubuntu)\r\nwww-authenticate: Digest realm=\"Xentral-API\",qop=\"auth\",nonce=\"602d44f9a3a6ee1f52fadxxxxxx\",opaque=\"533118e447c76f15f7axxxxxxx\"\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\nx-frame-options: SAMEORIGIN\r\n\r\n")

But the command line curl -vv suggests that for digest auth a follow-up request is made. Maybe that follow up is not implemented? Any ideas on this?

[schoettl]

I setup a local test server with digest auth using apache:

htdigest -c /srv/http/passwd.digest 'private area' user
mkdir -p /srv/http/private
echo test > /srv/http/private/test.txt

Enable digest auth in apache/httpd (https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html) and
also enable the mod_auth_digest in /etc/httpd/conf/httpd.conf.

---

Then I used tcpdump --interface lo -vv -w /tmp/curl to capture the the TCP/HTTP traffic.

I compared the traffic caused by the two one-liners in my first post:

• curl at command line makes two HTTP requests and gives the correct result.
• curlGetString from the Haskell library only makes one HTTP request and returns (CurlHttpReturnedError,"").

Looking at the library's source, I couldn't find or fix the bug. With some help I'd like to try to fix it though. Currently I use command [] "curl" ["--digest", "-u", userpass, url] from the command library. Shady... but it's a simple working solution.