libmicrohttpd

Re: [libmicrohttpd] Doubt about digest auth algorithm


From: Christian Grothoff
Subject: Re: [libmicrohttpd] Doubt about digest auth algorithm
Date: Sun, 13 Mar 2016 14:36:05 +0100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.5.1

Dear Silvio,

Yes, the difference is that with basic_auth, MHD "returns" you the
password the user provided. This is not possible with digest auth. Here,
you must provide the password and call MHD_digest_auth_check().

So with digest auth, you first use MHD_digest_auth_get_username() to
find out the username, then look up the pass in your DB and then call
MHD_digest_auth_check() with user/pass/realm/timeout to check the PW. If
you get back MHD_NO or MHD_INVALID_NONCE you should then call
MHD_queue_fail_auth_response() to ask the user to re-authenticate.
"signal_stale" should be set in this call if you got back MHD_INVALID_NONCE.

Happy hacking!

Christian

On 03/10/2016 01:51 PM, silvioprog wrote:
> Hello listers,
> 
> First, thanks for the rich auth demos available in the MHD, it was very
> useful for understanding how the popular auths work.
> 
> I have a small question about the digest auth: how to check if the user
> password is correct? I have an example (in pseudo code) to check if my
> logic is correct:
> 
> /* my digest check logic */
> #include <stdbool.h>
> #include <string.h>
>
> bool isAuthenticated(const char *user, const char **refPass) {
>   /* compare the string contents, not the pointers */
>   bool userOK = (strcmp(user, "my-user") == 0);
>   // get the my-user password from database
>   *refPass = "my-pass"; // got from my database
>   // in my real code, if this function returns true, the next func called
>   // will be MHD_digest_auth_check() receiving the refPass content
>   return userOK;
> }
> 
> It seems that I need to get the user password from some place, and send
> it to the MHD_digest_auth_check().
> 
> It is a little bit different from basic auth, that I just need to decode
> a base64 and the a string like "user:pass". BTW, is my digest check
> logic correct?
> 
> -- 
> Silvio Clécio
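
Added example, not part of the original thread and not libmicrohttpd code: a sketch of why a Basic header yields the password while a Digest header only carries a hash that the server must recompute from the stored password (RFC 2617, qop=auth). It is written in Python so it runs without the library; the function names and the PASSWORDS table are hypothetical, and the sample values are the RFC 2617 examples.

```python
import base64
import hashlib
import hmac

# Hypothetical credential store standing in for "your DB".
PASSWORDS = {"Mufasa": "Circle Of Life", "Aladdin": "open sesame"}

# Digest parameters from the RFC 2617 section 3.5 sample exchange.
RFC_SAMPLE = {
    "username": "Mufasa", "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_credentials(header_value):
    """Basic: the token is base64("user:pass"), so the password comes back."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def expected_response(user, password, realm, method, p):
    """Digest, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")


def check_digest(p, realm, method):
    """Username first, then password lookup, then recompute and compare."""
    password = PASSWORDS.get(p.get("username"))
    if password is None or p.get("qop") != "auth":
        return False  # unknown user or unsupported qop: ask to re-authenticate
    try:
        want = expected_response(p["username"], password, realm, method, p)
        return hmac.compare_digest(want, p["response"].lower())
    except (KeyError, TypeError):
        return False  # missing or malformed field in the header
```

Nonce freshness, which decides whether the failure response should signal a stale nonce, is not modelled here.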
