Can't get digest auth to work with node.js


Problem description


I'm trying to get a simple (!) digest authentication working with node js using an API from gathercontent.com.


Everything seems to be working except I still get a "Wrong credentials" response that looks like this:

{ success: false, error: 'Wrong Credentials!' }


The code looks like this:

var https = require('https'),
    qs = require('querystring'),
    apikey = "[my api key goes in here]",
    pwd = "[my password goes in here]",
    crypto = require('crypto');


module.exports.apiCall = function () {

    var options = {
        host:'abcdefg.gathercontent.com',
        port:443,
        path:'/api/0.1/get_pages_by_project/get_me',
        method:'POST',
        headers:{
            "Accept":"application/json",
            "Content-Type":"application/x-www-form-urlencoded"
        }
    };

    var req = https.request(options, function (res) {

        res.on('data', function (d) {
            var creds = JSON.parse(d);


            var parsedDigest = parseDigest(res.headers['www-authenticate']);
            console.log(parsedDigest);
            var authopts = {
                host:'furthercreative.gathercontent.com',
                port:443,
                path:'/api/0.1/get_pages_by_project/get_me',
                method:'POST',
                headers:{
                    "Accept":"application/json",
                    "Content-Type":"application/x-www-form-urlencoded",
                    "Authorization" : getAuthHeader(parsedDigest, apikey, parsedDigest['Digest realm'], pwd)
                }
            };

            console.log(authopts);
            console.log('\n\n\n');
            var req2 = https.request(authopts, function (res2) {
                console.log("statusCode: ", res2.statusCode);
                console.log("headers: ", res2.headers);


                res2.on('data', function (d2) {
                    var result = JSON.parse(d2);

                });
            });

            req2.end();



        });

    });


    req.write('id=1234');

    req.end();

    req.on('error', function (e) {
        console.error(e);
    });

};

function parseDigest(s){

    var parts = s.split(',');
    var obj = {};
    var nvp = '';

    for(var i = 0; i < parts.length; i++){

        nvp = parts[i].split('=');
        obj[nvp[0]] = nvp[1].replace(/"/gi, '');
    }



    return obj;
}

function getAuthHeader(digest, apikey, realm, pwd){
    var md5 = crypto.createHash('md5');
    var s = '';

    var nc = '00000001';
    var cn = '0a4f113b';

    var HA1in = apikey+':'+realm+':'+pwd;
    md5 = crypto.createHash('md5');
    md5.update(HA1in);
    var HA1out = md5.digest('hex');

    var HA2in = 'POST:/api/0.1/get_pages_by_project/get_me';
    md5 = crypto.createHash('md5');
    md5.update(HA2in);
    var HA2out = md5.digest('hex');

    md5 = crypto.createHash('md5');
    var respIn = HA1out + ':' + digest.nonce + ':'+nc+':'+cn+':'+digest.qop+':'+ HA2out;
    md5.update(respIn);
    var resp = md5.digest('hex');


    s = [   'Digest username="',apikey,'", ',
        'realm="',digest['Digest realm'],'", ',
        'nonce="',digest.nonce,'", ',
        'uri="/api/0.1/get_pages_by_project/get_me", ',
        'cnonce="',cn,'", ',
        'nc="',nc,'", ',
        'qop="',digest.qop,'", ',
        'response="',resp,'", ',
        'opaque="',digest.opaque,'"'].join('');

    return s;
}


I'd try and Curl to it but I'm not sure how!


Any help appreciated!

Recommended answer


I see a couple of issues potentially related to your problem. It's hard to tell which ones are the actual culprits, not knowing anything about gathercontent's implementation. If you pasted an example of their 'WWW-Authenticate' header, it would be much easier to provide specific help.


So I'm speculating what the actual cause is, but here are some actual problems that you should address anyway, to conform to the spec (i.e. protect it from breaking in the future because the server starts doing things slightly differently):

  • in the Authorization headers you are creating, remove the double quotes around nc, and maybe also qop
  • I don't know what qop value gathercontent is using. If it's auth-int, then you'd also have to append the hashed HTTP body to HA2, see #3.2.2.3 of the spec - furthermore, they might be specifying a comma-separated list of qop values for you to choose from - or the server might not send a value for qop at all, i.e. they use the most basic form of HTTP digest auth, in which case your implementation would be violating the spec, as then you aren't allowed to e.g. send a cnonce, nc etc.
  • you try to get the realm via parsedDigest['Digest realm'], i.e. you are assuming that the realm is the first attribute after the initial Digest keyword. That might or might not be the case, but you should not rely upon it (modify your parseDigest function to strip off the string "Digest " before splitting the rest)
  • the way you use parsedDigest, you make the assumption that Digest is always capitalized that way, and that realm, nonce, etc. are always in lowercase. According to the spec, these are all case-insensitive


A couple of unrelated issues:

  • Does the server really force you to use Digest authentication? This is HTTPS, so you might as well do Basic authentication, it's way easier, and with HTTPS, just as safe. (Answering myself here, after checking out gathercontent: Basic auth is apparently not possible, see http://help.gathercontent.com/customer/portal/articles/250475-getting-started-with-gathercontent-api)
  • As mentioned in my comment to your question, cnonce should be random for every request, especially, you shouldn't copy and paste it from Wikipedia, which makes you more vulnerable (but not an issue here, as all data goes over SSL anyway in your case)


Regarding how to curl it - try this:

curl --data 'id=1234' --digest --user "apikey:pwd" https://abcdefg.gathercontent.com:443/api/0.1/get_pages_by_project/get_me
