不能得到消化权威性与Node.js的工作 [英] Cant get digest auth to work with node.js
问题描述
我试图得到一个简单的(!)摘要式身份验证使用的API从gathercontent.com与节点JS工作。
I'm trying to get a simple (!) digest authentication working with node js using an an API from gathercontent.com.
一切似乎除了工作我还得到一个错误的凭据的回应,看起来是这样的:
Everything seems to be working except I still get a "Wrong credentials" response that looks like this:
{ success: false, error: 'Wrong Credentials!' }
在code是这样的:
The code looks like this:
var https = require('https'),
qs = require('querystring');
apikey = "[my api key goes in here]",
pwd = "[my password goes in here]",
crypto = require('crypto');
module.exports.apiCall = function () {
var options = {
host:'abcdefg.gathercontent.com',
port:443,
path:'/api/0.1/get_pages_by_project/get_me',
method:'POST',
headers:{
"Accept":"application/json",
"Content-Type":"application/x-www-form-urlencoded"
}
};
var req = https.request(options, function (res) {
res.on('data', function (d) {
var creds = JSON.parse(d);
var parsedDigest = parseDigest(res.headers['www-authenticate']);
console.log(parsedDigest);
var authopts = {
host:'furthercreative.gathercontent.com',
port:443,
path:'/api/0.1/get_pages_by_project/get_me',
method:'POST',
headers:{
"Accept":"application/json",
"Content-Type":"application/x-www-form-urlencoded",
"Authorization" : getAuthHeader(parsedDigest, apikey, parsedDigest['Digest realm'], pwd)
}
};
console.log(authopts);
console.log('\n\n\n');
var req2 = https.request(authopts, function (res2) {
console.log("statusCode: ", res2.statusCode);
console.log("headers: ", res2.headers);
res2.on('data', function (d2) {
var result = JSON.parse(d2);
});
});
req2.end();
});
});
req.write('id=1234');
req.end();
req.on('error', function (e) {
console.error(e);
});
};
function parseDigest(s){
var parts = s.split(',');
var obj = {};
var nvp = '';
for(var i = 0; i < parts.length; i++){
nvp = parts[i].split('=');
obj[nvp[0]] = nvp[1].replace(/"/gi, '');
}
return obj;
}
function getAuthHeader(digest, apikey, realm, pwd){
var md5 = crypto.createHash('md5');
var s = '';
var nc = '00000001';
var cn = '0a4f113b';
var HA1in = apikey+':'+realm+':'+pwd;
md5 = crypto.createHash('md5');
md5.update(HA1in);
var HA1out = md5.digest('hex');
var HA2in = 'POST:/api/0.1/get_pages_by_project/get_me';
md5 = crypto.createHash('md5');
md5.update(HA2in);
var HA2out = md5.digest('hex');
md5 = crypto.createHash('md5');
var respIn = HA1out + ':' + digest.nonce + ':'+nc+':'+cn+':'+digest.qop+':'+ HA2out;
md5.update(respIn);
var resp = md5.digest('hex');
s = [ 'Digest username="',apikey,'", ',
'realm="',digest['Digest realm'],'", ',
'nonce="',digest.nonce,'", ',
'uri="/api/0.1/get_pages_by_project/get_me", ',
'cnonce="',cn,'", ',
'nc="',nc,'", ',
'qop="',digest.qop,'", ',
'response="',resp,'", ',
'opaque="',digest.opaque,'"'].join('')
return s;
}
我想尝试和卷曲,但我不知道怎么办!
I'd try and Curl to it but I'm not sure how!
任何帮助AP preciated!
Any help appreciated!
推荐答案
我看到一对夫妇的问题可能涉及您的问题。这很难说哪些是实际的罪魁祸首,不知道有关gathercontent的具体实现。如果你粘贴自己的WWW身份验证标头的一个例子,它会更容易提供具体的帮助。
I see a couple of issues potentially related to your problem. It's hard to tell which ones are the actual culprits, not knowing anything about gathercontent's implementation. If you pasted an example of their 'WWW-Authenticate' header, it would be much easier to provide specific help.
所以我猜测真正的原因是什么,但这里有一些现实问题,你无论如何都应该处理,以符合规范(即因为服务器开始做的事情略有不同保护它在将来打破):
So I'm speculating what the actual cause is, but here are some actual problems that you should address anyway, to conform to the spec (i.e. protect it from breaking in the future because the server starts doing things slightly differently):
- 在您创建的
授权
标题,删除双引号围绕NC
,可能还有的保护级别
- 我不知道是什么
的保护级别
值gathercontent使用。如果它的AUTH-INT
,然后你还必须散列HTTP主体追加到HA2
,请参阅该规范的#3.2.2.3 - 此外,他们可能会被指定的逗号分隔的QOP值作为您选择的列表 - 或者服务器的可能不会派人的保护级别
所有,也就是说,它们用最基本的从HTTP的消化权威性,在您的实现将是违反的规范,因为那么你就不能如发送cnonce
,NC
等 - 您尝试通过
parsedDigest [文摘境界']
,即你是假设境界$拿到境界C $ C>是初始
关键字之后的第一个属性。这可能是也可能不是这样,但你不应该依赖它(修改摘要
parseDigest
功能剥离字符串消化的code>分裂的其余部分)前
- 您使用
parsedDigest
顺便说一下,你作出这样的假设摘要总是大写的方式,而境界
,现时
等总是小写。根据规范,这些都是区分大小写
- in the
Authorization
headers you are creating, remove the double quotes aroundnc
, and maybe alsoqop
- I don't know what
qop
value gathercontent is using. If it'sauth-int
, then you'd also have to append the hashed HTTP body toHA2
, see #3.2.2.3 of the spec - furthermore, they might be specifying a comma-separated list of qop values for you to choose from - or the server might not send a value forqop
at all, i.e. they use the most basic from of HTTP digest auth, in which your implementation would be violating the spec, as then you aren't allowed to e.g. send acnonce
,nc
etc. - you try to get the realm via
parsedDigest['Digest realm']
, i.e. you are assuming that therealm
is the first attribute after the initialDigest
keyword. That might or might not be the case, but you should not rely upon it (modify yourparseDigest
function to strip of the string"Digest "
before splitting the rest) - the way you use
parsedDigest
, you make the assumption that Digest is always capitalized that way, and thatrealm
,nonce
, etc. are always in lowercase. According to the spec, these are all case-insensitive
一对夫妇的无关的问题:
A couple of unrelated issues:
- 服务器是否真的强迫你使用
摘要式身份验证
?这是HTTPS,所以你还不如做基本身份验证
,它的方式更容易,使用HTTPS,一样安全。 (这里回答自己,检查出gathercontent后:基本身份验证显然是<一个href=\"http://help.gathercontent.com/customer/portal/articles/250475-getting-started-with-gathercontent-api\"相对=nofollow>不可能) - 正如我在你的问题发表评论时提及,
cnonce
应该是随机为每个请求,尤其是,你不应该复制并从的维基百科,它让你更容易(但这里不是一个问题,因为所有的数据都要通过SSL反正你的情况)
- Does the server really force you to use
Digest authentication
? This is HTTPS, so you might as well doBasic authentication
, it's way easier, and with HTTPS, just as safe. (Answering myself here, after checking out gathercontent: Basic auth is apparently not possible) - As mentioned in my comment to your question,
cnonce
should be random for every request, especially, you shouldn't copy and paste it from Wikipedia, which makes you more vulnerable (but not an issue here, as all data goes over SSL anyway in your case)
关于如何卷曲它 - 试试这个:
Regarding how to curl it - try this:
curl --data 'id=1234' --digest --user "apikey:pwd" https://abcdefg.gathercontent.com:443/api/0.1/get_pages_by_project/get_me
这篇关于不能得到消化权威性与Node.js的工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!