Age | Commit message | Author
There is no reason to use old-style classes beyond laziness.
Said RFC is quite precise on which values of a challenge are to be
quoted. I didn't honour those parts and many applications do not enforce
these requirements, so I didn't notice. Now I explain which values are
to be quoted in the hopes that it works with "Wget/1.10.2 (Red Hat
modified)".
* added a number of internal links (L{...})
* some fixes
* some additions
Conflicts:
wsgitools/digest.py
The method no longer receives a start_response and is no longer
responsible for calling self.app. Instead it returns a dictionary with
the result of the authentication.
This is the inverse of parse_digest_response and also supports escaping
of backslashes and quotes.
The previous version did not handle escapes at all. Now I added two test
cases for escaping and rewrote the function to meet all test cases.
This shrinks the possibility of raising something from start_response
and maybe makes it possible to factor out this start_response modification later.
The BasicAuthMiddleware and AuthDigestMiddleware now derive from
AuthenticationMiddleware which provides common functionality.
The interface of this internal function has changed in a backwards
incompatible way. The last parameter is no longer the bool stale, but an
exception now, which encodes more information than the previous bool.
This was made possible by the previous commit. This exception can then
be used by the new method www_authenticate to generate a suitable
WWW-Authenticate header. The idea behind this change is that at some
point it should be possible to override authorization_required (still
internal now) to evaluate what condition led to the failure and to
generate custom error pages.
Instead of randomly raising KeyErrors or ValueErrors we can now see more
meaningful ProtocolViolations and StaleNonces. Note that this change
should be invisible to users who do not mess with internals.
It probably gained this bit later than shown in history due to darcs not
tracking execute bits. The bit was probably added for doc tests which
moved to a designated file later.
AuthTokenGenerator gained a base class AbstractTokenGenerator. This
class provides an additional method check_password implementing the
interface required by BasicAuthMiddleware. In addition
AbstractTokenGenerator gained two subclasses HtdigestTokenGenerator and
UpdatingHtdigestTokenGenerator. They both read authentication
information from an Apache htdigest file. The latter also checks the file
for updates.
Prior to this change the digest module would check whether a nonce
looks like a nonce, verify the response and then verify the nonce.
This left a bit more room for brute forcing passwords, as the same
nonce could be used in arbitrarily many tries and a stale response
would indicate an authentication success. Now authentication is only
tried for valid nonces. This also makes the NonceStoreBase.isnonce
method superfluous.
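The ordering this commit describes, as an added example that is not wsgitools' own code: the nonce is checked first, and the Digest response is only computed for a nonce the server actually issued, has not expired and has not already been consumed. The `timestamp:hmac` nonce layout, the in-memory set of used nonces and the qop-less RFC 2617 response formula are assumptions of this example.

```python
import hashlib
import hmac
import time
# Added example, not wsgitools code. The nonce is validated before any
# password material is touched, so a forged, expired or reused nonce can
# never reveal whether the supplied response was correct.
# Assumed nonce layout: "<unix timestamp>:<hmac-sha256 of timestamp>".

class ProtocolViolation(Exception):
    """Nonce does not look like one this server issued."""
class StaleNonce(Exception):
    """Nonce is ours but has expired or was already used."""

class NonceStore:
    def __init__(self, secret, max_age=300):
        self.secret = secret          # bytes, server-side only
        self.max_age = max_age        # seconds a nonce stays valid
        self.used = set()             # one-shot nonces (a real store would expire entries)

    def _mac(self, ts):
        return hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest()

    def newnonce(self, now=None):
        ts = str(int(time.time() if now is None else now))
        return ts + ":" + self._mac(ts)

    def checknonce(self, nonce, now=None):
        """Raise ProtocolViolation for forged nonces, StaleNonce for old or reused ones."""
        ts, _, mac = nonce.partition(":")
        if not ts.isdigit() or not hmac.compare_digest(mac.encode(), self._mac(ts).encode()):
            raise ProtocolViolation("nonce was not issued by this server")
        now = time.time() if now is None else now
        if now - int(ts) > self.max_age or nonce in self.used:
            raise StaleNonce("nonce expired or already used")
        self.used.add(nonce)

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    return md5hex(ha1 + ":" + nonce + ":" + md5hex(method + ":" + uri))

def check_digest(store, ha1_by_user, method, params, now=None):
    """Return True only for a valid nonce *and* a matching response."""
    store.checknonce(params["nonce"], now)     # raises first, before any password work
    ha1 = ha1_by_user.get(params["username"])  # HA1 = MD5(user:realm:password), as in htdigest
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, params["uri"], params["nonce"])
    return hmac.compare_digest(expected.encode(), params["response"].encode())
```

With the old ordering a correct response on a reused or expired nonce would have been reported as "stale" (confirming the password); here it raises StaleNonce before the response is ever compared.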
Even Py2.4 can handle large parameters to int, so long is not needed.
These changes introduce some compatibility code. They don't make
wsgitools usable with Python 3.0, but they also don't break
compatibility with Python 2.5.
The methods now take an optional last parameter called ident. It can
be used to bind nonces to specific uses within one NonceStore.