instance method validate_digest_response

Ruby on Rails 6.1.7.10

Since v2.3.18

Available in: v2.3.18 v3.0.20 v3.1.12 v3.2.22.5 v4.0.13 v4.1.16 v4.2.9 v5.2.8.1 v6.0.6 v6.1.7.10 v7.0.10 v7.1.6 v7.2.3 v8.0.4 v8.1.2

Signature

validate_digest_response(request, realm, &password_procedure)

Returns false unless the request credentials response value matches the expected value. First try the password as a ha1 digest password. If this fails, then try it as a plain text password.

Parameters

request (required)
realm (required)
password_procedure (block)

Source
# File actionpack/lib/action_controller/metal/http_authentication.rb, line 207
      def validate_digest_response(request, realm, &password_procedure)
        secret_key  = secret_token(request)
        credentials = decode_credentials_header(request)
        valid_nonce = validate_nonce(secret_key, request, credentials[:nonce])

        if valid_nonce && realm == credentials[:realm] && opaque(secret_key) == credentials[:opaque]
          password = password_procedure.call(credentials[:username])
          return false unless password

          method = request.get_header("rack.methodoverride.original_method") || request.get_header("REQUEST_METHOD")
          uri    = credentials[:uri]

          [true, false].any? do |trailing_question_mark|
            [true, false].any? do |password_is_ha1|
              _uri = trailing_question_mark ? uri + "?" : uri
              expected = expected_response(method, _uri, credentials, password, password_is_ha1)
              expected == credentials[:response]
            end
          end
        end
      end

Defined in actionpack/lib/action_controller/metal/http_authentication.rb line 207

Defined in ActionController::HttpAuthentication::Digest
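
An added example, not taken from the Rails source: the RFC 2617 qop=auth response calculation behind the expected_response call in the listing, showing why the same check accepts either a stored HA1 or a plain-text password from the block. The helper names, credentials and nonce are constructed for illustration.

```ruby
require "digest/md5"

# Hypothetical helpers written for this example; they follow RFC 2617 (qop=auth)
# and are not part of the Rails API.
def ha1_for(username, realm, password)
  Digest::MD5.hexdigest([username, realm, password].join(":"))
end

def digest_response(method, uri, creds, secret, secret_is_ha1)
  ha1 = secret_is_ha1 ? secret : ha1_for(creds[:username], creds[:realm], secret)
  ha2 = Digest::MD5.hexdigest([method.to_s.upcase, uri].join(":"))
  Digest::MD5.hexdigest(
    [ha1, creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop], ha2].join(":")
  )
end

# Same shape as the nested any? loops in the source listing: up to four
# candidates, (uri + "?" | uri) x (secret is HA1 | secret is plain text).
def response_matches?(method, creds, secret)
  [true, false].any? do |trailing_question_mark|
    [true, false].any? do |secret_is_ha1|
      uri = trailing_question_mark ? creds[:uri] + "?" : creds[:uri]
      digest_response(method, uri, creds, secret, secret_is_ha1) == creds[:response]
    end
  end
end

# Constructed client side: builds the header fields and signs signed_uri
# with the plain-text password, as a browser would.
def sample_credentials(method, signed_uri, password)
  creds = { username: "alice", realm: "Admin", uri: "/reports", qop: "auth",
            nonce: "constructed-nonce", nc: "00000001", cnonce: "0a4f113b" }
  creds.merge(response: digest_response(method, signed_uri, creds, password, false))
end

if __FILE__ == $PROGRAM_NAME
  creds = sample_credentials("GET", "/reports", "s3cret")
  stored_ha1 = ha1_for("alice", "Admin", "s3cret")
  puts response_matches?("GET", creds, stored_ha1)  # block returned a stored HA1
  puts response_matches?("GET", creds, "s3cret")    # block returned plain text
  puts response_matches?("POST", creds, "s3cret")   # method is bound into HA2
end
```

A stored HA1 is enough on its own to compute a valid response for its realm, so it needs the same protection as the password it was derived from.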
