When using Tesla.Middleware.DigestAuth, Tesla always performs an HTTP GET request to retrieve authentication variables: https://github.com/teamon/tesla/blob/586c54372cef5ff8bcb570d2c1ad06fa2b81b833/lib/tesla/middleware/digest_auth.ex#L57-L63
Example code:
Output:
Please note that when authenticated, the response status should be 405 Method Not Allowed (because DELETE is not supported by this endpoint), not 401 Unauthorized.

However, servers may not include the WWW-Authenticate header in the response when the HTTP GET request method is used. For instance, sabre-io/Baikal does not return the WWW-Authenticate header when the GET method is used instead of MKCALENDAR. In such a case Tesla cannot compose the Authorization header for the subsequent request and silently ignores it.

Therefore the original HTTP method should be used to retrieve authentication variables. This behaviour has been verified with the Python Requests library as well as cURL on the digest authentication demo available at http://jigsaw.w3.org/HTTP/Digest/.
curl -v "http://jigsaw.w3.org/HTTP/Digest/" --digest -u guest:guest -X DELETE
Notice that the first request uses the DELETE method, not GET:
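The failure mode reported above, reproduced in-process as an added example (not code from the issue or from Tesla). The `server` stand-in, its credentials, realm and nonce, and all function names are constructed assumptions; it omits WWW-Authenticate on GET, as the issue reports for Baikal, and answers an authenticated DELETE with 405.

```python
import hashlib
import hmac
import re

# Constructed credentials and challenge values for the stand-in server below.
USER, PASSWORD, REALM, NONCE = "guest", "guest", "test", "abc123"

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_params(header):
    """Parse 'Digest k="v", k2=v2' into a dict (no commas inside values)."""
    return dict(re.findall(r'(\w+)="?([^",]+)"?', header.split(" ", 1)[1]))

def digest_header(ch, method, uri, user, password,
                  cnonce="0a4f113b", nc="00000001"):
    """Build an RFC 2617 qop=auth Authorization value (fixed cnonce for the demo)."""
    ha1 = md5(f"{user}:{ch['realm']}:{password}")
    ha2 = md5(f"{method}:{uri}")  # the request method is bound into the response
    resp = md5(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')

def server(method, uri, headers):
    """Constructed stand-in server: never sends a challenge in reply to GET."""
    auth = headers.get("Authorization")
    if auth:
        got = parse_params(auth)
        want = digest_header({"realm": REALM, "nonce": NONCE}, method, uri,
                             USER, PASSWORD, got["cnonce"], got["nc"])
        if hmac.compare_digest(got["response"], parse_params(want)["response"]):
            return (405 if method == "DELETE" else 200), {}
    if method == "GET":
        return 401, {}
    challenge = f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"'
    return 401, {"WWW-Authenticate": challenge}

def request(method, uri, probe_method):
    """Probe for a challenge with probe_method, then send the real request."""
    _, hdrs = server(probe_method, uri, {})
    challenge = hdrs.get("WWW-Authenticate")
    if challenge is None:
        return server(method, uri, {})[0]  # no challenge: sent unauthenticated
    auth = digest_header(parse_params(challenge), method, uri, USER, PASSWORD)
    return server(method, uri, {"Authorization": auth})[0]

if __name__ == "__main__":
    print(request("DELETE", "/HTTP/Digest/", probe_method="GET"))
    print(request("DELETE", "/HTTP/Digest/", probe_method="DELETE"))
```

Because the method is hashed into the digest response, a header computed for GET is also rejected when replayed on a DELETE, which is a second reason to keep the probe and the real request on the same method.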