Hi all,
I've got a problem with HTTP Digest Authentication after upgrading Rails to 2.3.2. It seems that it is broken for the PUT and DELETE request methods. Here is what I did:
1. Generated a new Rails app in Rails 2.3.2
2. Added a sample scaffold model Post name:string
3. Added a simple HTTP Digest Authentication filter to the application controller:
----------------code-----------------
USERS = { 'lifo' => 'world', 'pretty' => 'please', 'a' => 'b' }

before_filter :digest_authenticate

def digest_authenticate
  authenticate_or_request_with_http_digest do |login|
    USERS[login]
  end
end
----------------code-----------------
It works fine for the index, new, create and show actions, but for destroy (DELETE) and update (PUT) the htaccess popup appears and doesn't allow me to update or delete (of course I put in the correct login/password data :))
Have you also got a problem with this? I've reviewed the action_pack source code and it seems that in these lines: http://github.com/rails/rails/blob/18eb80ccc7e932f9a6c00462ceaeea648631b120/actionpack/lib/action_controller/http_authentication.rb (197, 198)

expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
expected == credentials[:response]

there are different values generated for the PUT and DELETE request methods.
Regards
Grzesiek F.
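
An added illustration, not part of the original post and not Rails' own code: the RFC 2617 digest calculation (qop=auth) showing that the request method is hashed into the response, so a server that verifies with a different method than the client hashed rejects a correct password. The helper names, realm, nonce, cnonce and URI are constructed, and the POST-versus-PUT scenario (a form carrying a method override) is an assumption rather than something the post establishes.

```ruby
require 'digest/md5'

# RFC 2617 digest (qop=auth). Helper names are illustrative, not Rails' API.
def ha1(user, realm, password)
  Digest::MD5.hexdigest("#{user}:#{realm}:#{password}")
end

def digest_response(method, uri, ha1, c)
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}") # request method is part of A2
  Digest::MD5.hexdigest([ha1, c[:nonce], c[:nc], c[:cnonce], c[:qop], ha2].join(':'))
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: recompute with the method the server sees, then compare with
# the response value the client sent.
def valid_response?(server_method, uri, ha1, credentials)
  expected = digest_response(server_method, uri, ha1, credentials)
  secure_compare(expected, credentials[:response])
end

# Constructed sample values (realm, nonce, cnonce and URI are made up).
SAMPLE_HA1 = ha1('lifo', 'Application', 'world')
SAMPLE = { nonce: 'constructed-nonce', nc: '00000001', cnonce: '0a4f113b', qop: 'auth' }

# Assumption: the client hashed the wire method (POST) for a form that carries
# a method override, while the server verifies against PUT.
def mismatch_demo
  client = digest_response('POST', '/posts/1', SAMPLE_HA1, SAMPLE)
  creds = SAMPLE.merge(response: client)
  { same_method: valid_response?('POST', '/posts/1', SAMPLE_HA1, creds),
    overridden:  valid_response?('PUT', '/posts/1', SAMPLE_HA1, creds) }
end

puts mismatch_demo.inspect if __FILE__ == $PROGRAM_NAME
```

When debugging a case like this, logging the method string on both sides of the comparison shows whether the two ends hashed the same value.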