studio-b12 / gowebdav

A golang WebDAV client library and command line tool.
BSD 3-Clause "New" or "Revised" License

Bug #14 fixed #17

Closed MrVine closed 6 years ago

MrVine commented 6 years ago

The problem was that Apache HTTPS Server does not provide the opaque field in its 401 Unauthorized response, but gowebdav was trying to read it and add this field to the Authorization header of the next request.

This is an example of the gowebdav <--> Apache HTTPS Server interaction to visualize the problem and show the solution:

Client request

PROPFIND /user HTTP/1.0
Host: mydav.me

Server response

Connection →       Keep-Alive
Content-Length →   457
Content-Type →     text/html; charset=iso-8859-1
Date →             Wed, 20 Jun 2018 00:08:07 GMT
Keep-Alive →       timeout=5, max=100
Server →           Apache/2.4.18 (Ubuntu)
WWW-Authenticate → Digest realm="webdav", 
                   nonce="luTmlwdvBQA=7a7e41a1027643ba1f7b3c34d4e52133e2ee6a3c", 
                   algorithm=MD5, 
                   qop=auth
<!DOCTYPE HTML>
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at mydav.me Port 443</address>
</body></html>

OLD Client request

....
Authorization → Digest username="user", 
                realm="webdav", 
                nonce="luTmlwdvBQA=7a7e41a1027643ba1f7b3c34d4e52133e2ee6a3c", 
                uri="/user/", 
                qop="auth", 
                nc="1", 
                cnonce="558ea95e33ae7443", 
                response="bca502a89e83835f723320019706a606"
                opaque=""

NEW Client request

....
Authorization → Digest username="user", 
                realm="webdav", 
                nonce="luTmlwdvBQA=7a7e41a1027643ba1f7b3c34d4e52133e2ee6a3c", 
                uri="/user/", 
                qop=auth, 
                nc=1, 
                cnonce="558ea95e33ae7443", 
                response="bca502a89e83835f723320019706a606"

As you see, the following changes were made:
1) the empty opaque field was removed
2) the quotes around the qop field were removed (the server requires this field without quotes)
3) the quotes around the nc field were removed (this field is a number, which is why it should be specified without quotes)

These changes allow our request to be authorized correctly and fix bug #14.
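An added example (not gowebdav's code and not part of the pull request) of building the header the way the comment above describes: qop and nc unquoted, opaque sent only when the challenge carried one. The function names, the password and the MD5/qop=auth-only handling are assumptions of this example; nc is formatted as the eight hex digits RFC 2617 defines.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// paramRe matches key="quoted value" or key=token pairs in a challenge.
var paramRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|([^\s,]+))`)

// parseChallenge returns the parameters of a Digest WWW-Authenticate value.
func parseChallenge(header string) map[string]string {
	params := map[string]string{}
	for _, m := range paramRe.FindAllStringSubmatch(header, -1) {
		params[m[1]] = m[2] + m[3] // only one of the two groups is non-empty
	}
	return params
}

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// digestAuthorization builds the Authorization value for MD5 with qop=auth
// (assumed here; auth-int and MD5-sess are not handled).
func digestAuthorization(ch map[string]string, user, pass, method, uri, cnonce string, count int) string {
	nc := fmt.Sprintf("%08x", count) // RFC 2617 nc-value: eight hex digits, unquoted
	ha1 := md5hex(user + ":" + ch["realm"] + ":" + pass)
	ha2 := md5hex(method + ":" + uri)
	resp := md5hex(strings.Join([]string{ha1, ch["nonce"], nc, cnonce, "auth", ha2}, ":"))
	auth := fmt.Sprintf(`Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"`,
		user, ch["realm"], ch["nonce"], uri, nc, cnonce, resp)
	if opaque := ch["opaque"]; opaque != "" { // echo opaque only when the server sent one
		auth += fmt.Sprintf(`, opaque="%s"`, opaque)
	}
	return auth
}

func main() {
	// Challenge copied from the server response above; the password is constructed.
	ch := parseChallenge(`Digest realm="webdav", nonce="luTmlwdvBQA=7a7e41a1027643ba1f7b3c34d4e52133e2ee6a3c", algorithm=MD5, qop=auth`)
	fmt.Println(digestAuthorization(ch, "user", "example-password", "PROPFIND", "/user/", "558ea95e33ae7443", 1))
}
```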