bobziuchkovski / digest Goto Github PK

The RFC states that a challenge can be re-used for more than one request. This let's you avoid making 2 round-trips for every request. The transport implementation doesn't do that.

There is no cookie handling in the RoundTrip function for the cookies possibly returned by the first request

func httpCall(method, uri string, payload []byte) (*http.Response, error){

   data, err := json.Marshal(map[string]interface{}{
	"password": "123456",
})

t := digest.NewTransport(config.Mongo.PublicKey, config.Mongo.PrivateKey)
   req, err := http.NewRequest(method, uri, bytes.NewReader(data))
req.Header.Set("Content-Type", "application/json")
res, err := t.RoundTrip(req)
log.Printf("%+v", res)
return res, err

}

PATCH Request Throws 400 Bad Request, But the same function works for GET method

I am trying to hit MongoDB Update User API to change password i.e. https://www.mongodb.com/docs/atlas/reference/api/database-users-update-a-user/

{Status:400 Bad Request StatusCode:400 Proto:HTTP/2.0 ProtoMajor:2 ProtoMinor:0 Header:map[Content-Length:[185] Content-Type:[application/json] Date:[Wed, 13 Apr 2022 00:19:19 GMT] Referrer-Policy:[strict-origin-when-cross-origin] Server:[envoy] Strict-Transport-Security:[max-age=31536000; includeSubdomains;] X-Content-Type-Options:[nosniff] X-Envoy-Upstream-Service-Time:[39] X-Frame-Options:[DENY] X-Mongodb-Service-Version:[gitHash=313eecc3b1fc39a689953c7a77f3ea15380e088e; versionString=v20220330] X-Permitted-Cross-Domain-Policies:[none]] Body:{cs:0xc0003ad800} ContentLength:185 TransferEncoding:[] Close:false Uncompressed:false Trailer:map[] Request:0xc000564c00 TLS:0xc0002aee70}

There is a bug with this library. If you use the wrapper to send http post with body (eg. json) you will get a "ContentLeng=... with Body length is 0" error. The reason being "body" in http.request object is io.reader, it is being read once when doing authentication and is depleted. When the actual request is sent to server after authenticated, the buffer is already drained and is empty, thus the length 0 error. I find this post particular useful , it fixes the bug:
https://stackoverflow.com/questions/23070876/reading-body-of-http-request-without-modifying-request-state

If the Digest contains a "charset" directive, (or anything not covered by the switch statement) it will throw a ErrBadChallenge Error. ("Challenge is bad").

One can add the additional cases into the switch to solve this of course, but for anyone wondering why the error appears...

Not sure what it says in the specification but the server I'm calling does not use whitespaces between params in the challenge. I.e. when splitting on comma plus whitespace it won't work.

My suggestion would be to split on comma (",") ONLY and then trim the individual parts.