[EMAIL PROTECTED] wrote:
> stas 2004/08/08 10:56:53
>
> Added: t/hooks authen_digest.t
> t/hooks/TestHooks authen_digest.pm
> Log:
> digest auth test

cool! I love that people are becoming as interested in Digest auth as I am :)

the only comment that I would make is that these tests aren't really testing the right thing. the only apache API we have access to is $r->note_digest_auth_failure, which has the job of setting a proper WWW-Authenticate header. the current tests only really test this by accident, relying on LWP's Digest implementation to handle the header appropriately.

so, really what I would do is manually check for the 401, which would indicate that Apache::HTTP_UNAUTHORIZED was returned, and check for WWW-Authenticate (and its properties), which would indicate that $r->note_digest_auth_failure was called (and given the proper fields, like the Realm).

all the rest of the server side code is really unnecessary as well - you could easily use $r->args to toggle whether $r->note_digest_auth_failure is called.

not that there is anything wrong with coding the server-side auth foo yourself, but what happens now is that someone who uses the tests as an example doesn't see that a) there are CPAN modules to do this and b) that the implementation is imperfect, since it only handles the old digest auth scheme and not the newer one (where stuff like qop is important).

so, there's nothing wrong with the tests per se, but it seems to me to be lots of unnecessary work that is (perhaps) not even really testing the right thing.

--Geoff
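
The check suggested in the message above (401 status plus a WWW-Authenticate Digest challenge carrying the expected realm), as an added example that is not part of the original message or of the mod_perl test suite. The function names parse_digest_challenge and digest_challenge_problems are hypothetical, and the header values are constructed samples rather than output captured from a server.

```perl
use strict;
use warnings;
use Test::More tests => 5;

# Parse a WWW-Authenticate value; returns a hashref of the Digest challenge
# parameters (keys lowercased), or undef if the scheme is not Digest.
sub parse_digest_challenge {
    my ($header) = @_;
    return unless defined $header && $header =~ /\A\s*Digest\s+(.*)\z/is;
    my $rest = $1;
    my %param;
    # auth-param = token "=" ( token | quoted-string ), comma separated
    while ($rest =~ /\G[\s,]*([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))/gc) {
        my ($key, $val) = (lc $1, defined $2 ? $2 : $3);
        $val =~ s/\\(.)/$1/g;    # undo quoted-pair escapes
        $param{$key} = $val;
    }
    return \%param;
}

# Problems with a response to a request that carried no credentials.
# An empty list means: 401 plus a Digest challenge for the expected realm.
sub digest_challenge_problems {
    my ($status, $www_authenticate, $realm) = @_;
    my @problems;
    push @problems, "status $status, expected 401" unless $status == 401;
    my $c = parse_digest_challenge($www_authenticate);
    return (@problems, 'no Digest challenge') unless $c;
    push @problems, 'wrong or missing realm'
        unless defined $c->{realm} && $c->{realm} eq $realm;
    push @problems, 'missing nonce'
        unless defined $c->{nonce} && length $c->{nonce};
    return @problems;
}

# Constructed sample headers, not captured from a real server.
my $old = 'Digest realm="example realm", nonce="3f1c9a7e5b"';
my $new = 'Digest realm="example \"quoted\" realm", nonce="3f1c9a7e5b", qop="auth,auth-int", algorithm=MD5';
my ($o, $n) = map { parse_digest_challenge($_) } $old, $new;

is_deeply([digest_challenge_problems(401, $old, 'example realm')], [], 'old-style challenge accepted');
is_deeply([digest_challenge_problems(200, undef, 'example realm')],
    ['status 200, expected 401', 'no Digest challenge'], 'no 401 and no challenge');
is_deeply([digest_challenge_problems(401, 'Basic realm="example realm"', 'example realm')],
    ['no Digest challenge'], 'Basic challenge is not Digest');
is($n->{realm}, 'example "quoted" realm', 'quoted-pair unescaped');
ok(!exists $o->{qop} && $n->{qop} eq 'auth,auth-int', 'qop marks the newer scheme');
```

In a real test the status and header would come from the response object for a request sent without credentials, so the result no longer depends on how the client library reacts to the challenge.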
