>> the only apache API we have access to is $r->note_digest_auth_failure, >> which >> has the job of setting a proper WWW-Authenticate header. the current >> tests >> only really test this by accident, relying on LWP's Digest >> implementation to >> handle the header appropriately. > > > right, that's exactly the purpose of this test: test > $r->note_digest_auth_failure, no more and no less. So no accidents here.
but see, you're doing lots more and a bit less. the test specifically tests for two things: that a known bad user/pass (and none at all) gets 401 and that a known user/pass gets 200. in the first case you're not testing $r->note_digest_auth_failure at all - the 401 is simply the result of the handler return value, and removing $r->note_digest_auth_failure would have the same effect. now, the second case is testing $r->note_digest_auth_failure but indirectly - you're not looking at what $r->note_digest_auth_failure does, but rather assuming that LWP is handling the overall challenge/response dialogue correctly. now, we rely on LWP all the time, so that's not really the issue I'm trying to argue. I'm only saying that if you look internally at what $r->note_digest_auth_failure is doing you're not testing that code specifically, you're only testing the effects of it. contrast this with the recent C-L tests, where we pull out the C-L header specifically since it's the behavior of $r->set_content_length (and other things) we're interested in. yeah, ok, this is all a bit academic - there's nothing really wrong with the tests as they stand. I'm just trying to illustrate a point, really :) > Feel free to improve it, as long as $r->note_digest_auth_failure is tested. I would alter it as I've suggested, ripping out the bulk of your weekend labors :) --Geoff --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
