Copyright ©

Mongoose OS Forum

ATTENTION! This forum has moved to:

Do not post any new messages.

need more public functions for digest authentication

Older mongoose (4.x) password protection was simple - I supplied the file name of password file and authentication was done internally before calling the user event handler (causing problems with the OPTIONS request required for JSON-RPC CORS support, which cannot/shouldnot authenticate).

Password with current mongoose 6.4 is more complicated. It does not call authentication at all (except when serving files? this is not well documented) and most functions required to do authentication have been made private (but thank you for exporting mg_http_check_digest_auth() in the latest development version).

In addition, in our web server, I want to implement an in-memory password file. This needs a custom version of mg_http_check_digest_auth() which in turn needs following functions to be made public: mg_mkmd5resp, mg_check_nonce.

Also mg_http_send_digest_auth_request needs to be public to make the browser prompt for the user name and password.

Then, to implement application-level per-user permissions, I would like for mg_http_check_digest_auth() to return the name of the authenticated user. (I suppose I can get the user name indirectly by looking at the http headers).

So this is a request for either: (a) export private functions needed for digest authentication, (b) improve mg_http_check_digest_auth() to use in-memory password file and return authenticated username (or password file entry).



  • SergeySergey Dublin, Ireland
    edited June 2016

    Ok, so the list of functions to be exported is:

    To summarize,

    • Export mg_http_send_digest_auth_request()
    • Change mg_http_check_digest_auth() to allow custom checks.

    Could you suggest an API for the custom checks please ?

  • I can now say that the digest authentication code inside the mongoose library is useless (as in "cannot be used usefully"): a) reading a file from disk to serve each http request is silly, b) a whole bunch of private functions have to be copied into user code, c) it fails on URLs in the form "http://host/?" (notice the unusual trailing "?" character).

    With some modifications, the mongoose code can be made to work, but to do so, I had to read enough RFCs that at the end it may have been faster to write my own code from scratch.

    This is a big step back from mongoose version 4 where digest authentication "just worked" out of the box.

    You are welcome to take a look at my working digest authentication and include my structure and/or ideas into the mongoose library, see
    functions check_digest_auth() and read_passwords() in mhttpd.cxx at


  • SergeySergey Dublin, Ireland

    Thank you for sharing it.
    In your code, passwd file is cached in memory, which may or may not be desirable. Mongoose does not use any caching. Maybe it makes sense to disable auth by default to prevent file checking on each request.

    @alex could you take a look at disabling Digest auth by default, and fixing it fails on URLs in the form "http://host/?" (notice the unusual trailing "?" character). please?

Sign In or Register to comment.