Understanding digest authentication - CodeIgniter Rest Server

Question

https://github.com/philsturgeon/codeigniter-restserver/

I have created an api using rest server above and need to login-protect it now. I know there are two methods in the rest server 1) basic, 2) digest

I am also using rest client to test this api

    $this->load->library('rest', array(  
        'server' => 'http://mynew/api/',  
        'http_user' => 'admin',  
        'http_pass' => '1234',  
        'http_auth' => 'basic', // or 'digest'  
        //'http_auth' => 'digest' 
    ));

  $user = $this->rest->get('listrecord', array('key' => 'mykey'), 'json'); 

I have $config['rest_valid_logins'] = array('admin' => '1234');

In the above code the "basic" auth works fine but when I change it to digest it says "Not Authorised". Please note when I make change here I also change config to digest too.

My understanding is that basic is not very secure? so that's why I think digest be better than it. Any ideas how do I get digest working?? thanks for your help. It maynot be codeigniter specific issue, I guess.

Answer 1

You might save yourself some trouble and use Basic authentication over SSL. If you're not using SSL, then I suppose Digest would be the way to go. Then again, if you are not using SSL, you're not really secure.

I would test your REST server using CURL to figure out whether your problem is on the client or server

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://mynew/api/");
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
curl_setopt($ch, CURLOPT_USERPWD, "admin:1234");

// need to get WWW-Authenticate header from the server (for realm and nonce) with a HEAD request
curl_setopt($ch, CURLOPT_NOBODY, 1);
curl_exec($ch);        

// the get the real output
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_HTTPGET, 1);
$output = curl_exec($ch);
echo $output;