WWW-Authenticate schema is not title cased, causes the request library to fail, Chrome to reprompted for auth

[myers]

 http://www.faqs.org/rfcs/rfc2617.html shows the auth scheme as being capitalized. Twisted 12.0 doesn't do this right. This causes the 'requests' python library to fail, and causes Chrome to prompt for username/password every time you reload a page.

[myers]

patch against trunk @ 34408

[itamar]

Since this is a patch that is ready for application, you want to add the 'review' keyword in the future so it ends up in the review queue.

[exarkun]

I don't object to changing this, but note that Twisted behaves correctly in this case.  According to RFC 2616, header field names are case insensitive. The bug really belongs to requests and Chrome.

[itamar]

Thanks for the bug report, this is indeed a problem. To clarify to JP, this isn't about the header, it's about the token identifying which schema is being used, e.g. "Basic" where we send "basic". The RFC has hard-coded strings, basically tokens, which we should be using. Therefore:

1. Rather than using title(), I would suggest changing the underlying schema names, e.g. from "basic" to "Basic" in twisted.web._auth.basic, and similarly for digest. That is, we should hard-code the correct schema name, rather than hard-coding a wrong one and then transforming it.
2. Digest will need an equivalent test to the basic making sure we send the correct value.

Please update the patch to address these two issues and re-add the "review" keyword; if you don't have the time to do so let me know and I can do the change, but then someone else will need to review it.

[myers]

I didn't make a test for digest like you asked. Ran out of time.

[itamarst]

(In [34413]) Branching to 'http-auth-5677'

[itamar]

Thanks for the update! Still missing a couple of tests, to make sure Digest is sent, and perhaps a tweak of the HTTP layer's leniency and corresponding test.

[itamar]

Which I've added myself. Ready for hopefully final review, and I started test run:

 http://buildbot.twistedmatrix.com/boxes-supported?branch=/branches/http-auth-5677

[exarkun]

Thanks!

1. The new tests which refer to the RFC could do with a link and a section reference. It's probably also worth pointing out that the string must exactly match, not just case-insensitively match.
2. The docstring (and, arguably, name) of _authorizedBasicLogin is wrong now. It will use whatever scheme the caller supplies. I suggest fixing the docstring, renaming, and making the scheme argument required instead of optional.
3. What's the difference between "correct" and "sufficiently correct"? :)
4. test_renderAuthorizedWrongCapitalizationScheme has a typo in its docstring, capitaliztion.
5. The use of "correct" throughout is a little bit sad. If you can replace it with descriptions of what "correct" actually means, at least in the changed tests, that'd be really great.

[myers]

Re: Chrome, I think I was incorrect about why that keeps prompting. I think it's due to requests coming 15 farther that 15 minutes apart.

[itamar]

Further investigation of RFC suggests that it *is* supposed to be case insensitive. Probably being the wrong case will break some things, though (e.g. requests) so we should do this anyway. Do you want to file a separate bug for the Chrome issue?