Skip to content

fix: decode bytes credentials in HTTPDigestAuth to prevent b'...' repr in hashes#7557

Closed
webdevdot wants to merge 1 commit into
psf:mainfrom
webdevdot:fix/digest-auth-bytes-credentials
Closed

fix: decode bytes credentials in HTTPDigestAuth to prevent b'...' repr in hashes#7557
webdevdot wants to merge 1 commit into
psf:mainfrom
webdevdot:fix/digest-auth-bytes-credentials

Conversation

@webdevdot

Copy link
Copy Markdown

Summary

  • HTTPDigestAuth stores username and password as bytes | str, but build_digest_header interpolated them directly into f-strings
  • For bytes credentials, Python's f-string produces b'username' (with the b prefix and quotes) instead of the raw string value
  • This causes two bugs: (1) the A1 hash is computed over the wrong string, producing an incorrect digest; (2) the Authorization header contains username="b'user'" instead of username="user", which servers reject

Changes

  • Decode bytes username/password to UTF-8 strings before constructing A1 and the Authorization header base string
  • Both the hash computation (A1 = f"{_username}:{realm}:{_password}") and the header value (username="{_username}") are fixed
  • Matches the convention already used in prepare_url and elsewhere in the codebase

Test plan

  • Create HTTPDigestAuth(b"user", b"pass") and confirm the Authorization header contains username="user" not username="b'user'"
  • Verify HTTPDigestAuth("user", "pass") (str credentials) still works identically
  • Run existing digest auth tests: pytest tests/test_auth.py -v

🤖 Generated with Claude Code

…gestAuth

When username or password are bytes, f-string interpolation produces
b'...' repr instead of the raw string, causing an incorrect A1 hash
value and a malformed Authorization header in digest auth flows.

Decode bytes to str via UTF-8 before building A1 and the base header
string, mirroring how the basic-auth path handles bytes credentials.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@nateprewitt nateprewitt closed this Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants