Handle case when WWW-Authenticate returns multiple qops

In Digest Access Authentication there are two possible values (four if you
count the not-present and both cases) for authentication. We were narrowly
handling one of the four cases. Now we handle two.

diff --git a/requests/auth.py b/requests/auth.py
index 81a3d93..30529e2 100644 (file)
--- a/requests/auth.py
+++ b/requests/auth.py
@@ -105,7 +105,9 @@ class HTTPDigestAuth(AuthBase):
         A1 = '%s:%s:%s' % (self.username, realm, self.password)
         A2 = '%s:%s' % (method, path)
 
-        if qop == 'auth':
+        if qop is None:
+            respdig = KD(hash_utf8(A1), "%s:%s" % (nonce, hash_utf8(A2)))
+        elif qop == 'auth' or 'auth' in qop.split(','):
             if nonce == self.last_nonce:
                 self.nonce_count += 1
             else:
@@ -120,8 +122,6 @@ class HTTPDigestAuth(AuthBase):
             cnonce = (hashlib.sha1(s).hexdigest()[:16])
             noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, qop, hash_utf8(A2))
             respdig = KD(hash_utf8(A1), noncebit)
-        elif qop is None:
-            respdig = KD(hash_utf8(A1), "%s:%s" % (nonce, hash_utf8(A2)))
         else:
             # XXX handle auth-int.
             return None