From 22e31b4b737c2a3b61b3ab4fccd534b2eee65a87 Mon Sep 17 00:00:00 2001
From: Ian Cordasco <graffatcolmingov@gmail.com>
Date: Fri, 13 Sep 2013 22:29:39 -0500
Subject: [PATCH] Handle case when WWW-Authenticate returns multiple qops

In Digest Access Authentication there are two possible values (four if you
count the not-present and both cases) for authentication. We were narrowly
handling one of the four cases. Now we handle two.
---
 requests/auth.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/requests/auth.py b/requests/auth.py
index 81a3d93..30529e2 100644
--- a/requests/auth.py
+++ b/requests/auth.py
@@ -105,7 +105,9 @@ class HTTPDigestAuth(AuthBase):
         A1 = '%s:%s:%s' % (self.username, realm, self.password)
         A2 = '%s:%s' % (method, path)
 
-        if qop == 'auth':
+        if qop is None:
+            respdig = KD(hash_utf8(A1), "%s:%s" % (nonce, hash_utf8(A2)))
+        elif qop == 'auth' or 'auth' in qop.split(','):
             if nonce == self.last_nonce:
                 self.nonce_count += 1
             else:
@@ -120,8 +122,6 @@ class HTTPDigestAuth(AuthBase):
             cnonce = (hashlib.sha1(s).hexdigest()[:16])
             noncebit = "%s:%s:%s:%s:%s" % (nonce, ncvalue, cnonce, qop, hash_utf8(A2))
             respdig = KD(hash_utf8(A1), noncebit)
-        elif qop is None:
-            respdig = KD(hash_utf8(A1), "%s:%s" % (nonce, hash_utf8(A2)))
         else:
             # XXX handle auth-int.
             return None
-- 
2.34.1