Avoid throwing an exception if authentication isn't requested

Only process authentication if there are credentials available or an
authenticate callback to get credentials. This prevents an exception
being thrown for a malformed www-authenticate header when the client
code hasn't asked HttpClient to perform authentication.

[email protected]

Bug: #46442
Change-Id: I3d3e70cec936f717f822b2fe170ddc526a74ebf9
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/405280
Reviewed-by: Brian Quinlan <[email protected]>
Commit-Queue: Brian Quinlan <[email protected]>
Reviewed-by: Alexander Aprelev <[email protected]>

Author: PaulAllanSturm

sdk/lib/_http/http_impl.dart

@@ -773,11 +773,14 @@ class _HttpClientResponse extends _HttpInboundMessageListInt
   }
 
   bool get _shouldAuthenticate {
-    // Only try to authenticate if there is a challenge in the response.
+    // Only try to authenticate if there is a challenge in the response and
+    // the client has credentials or an authentication function.
     List<String>? challenge = headers[HttpHeaders.wwwAuthenticateHeader];
     return statusCode == HttpStatus.unauthorized &&
         challenge != null &&
-        challenge.length == 1;
+        challenge.length == 1 &&
+        (_httpClient._credentials.isNotEmpty ||
+            _httpClient._authenticate != null);
   }
 
   Future<HttpClientResponse> _authenticate(bool proxyAuth) {

tests/standalone/io/http_auth_digest_test.dart

@@ -7,6 +7,7 @@ import 'dart:io';
 
 import "package:convert/convert.dart";
 import "package:crypto/crypto.dart";
+import "package:expect/async_helper.dart";
 import "package:expect/expect.dart";
 
 class Server {
@@ -37,6 +38,15 @@ class Server {
     HttpServer.bind("127.0.0.1", 0).then((s) {
       server = s;
       server.listen((HttpRequest request) {
+        if (request.uri.path == "/malformedAuthenticate") {
+          request.response.statusCode = HttpStatus.unauthorized;
+          // This authenticate header is malformed because of missing commas
+          request.response.headers.set(HttpHeaders.wwwAuthenticateHeader,
+              'Digest realm="$realm" nonce="$nonce" domain="/digest/"');
+          request.response.close();
+          return;
+        }
+
         sendUnauthorizedResponse(HttpResponse response, {stale = false}) {
           response.statusCode = HttpStatus.unauthorized;
           StringBuffer authHeader = new StringBuffer();
@@ -309,6 +319,54 @@ void testNextNonce() {
   });
 }
 
+void testMalformedAuthenticateHeaderNoAuthHandler() {
+  Server.start('MD5', 'auth').then((server) async {
+    HttpClient client = new HttpClient();
+    final uri = Uri.parse(
+        'http://${InternetAddress.loopbackIPv4.address}:${server.port}/malformedAuthenticate');
+
+    // Request should resolve normally if no authentication is configured
+    await client.getUrl(uri).then((request) => request.close());
+
+    server.shutdown();
+    client.close();
+  });
+}
+
+void testMalformedAuthenticateHeaderWithAuthHandler() {
+  Server.start('MD5', 'auth').then((server) async {
+    HttpClient client = new HttpClient();
+    final uri = Uri.parse(
+        'http://${InternetAddress.loopbackIPv4.address}:${server.port}/malformedAuthenticate');
+
+    // Request should throw an exception if the authenticate handler is set
+    client.authenticate =
+        (Uri url, String scheme, String? realm) async => false;
+    await asyncExpectThrows<HttpException>(
+      client.getUrl(uri).then((request) => request.close()));
+
+    server.shutdown();
+    client.close();
+  });
+}
+
+void testMalformedAuthenticateHeaderWithCredentials() {
+  Server.start('MD5', 'auth').then((server) async {
+    HttpClient client = new HttpClient();
+    final uri = Uri.parse(
+        'http://${InternetAddress.loopbackIPv4.address}:${server.port}/malformedAuthenticate');
+
+    // Request should throw an exception if credentials have been added
+    client.addCredentials(
+        uri, 'realm', HttpClientDigestCredentials('dart', 'password'));
+    await asyncExpectThrows<HttpException>(
+      client.getUrl(uri).then((request) => request.close()));
+
+    server.shutdown();
+    client.close();
+  });
+}
+
 // An Apache virtual directory configuration like this can be used for
 // running the local server tests.
 //
@@ -375,6 +433,9 @@ main() {
   testAuthenticateCallback("MD5", "auth-int");
   testStaleNonce();
   testNextNonce();
+  testMalformedAuthenticateHeaderNoAuthHandler();
+  testMalformedAuthenticateHeaderWithAuthHandler();
+  testMalformedAuthenticateHeaderWithCredentials();
   // These teste are not normally run. They can be used for locally
   // testing with another web server (e.g. Apache).
   //testLocalServerDigest();

tests/standalone/io/http_auth_test.dart

@@ -6,6 +6,7 @@ import 'dart:async';
 import 'dart:convert';
 import 'dart:io';
 
+import "package:expect/async_helper.dart";
 import "package:expect/expect.dart";
 
 class Server {
@@ -23,7 +24,14 @@ class Server {
           response.close();
           return;
         }
-        ;
+
+        if (request.uri.path == "/malformedAuthenticate") {
+          response.statusCode = HttpStatus.unauthorized;
+          response.headers.set(HttpHeaders.wwwAuthenticateHeader,
+              'Basic malformed header no commas');
+          response.close();
+          return;
+        }
 
         String username;
         String password;
@@ -204,6 +212,53 @@ void testBasicAuthenticateCallback() {
   });
 }
 
+void testMalformedAuthenticateHeaderNoAuthHandler() {
+  setupServer().then((server) async {
+    HttpClient client = new HttpClient();
+    final uri = Uri.parse(
+        'http://${InternetAddress.loopbackIPv4.address}:${server.port}/malformedAuthenticate');
+
+    // Request should resolve normally if no authentication is configured
+    await client.getUrl(uri).then((request) => request.close());
+
+    server.shutdown();
+    client.close();
+  });
+}
+
+void testMalformedAuthenticateHeaderWithAuthHandler() {
+  setupServer().then((server) async {
+    HttpClient client = new HttpClient();
+    final uri = Uri.parse(
+        'http://${InternetAddress.loopbackIPv4.address}:${server.port}/malformedAuthenticate');
+
+    // Request should throw an exception if the authenticate handler is set
+    client.authenticate = (url, scheme, realm) async => false;
+    await asyncExpectThrows<HttpException>(
+      client.getUrl(uri).then((request) => request.close()));
+
+    server.shutdown();
+    client.close();
+  });
+}
+
+void testMalformedAuthenticateHeaderWithCredentials() {
+  setupServer().then((server) async {
+    HttpClient client = new HttpClient();
+    final uri = Uri.parse(
+        'http://${InternetAddress.loopbackIPv4.address}:${server.port}/malformedAuthenticate');
+
+    // Request should throw an exception if credentials have been added
+    client.addCredentials(
+        uri, 'realm', HttpClientBasicCredentials('dart', 'password'));
+    await asyncExpectThrows<HttpException>(
+      client.getUrl(uri).then((request) => request.close()));
+
+    server.shutdown();
+    client.close();
+  });
+}
+
 void testLocalServerBasic() {
   HttpClient client = new HttpClient();
 
@@ -250,6 +305,9 @@ main() {
   testBasicNoCredentials();
   testBasicCredentials();
   testBasicAuthenticateCallback();
+  testMalformedAuthenticateHeaderNoAuthHandler();
+  testMalformedAuthenticateHeaderWithAuthHandler();
+  testMalformedAuthenticateHeaderWithCredentials();
   // These teste are not normally run. They can be used for locally
   // testing with another web server (e.g. Apache).
   //testLocalServerBasic();