lib/atom/http.rb in atom-tools-0.9.3 vs lib/atom/http.rb in atom-tools-0.9.4
@@ -1,11 +1,11 @@
require "net/http"
require "net/https"
require "uri"
require "sha1"
-require "md5"
+require "digest/md5"
module URI # :nodoc: all
class Generic; def to_uri; self; end; end
end
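Review bot: `require "sha1"` on the line just above the replaced `md5` require has the same problem this hunk fixes for MD5: `sha1` is the legacy pre-`digest` library, while the code (see `wsse_authenticate`, which calls `Digest::SHA1.digest`) uses the `Digest` API, so it should read `require "digest/sha1"` for the same reason `require "digest/md5"` was needed. On Rubies that no longer ship the old `sha1` library the require fails at load time before any request is made. Blank lines appear to have been dropped from this rendered hunk, so the line count here does not match the `@@` header.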
@@ -15,11 +15,11 @@
module Atom
UA = "atom-tools 0.9.3"
module DigestAuth
- CNONCE = Digest::MD5.new("%x" % (Time.now.to_i + rand(65535))).hexdigest
+ CNONCE = Digest::MD5.hexdigest("%x" % (Time.now.to_i + rand(65535)))
@@nonce_count = -1
# quoted-strings plus a few special cases for Digest
def parse_wwwauth_digest param_string
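Review bot: `CNONCE` is still computed once at module load from `Time.now.to_i + rand(65535)`, so every Digest response the process ever sends reuses the same client nonce, and its input carries only ~16 bits of randomness on top of a guessable timestamp; switching to `Digest::MD5.hexdigest` changes none of that. A cnonce is meant to be fresh per challenge, so it would be better generated at the point it is used rather than stored in a constant, and `Kernel#rand` is not a cryptographic generator (`SecureRandom.hex` is the stdlib option where the supported Ruby has it). The `@@nonce_count` class variable on the next line shares one counter across the whole inheritance tree, which is worth a comment if that is intended. Separately, the unchanged context line `UA = "atom-tools 0.9.3"` was not bumped for 0.9.4. `parse_wwwauth_digest` begins on the last line of this hunk and continues outside it.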
@@ -221,22 +221,25 @@
user, pass = username_and_password_for_realm(url, params[:realm])
req.basic_auth user, pass
end
- # WSSE authentication
- # <http://www.xml.com/pub/a/2003/12/17/dive.html>
+ # is this the right way to do it? who knows, there's no
+ # spec!
+ # <http://necronomicorp.com/lab/atom-authentication-sucks>
+ #
+ # thanks to H. Miyamoto for clearing things up.
def wsse_authenticate(req, url, params = {})
user, pass = username_and_password_for_realm(url, params["realm"])
- # thanks to Sam Ruby
nonce = rand(16**32).to_s(16)
+ nonce_enc = [nonce].pack('m').chomp
now = Time.now.gmtime.iso8601
digest = [Digest::SHA1.digest(nonce + now + pass)].pack("m").chomp
- req['X-WSSE'] = %Q<UsernameToken Username="#{user}", PasswordDigest="#{digest}", Nonce="#{nonce}", Created="#{now}">
+ req['X-WSSE'] = %Q<UsernameToken Username="#{user}", PasswordDigest="#{digest}", Nonce="#{nonce_enc}", Created="#{now}">
req["Authorization"] = 'WSSE profile="UsernameToken"'
end
def authsub_authenticate req, url
req["Authorization"] = %{AuthSub token="#{@token}"}
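Review bot: The nonce on `nonce = rand(16**32).to_s(16)` comes from `Kernel#rand`, which is not a cryptographic generator, and `to_s(16)` drops leading zeros so its length varies; the base64 wrapping added in `nonce_enc` fixes the header format but not the source. Because `PasswordDigest` is derived as `Digest::SHA1.digest(nonce + now + pass)`, a predictable nonce weakens the replay protection the scheme depends on; `nonce = SecureRandom.hex(16)` (with `require "securerandom"` alongside the other requires, available since Ruby 1.8.7) would give a fixed-length, unpredictable value. Note also that `pack('m')` wraps long output with newlines, which `chomp` only strips at the end — harmless for a nonce this short, but `pack('m0')` (1.9+) is the unambiguous form. The unchanged `params["realm"]` here versus `params[:realm]` in the Basic branch at the top of the hunk looks like a key-type inconsistency worth confirming against the callers.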
@@ -279,11 +282,12 @@
h.request(req, body)
end
case res
when Net::HTTPUnauthorized
- if @always_auth or www_authenticate # XXX and not stale (Digest only)
- # we've tried the credentials you gave us once and failed
+ if @always_auth or www_authenticate or not res["WWW-Authenticate"] # XXX and not stale (Digest only)
+ # we've tried the credentials you gave us once
+ # and failed, or the server gave us no way to fix it
raise Unauthorized, "Your authorization was rejected"
else
# once more, with authentication
res = http_request(url_s, method, body, init_headers, res["WWW-Authenticate"])