0

So, ESPAsyncWebServer library is using the Digest MD5 Authentication by default, and I want to use this feature in my webserver, but there is a problem, I don't like the ugly prompt box, and I don't want to write a form for authentication, because is sends the password in clear text. I have searched all files in the Src folder of the ESPAsyncWebServer library, Yet I had no luck up to my beginner programming knowledge. So, how can I do this? it is something totally browser side and I cannot change it?

Update: I was able to get the following from the Wireshark.

Hypertext Transfer Protocol
    GET /openthefdoor HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /openthefdoor HTTP/1.1\r\n]
            [GET /openthefdoor HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /openthefdoor
        Request Version: HTTP/1.1
    Host: 192.168.1.3\r\n
    Connection: keep-alive\r\n
    Cache-Control: max-age=0\r\n
     [truncated]Authorization: Digest username="admin", realm="asyncesp", nonce="d13ba3040a4ed5c661a47d28c08554f4", uri="/openthefdoor", response="ca8806aa058dda66838784e784e67f8b", opaque="90ba2cd8a2870065f4daa582fd57105a", qop=auth, nc=0000
         username="admin"
         realm="asyncesp"
         nonce="d13ba3040a4ed5c661a47d28c08554f4"
         uri="/openthefdoor"
         response="ca8806aa058dda66838784e784e67f8b"
         opaque="90ba2cd8a2870065f4daa582fd57105a"
         qop=auth
         nc=00000002

2nd update: based on this question I guess the popup is coming up from the browser and I was looking in a wrong place!

Improve this question
8
  • searched all files in the Src folder ... what did you search for? Commented Dec 11, 2023 at 19:05
  • If you write a nice webpage to login, why can't you do the login exactly the same way, with a webrequest from the browser through javascript? Why would that be any less encrypted than doing it directly? Commented Dec 11, 2023 at 19:45
  • @chrisl Can I implement Digest MD5 Authentication? also I don't have enough memory on my esp8266. Commented Dec 12, 2023 at 7:05
  • @jsotola for theauthenticate() and requestDigestAuthentication() and WWW-Authenticate and to my knowledge I couldn't find anything useful to me. Commented Dec 12, 2023 at 7:25
  • try searching for HTML tags ... if you can determine the HTML code for the login popup, it may help to search for the tags in the popup Commented Dec 12, 2023 at 7:28

1 Answer 1

Reset to default
1

The authentication dialog, that you get, is provided by the browser. You cannot change this, since it is part of the browser software.

I don't want to write a form for authentication, because is sends the password in clear text.

That is false. How exactly the data is send depends on how you implement your login/action site. You can also tap into the forms submit event and use javascript with something other than Basic Authentication, like the Digest Authentication, that you mentioned. So your webpage, that gets served from the ESP, would contain the nice looking HTML form and javascript code, that uses the submit event of the form and does a webrequest to the ESP for the /openthefdoor endpoint, providing the credentials as digest (hashes).

From the ESPs (aka webservers) perspective, it is functionally irrelevant, if the login webrequest is done by typing in the login address in the address bar, or by javascript code embedded inside the served website. Both are just simple webrequests. You don't need to submit data from a form directly (unencrypted)

I cannot give you a ready made example of such javascript code and this is off topic for this Arduino site. Though you should be able to find example code online. Maybe by searching for something like "javascript digest authentication" or similar.

Note: Digest authentication transmits hashes of the credentials. That is not the same as encryption, especially with an easy hash standard like MD5. Better than plain text, but with a hash table an attacker would still be able to read the credentials. For encryption you would need TLS (https).

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.