I got a question last week from a poor bastard who had bought a box full of chinese IP camera's. He could access the IP camera's from within the browser without problems. However from within a Node-RED flow (e.g. httprequest node) he received an unauthorised exception, although he entered the SAME url/username/password combination ...
I found out that his camera expected digest authentication, while the httprequest node only offers basic authentication. Here is the difference in a nutshell:
Basic authentication: The client sends a HTTP request with an 'authorization' header that contains the word Basic followed by a space and a base64-encoded string username:password. For example:
Authorization: Basic ZGVtbzpwQDU1dzByZA==
When such a request is send across an unsecure http connection, a hacker can see the username and password (by simple base64 decoding). This means a secure https connection should be used instead ...
Digest authentication: The client sends a HTTP request with an 'authorization' header that contains an MD5 hashed password. For example:
Authorization: Digest username="Mufasa", realm="email@example.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ...
Such a password can safely be exchanged across an http connection.
And that works fine! When I set the sendImmediately to true, the basic authentication still works on my own IP camera and the digest authentication works fine on the chinese IP camera's. Only a single line of code need to be added:
Some questions about this change:
- Is this an acceptable change?
- Does the node's config screen need to show the 'digest' somewhere?