1 files changed, 19 insertions, 4 deletions

diff --git a/node_modules/request/lib/auth.js b/node_modules/request/lib/auth.js
index 1be1f4258..1cb695216 100644
--- a/node_modules/request/lib/auth.js
+++ b/node_modules/request/lib/auth.js
@@ -50,8 +50,6 @@ Auth.prototype.bearer = function (bearer, sendImmediately) {
 
 Auth.prototype.digest = function (method, path, authHeader) {
   // TODO: More complete implementation of RFC 2617.
-  //   - check challenge.algorithm
-  //   - support algorithm="MD5-sess"
   //   - handle challenge.domain
   //   - support qop="auth-int" only
   //   - handle Authentication-Info (not necessarily?)
@@ -73,11 +71,28 @@ Auth.prototype.digest = function (method, path, authHeader) {
     challenge[match[1]] = match[2] || match[3]
   }
 
-  var ha1 = md5(self.user + ':' + challenge.realm + ':' + self.pass)
-  var ha2 = md5(method + ':' + path)
+  /**
+   * RFC 2617: handle both MD5 and MD5-sess algorithms.
+   *
+   * If the algorithm directive's value is "MD5" or unspecified, then HA1 is
+   *   HA1=MD5(username:realm:password)
+   * If the algorithm directive's value is "MD5-sess", then HA1 is
+   *   HA1=MD5(MD5(username:realm:password):nonce:cnonce)
+   */
+  var ha1Compute = function (algorithm, user, realm, pass, nonce, cnonce) {
+    var ha1 = md5(user + ':' + realm + ':' + pass)
+    if (algorithm && algorithm.toLowerCase() === 'md5-sess') {
+      return md5(ha1 + ':' + nonce + ':' + cnonce)
+    } else {
+      return ha1
+    }
+  }
+
   var qop = /(^|,)\s*auth\s*($|,)/.test(challenge.qop) && 'auth'
   var nc = qop && '00000001'
   var cnonce = qop && uuid().replace(/-/g, '')
+  var ha1 = ha1Compute(challenge.algorithm, self.user, challenge.realm, self.pass, challenge.nonce, cnonce)
+  var ha2 = md5(method + ':' + path)
   var digestResponse = qop
     ? md5(ha1 + ':' + challenge.nonce + ':' + nc + ':' + cnonce + ':' + qop + ':' + ha2)
     : md5(ha1 + ':' + challenge.nonce + ':' + ha2)