
KTOR-9336 Digest Auth Docs. Document RFC 7616 #768

Open

zibet27 wants to merge 2 commits into 3.5.0 from zibet27/server-auth-digest-rfc7616

Conversation

@zibet27 (Contributor) commented Feb 13, 2026

The implementation issue: KTOR-7578 Update Digest authentication implementation according to RFC 7616

@zibet27 zibet27 requested a review from vnikolova February 13, 2026 13:47
@zibet27 zibet27 self-assigned this Feb 13, 2026
@zibet27 zibet27 requested a review from bjhham February 13, 2026 13:47
coderabbitai bot (Contributor) commented Feb 13, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a959b2a3-b8ea-47e2-9661-95243bd83cdb

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Digest authentication support expanded from MD5-only to a multi-algorithm approach supporting SHA-512-256, SHA-256, and MD5. Password configuration changed from precomputed byte arrays to plaintext passwords with dynamic hashing. Documentation updated to reflect RFC 7616 compliance with QoP support and advanced configuration options.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Digest Authentication Implementation** `codeSnippets/snippets/auth-digest/src/main/kotlin/authdigest/Application.kt` | Replaced hardcoded MD5 user hash table with flexible password map (`Map<String, String>`). Introduced `computeHash` function to support multiple digest algorithms. Updated `digestProvider` signature to accept algorithm parameter and compute hashes dynamically. Removed legacy `getMd5Digest` function. |
| **Digest Authentication Documentation** `topics/server-digest-auth.md` | Expanded documentation to cover RFC 7616 digest authentication with multi-algorithm support (SHA-512-256, SHA-256, MD5). Added configuration sections for algorithm selection, Quality of Protection (QoP), user hash support, and strict RFC 7616 mode. Updated code examples and included Authentication-Info header details for mutual authentication. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: updating Digest authentication documentation to document RFC 7616 compliance, which aligns with the file changes. |
| Description check | ✅ Passed | The description is related to the changeset, referencing the implementation issue KTOR-7578 that tracks the RFC 7616 digest authentication updates reflected in the documentation changes. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@topics/server-digest-auth.md`:
- Around line 241-243: Update the "Strict mode" description to explicitly state
whether the session variants are permitted: change the sentence that reads
"Removes MD5 algorithms (only allows SHA-256 and SHA-512-256)" to specify
inclusion/exclusion of the "-sess" variants (e.g., "allows SHA-256 and
SHA-512-256 and their -sess variants" or "allows only the non-session variants
SHA-256 and SHA-512-256, excluding -sess variants"), and add a short clarifying
note in the algorithm table explaining the policy for -sess variants to keep
both places consistent (refer to the "Strict mode" heading and the algorithm
table entries for SHA-256/SHA-512-256).
- Around line 152-154: The snippet include range is invalid (references lines
50-52 that don't exist); update the include-lines for the Application.kt snippet
to cover the actual main() function and CustomPrincipal declaration—e.g., change
the include-lines to encompass lines that contain the install {
realm/algorithms/digestProvider/validate } block and the CustomPrincipal data
class (adjust to the file's real line numbers so the main() body and line with
CustomPrincipal are included); ensure the include-lines end at the actual last
line of the file (not beyond 49) so rendering succeeds.
- Around line 284-316: The migration example incorrectly claims RFC 7616 support
and shows non-existent symbols (DigestAlgorithm.SHA_512_256 and a three-arg
digestProvider with an algorithm parameter); remove or rewrite that "After (RFC
7616)" block so it only documents the real, current RFC 2069-style API: keep the
legacy -> current example using install(Authentication) { digest("auth") { realm
= ... digestProvider { userName, realm -> ... } } }, delete references to
DigestAlgorithm and the algorithm parameter, and add a short note stating RFC
7616 is not implemented in released Ktor versions.
🧹 Nitpick comments (2)
codeSnippets/snippets/auth-digest/src/main/kotlin/authdigest/Application.kt (1)

11-17: Plaintext password storage is acceptable for a documentation snippet, but consider adding a cautionary comment.

This is a code sample that will be included in the documentation. While storing plaintext passwords in a map is fine for a demo, users may copy-paste this pattern. A brief comment noting that passwords should not be stored in plaintext in production could help prevent misuse.

💡 Suggested comment
+// In production, store pre-computed HA1 hashes or use a secure credential store
 val userPasswords: Map<String, String> = mapOf(
     "jetbrains" to "foobar",
     "admin" to "password"
 )
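Review bot: the suggested comment should say what a "pre-computed HA1 hash" buys and what it costs, since readers will copy it. HA1 is H(username:realm:password), so it is bound to one realm and one algorithm; with this PR's `computeHash` offering SHA-512-256, SHA-256 and MD5, a store of precomputed HA1s needs one entry per offered algorithm, and whoever can read the table can authenticate as that user, which makes HA1 password-equivalent within the realm rather than a safe substitute for a password hash. Suggest something like `// Prefer storing H(user:realm:password) per offered algorithm and realm; the stored HA1 is still a secret` in place of the proposed line.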
topics/server-digest-auth.md (1)

196-223: Userhash example iterates all users for each request — note the scalability caveat.

The userHashResolver example linearly scans all users with users.find { ... } to match the hash. For documentation purposes this is fine, but consider adding a brief note that production implementations should use a pre-computed lookup table for efficiency.

@vnikolova (Collaborator) left a comment

Great job! Thanks for updating this one @zibet27 🙏
There's one broken code block and some minor improvements in comments.

Commented lines in topics/server-digest-auth.md:

> 6. **Always use HTTPS** – Digest authentication alone doesn't encrypt traffic; always use TLS in production.
>
> ## Migration from legacy digest auth {id="migration"}
@vnikolova (Collaborator) commented:

We don't include migration or deprecation sections in our general topics. If required, we need to add a separate migration guide (when there are breaking changes) or document this in a "What's new" document. Otherwise, we can add a short note somewhere above about the deprecation if no separate topic is required.

@zibet27 (Contributor, Author) commented:

Yeah, it makes sense not to include it in general topics
I think mentioning it in the "What's new" document should be enough

@vnikolova vnikolova changed the base branch from main to 3.5.0 February 24, 2026 15:39