Digest authentication

I’ve got a website that I need to PUT a command to; the page requires Digest authentication with a username and password.
How do I craft my URL and execute a Get Contents of URL action to PUT my command? Can Shortcuts even process authentication like this out of the box? I know cURL can, and find examples all over the place for doing this with cURL – but none for Shortcuts.
Suggestions or tips?

Looking at how Digest Authentication works, it looks like it’s possible in shortcuts. Is the API you’re using a public one where I could test?

No, it’s a private server, and I’m unaware of any sample or demo servers. The app in question is Indigo’s RESTful web interface if you know of an instance.
Do you know of any published Shortcuts that implement this that I could use as an example?

Can you share how you would do this with cURL (with sensitive information redacted), and then we may be able to help translate that into a Shortcuts action?

Sure. Here’s an example cobbled from examples in the RESTful documentation:

curl -u user:password --digest -X PUT -d isOn=1

A simpler example would be this:

curl -u user:password --digest

Ok, I made this based on the references about Digest Authentication i read on the web (1, 2).

Digest seem to be 2 requests, first to find out the authentication parameters from the header. Then do some hashes that will be used as authorization header to do the second request.
It has a few more variations but I only have the very basic implementation. I couldn’t test it though.


1 Like

Whoa, that’s a serious piece of code. I’ve read the references and the API, but what you put together nearly perfectly matches what I understood of digest auth.
Sadly, almost.
I got an “Access denied” error when running it.
I’ll see if I can get details from the server’s logs.
Seriously, dude: major props on coding that in the amount of time you took, and totally in the blind.

one piece that I’m not sure about is the Get Headers of URL since it does not allow passing a Method header. Another thing also is what does the result of Get Headers of URL look like since the next steps depend on that result.

Update: sitting in front of the server, watching the log, when I run the script it actually invokes the action, even though I’m getting the “Access denied” return value. I think your code is running, but something else is misfiring.
I’m not convinced I’ve got the right log file here, though, as I’m not seeing web events, just final actions taken in response to other events. I need to dig some more.
BTW, Method can be replicated using _method=PUT if I remember correctly.

From the specs, the server should return a 401 Unauthorized at the first request, so your server logs should reflect as such. But I think this would be moot because what I’m afraid of is the first request must match the authenticated request, which is logical.

In Shortcuts, the only way to get headers is by using the Get Headers From URL. But that action does not provide a way to set the method as PUT. So, there’s no really a straightforward way to match the initial request and the authenticated request.

You have some options though. If you have control of that server, then you could maybe just use the Run Script Over SSH action and curl to itself.
Another another is, do the initial request with javascript.

I’m interested in packaging this up along with a bunch of other code and sharing it with a home automation community, so relying on SSH is not optimal. Your JS comment intrigues me, however.
I’ve done more testing and can confirm it’s working – it looks like the “access denied” response is for the initial 401, not the subsequent 303 after sending the hashes. I’ve confirmed that running the same login via cURL returns the same URL in the header, but these are very controlled tests. Kinda hate driving in the blind, but at least it’s working at that level.
I’ve been able to verify that a bad password will cause it to fail, however when invalid credentials are given, the Shortcut will time out rather than immediately die; this is a problem, obviously. Doing the same in cURL results in an immediate termination after the second 401 (post-hash) is received. Any ideas, or do you think this is again because of the inaccessible headers?
It would be really nice if Shortcuts handled digest authentication natively, right? I’m not seeing anything on the Developer site about Shortcuts and digest auth, but then I’m not a paid developer and have limited access to the dev beta resources there. Still poking around, however.
Thanks again. If we can get this working, this would be a great shortcut to publish as a runable shortcut with URL, username, password, and body form fields passed in a dictionary. I’m sure lots of folks would be able to benefit.

1 Like

Try this one with the javascript. Hope it brings us a step closer.


The JS response is null and the server logs a denied access attempt, while the final Get Contents of URL spins until it times out.

I used the first shortcut posted above and found it hung during execution. The action took place as requested, but the server never returned anything. I just changed Request Body to json and that solved the problem. I am also getting the same “Access denied” in the Indigo log. But, that is not fatal and I will now look into addressing that as well.

Thanks for the discussion and ideas.