Improve authentication when the server is "ugly" about jssip HOT 8 CLOSED

This will be fixed with the 'stale' parameter handling. Issue #18

from jssip.

Humm, I don't think this should depend on #18 (or maybe... but not sure). Regardless JsSIP reuses nonces or not, it could occur this case:

• JsSIP sends un-REGISTER with credentials by reusing a previous nonce value.
• 401 with "stale=true" since such a nonce has already been invalidated by the registrar. So this 401 contains a new nonce value.
• JsSIP re-sends the un-REGISTER with new credentials according to the new nonce value.
• The registrar is stupid and replies 401 again with "stale=true".

This CAN occur when using Asterisk, so a better improvement for this would be trying un-registration one more time.

from jssip.

@ibc Yes. I will try the stale stuff first anyway.

BTW this could be a known Asterisk bug.

from jssip.

Credential re-use has been implemented in 85ca354 5ed612 and 96b9f6c

The scenario described above should result in a registration failure IMHO. If JsSIP re-generates the credentials with a new response according to a new nonce value and it receives a 401 again, that means that the credentials are invalid or the server buggy, but I don't think re-sending the REGISTER would solve the problem anyway.

from jssip.

Please, recheck my issue description. The case exposed there is real and ugly, but still valid. And I insist: this has nothing to do with credentials reuse.

from jssip.

I mean, if the server responds 401 and an un-REGISTER is re-sent with re-calculated credendials, I think I should give the request as failed if receiving a 401 again. Don`t you?

from jssip.

If the second 401 has not "stale=true" then I agree at 100%. But in the case I describe (and that is a real case with Asterisk) the second 401 has "stale=true" and then I consider JsSIP should give it another chance for authentication with the new nonce.

It's ugly that Asterisk replies 401 and then another 401 with "stale=true" (it means "I've sent you this nonce for authenticating against me but then I invalidate it when you send me the Digest response"). Anyhow we should be ready for that.

from jssip.

JsSIP does already manage the defined situation. It is Asterisk compilant in that way.

from jssip.