Implement full RFC 7616 HTTP Digest Authentication compliance (#2148)

Motivation:
Achieve full RFC 7616 compliance for HTTP Digest Authentication —
supporting stale nonce recovery, nonce count tracking, userhash,
Authentication-Info processing, multiple challenge negotiation,
algorithm-aware auth-int, and Proxy-Authenticate parity.

Modification:
- Add stale, userhash, entityBodyHash fields to Realm/Realm.Builder;
replace quoted-only match() with matchParam() supporting both quoted and
unquoted header values; fix parseProxyAuthenticateHeader to match
parseWWWAuthenticateHeader parity for charset, qop, stale, and userhash.
- Add NonceCounter for thread-safe nc tracking,
selectBestDigestChallenge() for multi-challenge negotiation,
computeUserhash()/computeRspAuth() helpers; wire stale-nonce retry, nc
increment, auth-int body hashing, and Authentication-Info
nextnonce/rspauth processing into both 401/407 interceptors via shared
NonceCounter.

Result:
Fixes #2068

---------

Co-authored-by: Pratik Katti <90851204+pratt4@users.noreply.github.com>

Author: hyperxpro

client/src/main/java/org/asynchttpclient/Dsl.java

@@ -112,7 +112,9 @@ public static Realm.Builder realm(Realm prototype) {
                 .setServicePrincipalName(prototype.getServicePrincipalName())
                 .setUseCanonicalHostname(prototype.isUseCanonicalHostname())
                 .setCustomLoginConfig(prototype.getCustomLoginConfig())
-                .setLoginContextName(prototype.getLoginContextName());
+                .setLoginContextName(prototype.getLoginContextName())
+                .setUserhash(prototype.isUserhash());
+        // Note: stale is NOT copied — it's challenge-specific, always starts false
     }
 
     public static Realm.Builder realm(AuthScheme scheme, String principal, String password) {

client/src/main/java/org/asynchttpclient/Realm.java

@@ -32,15 +32,22 @@
 import org.asynchttpclient.netty.channel.ChannelManager;
 import org.asynchttpclient.netty.request.NettyRequestSender;
 import org.asynchttpclient.proxy.ProxyServer;
+import org.asynchttpclient.util.AuthenticatorUtils;
+import org.asynchttpclient.util.NonceCounter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import static io.netty.handler.codec.http.HttpHeaderNames.SET_COOKIE;
+import static org.asynchttpclient.Dsl.realm;
 import static org.asynchttpclient.util.HttpConstants.ResponseStatusCodes.CONTINUE_100;
 import static org.asynchttpclient.util.HttpConstants.ResponseStatusCodes.OK_200;
 import static org.asynchttpclient.util.HttpConstants.ResponseStatusCodes.PROXY_AUTHENTICATION_REQUIRED_407;
 import static org.asynchttpclient.util.HttpConstants.ResponseStatusCodes.UNAUTHORIZED_401;
 
 public class Interceptors {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(Interceptors.class);
+
     private final AsyncHttpClientConfig config;
     private final Unauthorized401Interceptor unauthorized401Interceptor;
     private final ProxyUnauthorized407Interceptor proxyUnauthorized407Interceptor;
@@ -50,13 +57,15 @@ public class Interceptors {
     private final ResponseFiltersInterceptor responseFiltersInterceptor;
     private final boolean hasResponseFilters;
     private final ClientCookieDecoder cookieDecoder;
+    private final NonceCounter nonceCounter;
 
     public Interceptors(AsyncHttpClientConfig config,
                         ChannelManager channelManager,
                         NettyRequestSender requestSender) {
         this.config = config;
-        unauthorized401Interceptor = new Unauthorized401Interceptor(channelManager, requestSender);
-        proxyUnauthorized407Interceptor = new ProxyUnauthorized407Interceptor(channelManager, requestSender);
+        nonceCounter = new NonceCounter();
+        unauthorized401Interceptor = new Unauthorized401Interceptor(channelManager, requestSender, nonceCounter);
+        proxyUnauthorized407Interceptor = new ProxyUnauthorized407Interceptor(channelManager, requestSender, nonceCounter);
         continue100Interceptor = new Continue100Interceptor(requestSender);
         redirect30xInterceptor = new Redirect30xInterceptor(channelManager, config, requestSender);
         connectSuccessInterceptor = new ConnectSuccessInterceptor(channelManager, requestSender);
@@ -109,6 +118,52 @@ public boolean exitAfterIntercept(Channel channel, NettyResponseFuture<?> future
         if (httpRequest.method() == HttpMethod.CONNECT && statusCode == OK_200) {
             return connectSuccessInterceptor.exitAfterHandlingConnect(channel, future, request, proxyServer);
         }
+
+        // Process Authentication-Info / Proxy-Authentication-Info headers (RFC 7616 Section 3.5)
+        if (realm != null && realm.getScheme() == Realm.AuthScheme.DIGEST) {
+            processAuthenticationInfo(future, responseHeaders, realm, false);
+        }
+        Realm proxyRealm = future.getProxyRealm();
+        if (proxyRealm != null && proxyRealm.getScheme() == Realm.AuthScheme.DIGEST) {
+            processAuthenticationInfo(future, responseHeaders, proxyRealm, true);
+        }
+
         return false;
     }
+
+    private void processAuthenticationInfo(NettyResponseFuture<?> future, HttpHeaders responseHeaders,
+                                           Realm currentRealm, boolean proxy) {
+        String headerName = proxy ? "Proxy-Authentication-Info" : "Authentication-Info";
+        String authInfoHeader = responseHeaders.get(headerName);
+        if (authInfoHeader == null) {
+            return;
+        }
+
+        String nextnonce = Realm.Builder.matchParam(authInfoHeader, "nextnonce");
+        if (nextnonce != null) {
+            // Rotate to the new nonce
+            String oldNonce = currentRealm.getNonce();
+            if (oldNonce != null) {
+                nonceCounter.reset(oldNonce);
+            }
+            Realm newRealm = realm(currentRealm)
+                    .setNonce(nextnonce)
+                    .setNc("00000001")
+                    .build();
+            if (proxy) {
+                future.setProxyRealm(newRealm);
+            } else {
+                future.setRealm(newRealm);
+            }
+            LOGGER.debug("Rotated to nextnonce from {} header", headerName);
+        }
+
+        String rspauth = Realm.Builder.matchParam(authInfoHeader, "rspauth");
+        if (rspauth != null) {
+            String expectedRspauth = AuthenticatorUtils.computeRspAuth(currentRealm);
+            if (!rspauth.equalsIgnoreCase(expectedRspauth)) {
+                LOGGER.warn("Server rspauth mismatch: expected={}, got={}", expectedRspauth, rspauth);
+            }
+        }
+    }
 }

client/src/main/java/org/asynchttpclient/netty/handler/intercept/Interceptors.java

@@ -34,6 +34,8 @@
 import org.asynchttpclient.proxy.ProxyServer;
 import org.asynchttpclient.spnego.SpnegoEngine;
 import org.asynchttpclient.spnego.SpnegoEngineException;
+import org.asynchttpclient.util.AuthenticatorUtils;
+import org.asynchttpclient.util.NonceCounter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -44,6 +46,7 @@
 import static org.asynchttpclient.Dsl.realm;
 import static org.asynchttpclient.util.AuthenticatorUtils.NEGOTIATE;
 import static org.asynchttpclient.util.AuthenticatorUtils.getHeaderWithPrefix;
+import static org.asynchttpclient.util.AuthenticatorUtils.selectBestDigestChallenge;
 import static org.asynchttpclient.util.HttpConstants.Methods.CONNECT;
 
 public class ProxyUnauthorized407Interceptor {
@@ -52,20 +55,17 @@ public class ProxyUnauthorized407Interceptor {
 
     private final ChannelManager channelManager;
     private final NettyRequestSender requestSender;
+    private final NonceCounter nonceCounter;
 
-    ProxyUnauthorized407Interceptor(ChannelManager channelManager, NettyRequestSender requestSender) {
+    ProxyUnauthorized407Interceptor(ChannelManager channelManager, NettyRequestSender requestSender, NonceCounter nonceCounter) {
         this.channelManager = channelManager;
         this.requestSender = requestSender;
+        this.nonceCounter = nonceCounter;
     }
 
     public boolean exitAfterHandling407(Channel channel, NettyResponseFuture<?> future, HttpResponse response, Request request,
                                         ProxyServer proxyServer, HttpRequest httpRequest) {
 
-        if (future.isAndSetInProxyAuth(true)) {
-            LOGGER.info("Can't handle 407 as auth was already performed");
-            return false;
-        }
-
         Realm proxyRealm = future.getProxyRealm();
 
         if (proxyRealm == null) {
@@ -80,6 +80,81 @@ public boolean exitAfterHandling407(Channel channel, NettyResponseFuture<?> futu
             return false;
         }
 
+        // For DIGEST, check stale before blocking on isAndSetInProxyAuth
+        if (proxyRealm.getScheme() == AuthScheme.DIGEST) {
+            String digestHeader = selectBestDigestChallenge(proxyAuthHeaders);
+            if (digestHeader == null) {
+                LOGGER.info("Can't handle 407 with Digest realm as Proxy-Authenticate headers don't match");
+                return false;
+            }
+            Realm.Builder realmBuilder = realm(proxyRealm)
+                    .setUri(request.getUri())
+                    .setMethodName(request.getMethod())
+                    .setUsePreemptiveAuth(true)
+                    .parseProxyAuthenticateHeader(digestHeader);
+
+            boolean isStale = realmBuilder.isStale();
+            Realm previousRealm = future.getProxyRealm();
+            boolean alreadyRetriedStale = previousRealm != null && previousRealm.isStale();
+
+            if (isStale && !alreadyRetriedStale) {
+                // First stale response: allow retry by resetting inProxyAuth
+                LOGGER.debug("Proxy indicated stale nonce, retrying with new nonce");
+                future.setInProxyAuth(false);
+                if (proxyRealm.getNonce() != null) {
+                    nonceCounter.reset(proxyRealm.getNonce());
+                }
+            } else if (future.isAndSetInProxyAuth(true)) {
+                LOGGER.info("Can't handle 407 as auth was already performed");
+                return false;
+            }
+
+            // Set nc from counter
+            String nonce = realmBuilder.getNonceValue();
+            if (nonce != null) {
+                realmBuilder.setNc(nonceCounter.nextNc(nonce));
+            }
+
+            // Handle auth-int
+            if ("auth-int".equals(realmBuilder.getQopValue())) {
+                String bodyHash = AuthenticatorUtils.computeBodyHash(request, proxyRealm);
+                realmBuilder.setEntityBodyHash(bodyHash);
+            }
+
+            Realm newDigestRealm = realmBuilder.build();
+            future.setProxyRealm(newDigestRealm);
+
+            future.setChannelState(ChannelState.NEW);
+            HttpHeaders requestHeaders = new DefaultHttpHeaders().add(request.getHeaders());
+
+            RequestBuilder nextRequestBuilder = future.getCurrentRequest().toBuilder().setHeaders(requestHeaders);
+            if (future.getCurrentRequest().getUri().isSecured()) {
+                nextRequestBuilder.setMethod(CONNECT);
+            }
+            final Request nextRequest = nextRequestBuilder.build();
+
+            LOGGER.debug("Sending proxy authentication to {}", request.getUri());
+            if (channel instanceof Http2StreamChannel) {
+                channel.close();
+                requestSender.sendNextRequest(nextRequest, future);
+            } else if (future.isKeepAlive()
+                    && !HttpUtil.isTransferEncodingChunked(httpRequest)
+                    && !HttpUtil.isTransferEncodingChunked(response)) {
+                future.setConnectAllowed(true);
+                future.setReuseChannel(true);
+                requestSender.drainChannelAndExecuteNextRequest(channel, future, nextRequest);
+            } else {
+                channelManager.closeChannel(channel);
+                requestSender.sendNextRequest(nextRequest, future);
+            }
+            return true;
+        }
+
+        if (future.isAndSetInProxyAuth(true)) {
+            LOGGER.info("Can't handle 407 as auth was already performed");
+            return false;
+        }
+
         // FIXME what's this???
         future.setChannelState(ChannelState.NEW);
         HttpHeaders requestHeaders = new DefaultHttpHeaders().add(request.getHeaders());
@@ -92,37 +167,16 @@ public boolean exitAfterHandling407(Channel channel, NettyResponseFuture<?> futu
                 }
 
                 if (proxyRealm.isUsePreemptiveAuth()) {
-                    // FIXME do we need this, as future.getAndSetAuth
-                    // was tested above?
-                    // auth was already performed, most likely auth
-                    // failed
                     LOGGER.info("Can't handle 407 with Basic realm as auth was preemptive and already performed");
                     return false;
                 }
 
-                // FIXME do we want to update the realm, or directly
-                // set the header?
                 Realm newBasicRealm = realm(proxyRealm)
                         .setUsePreemptiveAuth(true)
                         .build();
                 future.setProxyRealm(newBasicRealm);
                 break;
 
-            case DIGEST:
-                String digestHeader = getHeaderWithPrefix(proxyAuthHeaders, "Digest");
-                if (digestHeader == null) {
-                    LOGGER.info("Can't handle 407 with Digest realm as Proxy-Authenticate headers don't match");
-                    return false;
-                }
-                Realm newDigestRealm = realm(proxyRealm)
-                        .setUri(request.getUri())
-                        .setMethodName(request.getMethod())
-                        .setUsePreemptiveAuth(true)
-                        .parseProxyAuthenticateHeader(digestHeader)
-                        .build();
-                future.setProxyRealm(newDigestRealm);
-                break;
-
             case NTLM:
                 String ntlmHeader = getHeaderWithPrefix(proxyAuthHeaders, "NTLM");
                 if (ntlmHeader == null) {