🐛 Ensure that `HTTPDigest` only raises an exception when `auto_error is True` (#2939)
authorArthur Rio <arthur.rio44@gmail.com>
Thu, 27 Feb 2025 12:29:20 +0000 (05:29 -0700)
committerGitHub <noreply@github.com>
Thu, 27 Feb 2025 12:29:20 +0000 (13:29 +0100)
Co-authored-by: svlandeg <sofie.vanlandeghem@gmail.com>
fastapi/security/http.py
tests/test_security_http_digest_optional.py

index e06f3d66d884c9040686da057565e3aa866e2d8d..9ab2df3c98e1e08a920de9439e78ecd65c2daada 100644 (file)
@@ -413,8 +413,11 @@ class HTTPDigest(HTTPBase):
             else:
                 return None
         if scheme.lower() != "digest":
-            raise HTTPException(
-                status_code=HTTP_403_FORBIDDEN,
-                detail="Invalid authentication credentials",
-            )
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=HTTP_403_FORBIDDEN,
+                    detail="Invalid authentication credentials",
+                )
+            else:
+                return None
         return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
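Review bot: With `auto_error=False`, the new `return None` in the `scheme.lower() != "digest"` branch makes a header carrying the wrong scheme look the same to the caller as the `return None` a few lines earlier, and nothing in the hunk documents that. A dependant using HTTPDigest this way has to treat `None` as unauthenticated before it reads `.credentials` or grants access, so I would add a comment above the branch such as `# Wrong scheme: with auto_error=False return None; the caller must treat the request as unauthenticated`. As a style point, the `else:` after the `raise` is redundant, and a plain `return None` at the level of `if self.auto_error:` reads the same. The enclosing method starts outside the hunk, so the condition guarding the earlier `return None` is not visible here.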
index 1e6eb8bd7f6738359b50bae97bbf4fa91f7274e9..0d66f9c72e5652e1a34a3b423388bc27a5a7130a 100644 (file)
@@ -37,8 +37,8 @@ def test_security_http_digest_incorrect_scheme_credentials():
     response = client.get(
         "/users/me", headers={"Authorization": "Other invalidauthorization"}
     )
-    assert response.status_code == 403, response.text
-    assert response.json() == {"detail": "Invalid authentication credentials"}
+    assert response.status_code == 200, response.text
+    assert response.json() == {"msg": "Create an account first"}
 
 
 def test_openapi_schema():