🐛 Ensure that HTTPDigest only raises an exception when auto_error is True (#2939)

Co-authored-by: svlandeg <sofie.vanlandeghem@gmail.com>
2026-04-08 17:10:44 -04:00 · 2025-02-27 05:29:20 -07:00
parent b021569913
commit ccc7c8fef9
2 changed files with 9 additions and 6 deletions
--- a/fastapi/security/http.py
+++ b/fastapi/security/http.py
@@ -413,8 +413,11 @@ class HTTPDigest(HTTPBase):
            else:
                return None
        if scheme.lower() != "digest":
-            raise HTTPException(
-                status_code=HTTP_403_FORBIDDEN,
-                detail="Invalid authentication credentials",
-            )
+            if self.auto_error:
+                raise HTTPException(
+                    status_code=HTTP_403_FORBIDDEN,
+                    detail="Invalid authentication credentials",
+                )
+            else:
+                return None
        return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
--- a/tests/test_security_http_digest_optional.py
+++ b/tests/test_security_http_digest_optional.py
@@ -37,8 +37,8 @@ def test_security_http_digest_incorrect_scheme_credentials():
    response = client.get(
        "/users/me", headers={"Authorization": "Other invalidauthorization"}
    )
-    assert response.status_code == 403, response.text
-    assert response.json() == {"detail": "Invalid authentication credentials"}
+    assert response.status_code == 200, response.text
+    assert response.json() == {"msg": "Create an account first"}


 def test_openapi_schema():