Merge branch 'master' of https://github.com/aio-libs/aiohttp into py314

Author: kumaraditya303

.github/workflows/ci-cd.yml

@@ -190,7 +190,7 @@ jobs:
         python -m pip install -r requirements/test.in -c requirements/test.txt
     - name: Restore llhttp generated files
       if: ${{ matrix.no-extensions == '' }}
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v5
       with:
         name: llhttp
         path: vendor/llhttp/build/
@@ -277,7 +277,7 @@ jobs:
       run: |
         python -m pip install -r requirements/test.in -c requirements/test.txt
     - name: Restore llhttp generated files
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v5
       with:
         name: llhttp
         path: vendor/llhttp/build/
@@ -341,7 +341,7 @@ jobs:
         python -m
         pip install -r requirements/cython.in -c requirements/cython.txt
     - name: Restore llhttp generated files
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v5
       with:
         name: llhttp
         path: vendor/llhttp/build/
@@ -428,15 +428,15 @@ jobs:
         python -m
         pip install -r requirements/cython.in -c requirements/cython.txt
     - name: Restore llhttp generated files
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v5
       with:
         name: llhttp
         path: vendor/llhttp/build/
     - name: Cythonize
       run: |
         make cythonize
     - name: Build wheels
-      uses: pypa/[email protected].1
+      uses: pypa/[email protected].3
       env:
         CIBW_SKIP: pp* ${{ matrix.musl == 'musllinux' && '*manylinux*' || '*musllinux*' }}
         CIBW_ARCHS_MACOS: x86_64 arm64 universal2
@@ -473,7 +473,7 @@ jobs:
       run: |
         echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
     - name: Download distributions
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v5
       with:
         path: dist
         pattern: dist-*

CHANGES.rst

@@ -10,6 +10,63 @@
 
 .. towncrier release notes start
 
+3.12.15 (2025-07-28)
+====================
+
+Bug fixes
+---------
+
+- Fixed :class:`~aiohttp.DigestAuthMiddleware` to preserve the algorithm case from the server's challenge in the authorization response. This improves compatibility with servers that perform case-sensitive algorithm matching (e.g., servers expecting ``algorithm=MD5-sess`` instead of ``algorithm=MD5-SESS``)
+  -- by :user:`bdraco`.
+
+
+  *Related issues and pull requests on GitHub:*
+  :issue:`11352`.
+
+
+
+
+Improved documentation
+----------------------
+
+- Remove outdated contents of ``aiohttp-devtools`` and ``aiohttp-swagger``
+  from Web_advanced docs.
+  -- by :user:`Cycloctane`
+
+
+  *Related issues and pull requests on GitHub:*
+  :issue:`11347`.
+
+
+
+
+Packaging updates and notes for downstreams
+-------------------------------------------
+
+- Started including the ``llhttp`` :file:`LICENSE` file in wheels by adding ``vendor/llhttp/LICENSE`` to ``license-files`` in :file:`setup.cfg` -- by :user:`threexc`.
+
+
+  *Related issues and pull requests on GitHub:*
+  :issue:`11226`.
+
+
+
+
+Contributor-facing changes
+--------------------------
+
+- Updated a regex in `test_aiohttp_request_coroutine` for Python 3.14.
+
+
+  *Related issues and pull requests on GitHub:*
+  :issue:`11271`.
+
+
+
+
+----
+
+
 3.12.14 (2025-07-10)
 ====================
 

CHANGES/11226.packaging.rst

@@ -245,7 +245,9 @@ async def _encode(
             )
 
         qop_raw = challenge.get("qop", "")
-        algorithm = challenge.get("algorithm", "MD5").upper()
+        # Preserve original algorithm case for response while using uppercase for processing
+        algorithm_original = challenge.get("algorithm", "MD5")
+        algorithm = algorithm_original.upper()
         opaque = challenge.get("opaque", "")
 
         # Convert string values to bytes once
@@ -342,7 +344,7 @@ def KD(s: bytes, d: bytes) -> bytes:
             "nonce": escape_quotes(nonce),
             "uri": path,
             "response": response_digest.decode(),
-            "algorithm": algorithm,
+            "algorithm": algorithm_original,
         }
 
         # Optional fields

CHANGES/11271.contrib.rst

@@ -1268,20 +1268,13 @@ the middleware might use :meth:`BaseRequest.clone`.
    for modifying *scheme*, *host* and *remote* attributes according
    to ``Forwarded`` and ``X-Forwarded-*`` HTTP headers.
 
-Swagger support
----------------
-
-`aiohttp-swagger <https://github.com/cr0hn/aiohttp-swagger>`_ is a
-library that allow to add Swagger documentation and embed the
-Swagger-UI into your :mod:`aiohttp.web` project.
-
 CORS support
 ------------
 
 :mod:`aiohttp.web` itself does not support `Cross-Origin Resource
 Sharing <https://en.wikipedia.org/wiki/Cross-origin_resource_sharing>`_, but
 there is an aiohttp plugin for it:
-`aiohttp_cors <https://github.com/aio-libs/aiohttp_cors>`_.
+`aiohttp-cors <https://github.com/aio-libs/aiohttp-cors>`_.
 
 
 Debug Toolbar
@@ -1324,10 +1317,8 @@ Install with ``pip``:
 
     $ pip install aiohttp-devtools
 
-* ``runserver`` provides a development server with auto-reload,
-  live-reload, static file serving.
-* ``start`` is a `cookiecutter command which does the donkey work
-  of creating new :mod:`aiohttp.web` Applications.
+``adev runserver`` provides a development server with auto-reload,
+live-reload, static file serving.
 
 Documentation and a complete tutorial of creating and running an app
 locally are available at `aiohttp-devtools`_.

aiohttp/client_middleware_digest_auth.py

@@ -1,6 +1,7 @@
 """Test digest authentication middleware for aiohttp client."""
 
 import io
+import re
 from hashlib import md5, sha1
 from typing import Generator, Literal, Union
 from unittest import mock
@@ -211,6 +212,48 @@ async def test_encode_unsupported_algorithm(
         await digest_auth_mw._encode("GET", URL("http://example.com/resource"), b"")
 
 
+@pytest.mark.parametrize("algorithm", ["MD5", "MD5-SESS", "SHA-256"])
+async def test_encode_algorithm_case_preservation_uppercase(
+    digest_auth_mw: DigestAuthMiddleware,
+    qop_challenge: DigestAuthChallenge,
+    algorithm: str,
+) -> None:
+    """Test that uppercase algorithm case is preserved in the response header."""
+    # Create a challenge with the specific algorithm case
+    challenge = qop_challenge.copy()
+    challenge["algorithm"] = algorithm
+    digest_auth_mw._challenge = challenge
+
+    header = await digest_auth_mw._encode(
+        "GET", URL("http://example.com/resource"), b""
+    )
+
+    # The algorithm in the response should match the exact case from the challenge
+    assert f"algorithm={algorithm}" in header
+
+
+@pytest.mark.parametrize("algorithm", ["md5", "MD5-sess", "sha-256"])
+async def test_encode_algorithm_case_preservation_lowercase(
+    digest_auth_mw: DigestAuthMiddleware,
+    qop_challenge: DigestAuthChallenge,
+    algorithm: str,
+) -> None:
+    """Test that lowercase/mixed-case algorithm is preserved in the response header."""
+    # Create a challenge with the specific algorithm case
+    challenge = qop_challenge.copy()
+    challenge["algorithm"] = algorithm
+    digest_auth_mw._challenge = challenge
+
+    header = await digest_auth_mw._encode(
+        "GET", URL("http://example.com/resource"), b""
+    )
+
+    # The algorithm in the response should match the exact case from the challenge
+    assert f"algorithm={algorithm}" in header
+    # Also verify it's not the uppercase version
+    assert f"algorithm={algorithm.upper()}" not in header
+
+
 async def test_invalid_qop_rejected(
     digest_auth_mw: DigestAuthMiddleware, basic_challenge: DigestAuthChallenge
 ) -> None:
@@ -1231,3 +1274,55 @@ def test_in_protection_space_multiple_spaces(
         digest_auth_mw._in_protection_space(URL("http://example.com/secure")) is False
     )
     assert digest_auth_mw._in_protection_space(URL("http://example.com/other")) is False
+
+
+async def test_case_sensitive_algorithm_server(
+    aiohttp_server: AiohttpServer,
+) -> None:
+    """Test authentication with a server that requires exact algorithm case matching.
+
+    This simulates servers like Prusa printers that expect the algorithm
+    to be returned with the exact same case as sent in the challenge.
+    """
+    digest_auth_mw = DigestAuthMiddleware("testuser", "testpass")
+    request_count = 0
+    auth_algorithms: list[str] = []
+
+    async def handler(request: Request) -> Response:
+        nonlocal request_count
+        request_count += 1
+
+        if not (auth_header := request.headers.get(hdrs.AUTHORIZATION)):
+            # Send challenge with lowercase-sess algorithm (like Prusa)
+            challenge = 'Digest realm="Administrator", nonce="test123", qop="auth", algorithm="MD5-sess", opaque="xyz123"'
+            return Response(
+                status=401,
+                headers={"WWW-Authenticate": challenge},
+                text="Unauthorized",
+            )
+
+        # Extract algorithm from auth response
+        algo_match = re.search(r"algorithm=([^,\s]+)", auth_header)
+        assert algo_match is not None
+        auth_algorithms.append(algo_match.group(1))
+
+        # Case-sensitive server: only accept exact case match
+        assert "algorithm=MD5-sess" in auth_header
+        return Response(text="Success")
+
+    app = Application()
+    app.router.add_get("/api/test", handler)
+    server = await aiohttp_server(app)
+
+    async with (
+        ClientSession(middlewares=(digest_auth_mw,)) as session,
+        session.get(server.make_url("/api/test")) as resp,
+    ):
+        assert resp.status == 200
+        text = await resp.text()
+        assert text == "Success"
+
+    # Verify the middleware preserved the exact algorithm case
+    assert request_count == 2  # Initial 401 + successful retry
+    assert len(auth_algorithms) == 1
+    assert auth_algorithms[0] == "MD5-sess"  # Not "MD5-SESS"