In the Digest constructor the 1st function passes in the username, which is where you validate the user exists and then pass back the decrypted password. In the 2nd function, you can validate nonces to avoid replay attacks, but the only parameter passed in, beside the done function, is the params object containing the nonce, cnonce, nc, and opaque values.

I'm not sure how we're supposed to determine which user we're dealing within the nonce validation function. I assume the functions are asynchronous, so theoretically if more than one user is authenticating at the same time, I can't assume that the functions will be synchronously called for the same user and save off the user in a static variable somewhere.

Am I missing something? Thanks.

Why would nonces be user-specific?