Add preemptive authentication support to DigestAuthMiddleware #11129

Merged
merged 7 commits into from
Jun 4, 2025

Member

@bdraco bdraco commented Jun 3, 2025

What do these changes do?

It was discovered that DigestAuthMiddleware doesn't work for some servers because the original implementation didn't implement preemptive support.

This PR adds preemptive authentication support to DigestAuthMiddleware, following RFC 7616 Section 3.6. The middleware now remembers successful authentication challenges and automatically includes the Authorization header in subsequent requests to the same protection space.

Key changes:

  • Added preemptive parameter to DigestAuthMiddleware constructor (default: True)
  • Implemented protection space tracking based on the domain parameter from server challenges
  • When no domain is specified, the entire origin becomes the protection space
  • Added support for the stale parameter to handle expired nonces
  • The middleware only sends preemptive auth to URLs within the same protection space

Are there changes in behavior for the user?

Yes, but backwards compatible:

  • By default, the middleware now uses preemptive authentication (can be disabled with preemptive=False)
  • Subsequent requests to the same protection space will include the Authorization header automatically
  • This improves performance by avoiding unnecessary 401 round trips
  • Matches how modern web browsers handle digest authentication

Related issue number

Fixes #11128
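
The protection-space check described in the PR description above, as an added example (not aiohttp's own code; it follows the prefix rule RFC 7616 gives for the `domain` parameter). The function names and the `device.example` host are hypothetical. It shows why the match has to compare parsed origins and stop at a path boundary, so a remembered credential is not attached to a look-alike host or a sibling path.

```python
from typing import List, Optional
from urllib.parse import urljoin, urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url: str):
    """Return ((scheme, host, port), path) with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or _DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port), p.path or "/"


def protection_space(challenge_url: str, domain: Optional[str]) -> List[str]:
    """Absolute URI prefixes covered by a challenge received at challenge_url."""
    p = urlsplit(challenge_url)
    root = f"{p.scheme}://{p.netloc}/"
    if not domain or not domain.strip():
        return [root]  # no domain: the entire origin is the protection space
    # domain is a space-separated URI list; relative entries resolve against the origin
    return [urljoin(root, uri) for uri in domain.split()]


def in_protection_space(url: str, space: List[str]) -> bool:
    """True only if url shares an origin with a prefix and extends it on a '/' boundary."""
    origin, path = _split(url)
    for prefix in space:
        p_origin, p_path = _split(prefix)
        if origin != p_origin:
            continue  # compare parsed origins, never raw string prefixes
        if path == p_path or path.startswith(p_path.rstrip("/") + "/"):
            return True
    return False


# Constructed challenge: a 401 from https://device.example/login
# carrying domain="/api /admin/"
SPACE = protection_space("https://device.example/login", "/api /admin/")
```

A raw `str.startswith` on the full URL would accept both `https://device.example/apikeys` and `https://device.example.other.example/api/x` for the prefix `https://device.example/api`; the parsed comparison rejects both.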

@bdraco bdraco changed the title from "Implement preemptive digest auth" to "Add preemptive authentication support to DigestAuthMiddleware" Jun 3, 2025

codecov bot commented Jun 3, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.85%. Comparing base (e4bffe9) to head (6a121b1).
Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11129      +/-   ##
==========================================
- Coverage   98.85%   98.85%   -0.01%     
==========================================
  Files         131      131              
  Lines       42425    42630     +205     
  Branches     2282     2297      +15     
==========================================
+ Hits        41938    42140     +202     
- Misses        337      340       +3     
  Partials      150      150              
Flag Coverage Δ
CI-GHA 98.73% <100.00%> (-0.01%) ⬇️
OS-Linux 98.46% <100.00%> (+<0.01%) ⬆️
OS-Windows 96.78% <100.00%> (+0.02%) ⬆️
OS-macOS 97.67% <100.00%> (+0.01%) ⬆️
Py-3.10.11 97.45% <100.00%> (+0.01%) ⬆️
Py-3.10.17 97.94% <100.00%> (+<0.01%) ⬆️
Py-3.11.12 98.10% <100.00%> (+<0.01%) ⬆️
Py-3.11.9 97.62% <100.00%> (+<0.01%) ⬆️
Py-3.12.10 98.50% <100.00%> (+<0.01%) ⬆️
Py-3.13.3 98.48% <100.00%> (+0.01%) ⬆️
Py-3.9.13 97.33% <100.00%> (+0.01%) ⬆️
Py-3.9.22 97.82% <100.00%> (+<0.01%) ⬆️
Py-pypy7.3.16 94.28% <100.00%> (-3.14%) ⬇️
VM-macos 97.67% <100.00%> (+0.01%) ⬆️
VM-ubuntu 98.46% <100.00%> (+<0.01%) ⬆️
VM-windows 96.78% <100.00%> (+0.02%) ⬆️


@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Jun 3, 2025

codspeed-hq bot commented Jun 3, 2025

CodSpeed Performance Report

Merging #11129 will not alter performance

Comparing digest_auth_preemptive (6a121b1) with master (e4bffe9)

Summary

✅ 59 untouched benchmarks

@bdraco bdraco added backport-3.12 Trigger automatic backporting to the 3.12 release branch by Patchback robot backport-3.13 Trigger automatic backporting to the 3.13 release branch by Patchback robot labels Jun 3, 2025
@bdraco bdraco marked this pull request as ready for review June 4, 2025 08:02
@bdraco bdraco requested review from webknjaz and asvetlov as code owners June 4, 2025 08:02
@bdraco bdraco merged commit c0449bb into master Jun 4, 2025
40 checks passed
@bdraco bdraco deleted the digest_auth_preemptive branch June 4, 2025 08:29
Contributor

patchback bot commented Jun 4, 2025

Backport to 3.12: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.12/c0449bb5bfb49904afdc81fc26fa4634cbc66b40/pr-11129

Backported as #11131

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Jun 4, 2025
Contributor

patchback bot commented Jun 4, 2025

Backport to 3.13: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.13/c0449bb5bfb49904afdc81fc26fa4634cbc66b40/pr-11129

Backported as #11132


patchback bot pushed a commit that referenced this pull request Jun 4, 2025
bdraco added a commit that referenced this pull request Jun 4, 2025
…port to DigestAuthMiddleware (#11131)

Co-authored-by: J. Nick Koston <[email protected]>
Fixes #11128
bdraco added a commit that referenced this pull request Jun 4, 2025
…port to DigestAuthMiddleware (#11132)

Co-authored-by: J. Nick Koston <[email protected]>
Fixes #11128

HTTP digest authentication client middleware.

:param str login: login
:param str password: password
:param bool preemptive: Enable preemptive authentication (default: ``True``)
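
Review bot: the `:param bool preemptive:` line gives only the default. It should also say what enabling it does to outgoing requests (the Authorization header is sent without a fresh 401 challenge to URLs in the remembered protection space) and when a caller would pass `preemptive=False`, so the option's effect is visible from the API docs rather than only from the PR description.
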
Member

Is there any point at all to being able to disable this? Seems like a pointless option at a glance. If it's enabled and the server doesn't recognise the header, I think it will respond just the same as if this setting was False, meaning there would be no advantage to disabling it.

Member Author

It's compatibility only, as some really bad IoT device implementations choke if you send it preemptively, so there needs to be a way to disable it. I expect 99.9% of the time you never need to touch it.

Member

Perhaps, spell it out in the docs? Maybe, in a .. hint:: admonition or similar?

Also, when referencing True / False / None in Sphinx, try using the :py:data: role as that's how they are declared in the CPython docs.

Member Author

Added to my queue

Successfully merging this pull request may close these issues.

ClientDigestMiddleware doesn't work like browsers