Posted to user@couchdb.apache.org by Mahendra M <ma...@gmail.com> on 2010/08/05 16:11:01 UTC

Issues while using couchdb http cookie auth

Hi,

I was trying to set up and use couchdb http cookie auth. I could
not find any "official" documentation for the same. A bit of searching around
gave me these.

1. http://pierrel.posterous.com/securing-couchdb (seems new)
2. http://www.mail-archive.com/dev@couchdb.apache.org/msg02631.html (2009)
3. http://www.jasondavies.com/blog/2009/05/27/secure-cookie-authentication-couchdb

My requirement is this.
* Have one db with user related docs.
* The key of the doc is the userid
* The sha1 hashed password for each user is stored in his doc.
* I want to issue cookies based on a userid and password posted to couchdb.

Originally, I was trying to write my own show function to do an auth.
Then I saw that couchdb itself has support for doing this.

The methods discussed in the above thread(s) are really good and I wanted to
try it out. However, it is not working even after following both the examples.

I keep getting an error
{"error":"unauthorized","reason":"Name or password is incorrect."}

The debug logs also don't give out much information.

Looks like I have not set up things properly and the above docs are a bit
confusing. Also, could not find anything on the couchdb wiki.

So, I wanted to check if there is any other documentation on how to make
use of http cookie auth.

Or has anyone tried and got it working?

In link(1), it explains how to set up a single auth scheme for a couchdb node and
making use of /_session to get a cookie.

In link(2), it looks like adding _login and _logout handlers to each db.
Does this mean that each db can have its own user/password sets? Also, what
parameters must be passed to _login? Also, this says that the "users" view
values must have a member "password" whereas the previous link asks for a
member "password_sha".

Which is the correct approach to follow? Or are both valid?
I am a bit confused as of now :-)

Regards,
Mahendra

http://twitter.com/mahendra

Re: Issues while using couchdb http cookie auth

Posted by Nils Breunese <N....@vpro.nl>.
Mahendra M wrote:

> So, I wanted to check if there is any other documentation on how to make
> use of http cookie auth.

These links may help:

http://books.couchdb.org/relax/reference/security
http://wiki.apache.org/couchdb/Security_Features_Overview

Nils.

Re: Issues while using couchdb http cookie auth

Posted by Mahendra M <ma...@gmail.com>.
On Thu, Aug 5, 2010 at 10:41 PM, J Chris Anderson <jc...@apache.org> wrote:
> This is pretty much how the built-in auth works. Jan is working on a document here:
>
> http://wiki.couchapp.org/page/authn-preview

Thanks for this link. It really helped.

> The other thing to do is just use the signup and login buttons on Futon to do the same thing. Look in the lower right corner of http://localhost:5984/_utils/

Yes, I thought about using that code. I actually wanted an API with
which my other modules could log in to couchdb. I was sort of trying to
get ejabberd, drupal etc. to use couchdb's user database. Sort of a
single sign-on thingy.

Regards,
Mahendra

http://twitter.com/mahendra

Re: Issues while using couchdb http cookie auth

Posted by J Chris Anderson <jc...@apache.org>.
On Aug 5, 2010, at 7:11 AM, Mahendra M wrote:

> Hi,
> 
> I was trying to set up and use couchdb http cookie auth. I could
> not find any "official" documentation for the same. A bit of searching around
> gave me these.
> 
> 1. http://pierrel.posterous.com/securing-couchdb (seems new)
> 2. http://www.mail-archive.com/dev@couchdb.apache.org/msg02631.html (2009)
> 3. http://www.jasondavies.com/blog/2009/05/27/secure-cookie-authentication-couchdb
> 
> My requirement is this.
> * Have one db with user related docs.
> * The key of the doc is the userid
> * The sha1 hashed password for each user is stored in his doc.
> * I want to issue cookies based on a userid and password posted to couchdb.
> 

This is pretty much how the built-in auth works. Jan is working on a document here:

http://wiki.couchapp.org/page/authn-preview

The other thing to do is just use the signup and login buttons on Futon to do the same thing. Look in the lower right corner of http://localhost:5984/_utils/

I have code here that also does signup and login (using the jquery plugin that ships with couch):

http://github.com/couchapp/couchapp/blob/master/vendor/evently/account/doSignup.js


> Originally, I was trying to write my own show function to do an auth.
> Then I saw that couchdb itself has support for doing this.
> 
> The methods discussed in the above thread(s) are really good and I wanted to
> try it out. However, it is not working even after following both the examples.
> 
> I keep getting an error
> {"error":"unauthorized","reason":"Name or password is incorrect."}
> 
> The debug logs also don't give out much information.
> 
> Looks like I have not set up things properly and the above docs are a bit
> confusing. Also, could not find anything on the couchdb wiki.
> 
> So, I wanted to check if there is any other documentation on how to make
> use of http cookie auth.
> 
> Or has anyone tried and got it working?
> 
> In link(1), it explains how to set up a single auth scheme for a couchdb node and
> making use of /_session to get a cookie.
> 
> In link(2), it looks like adding _login and _logout handlers to each db.
> Does this mean that each db can have its own user/password sets? Also, what
> parameters must be passed to _login? Also, this says that the "users" view
> values must have a member "password" whereas the previous link asks for a
> member "password_sha".
> 
> Which is the correct approach to follow? Or are both valid?
> I am a bit confused as of now :-)
> 
> Regards,
> Mahendra
> 
> http://twitter.com/mahendra
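
The built-in scheme mentioned in the reply above, sketched as an added example (not code from this thread or from the CouchDB project): a user document carrying `password_sha`, a check of a posted password against it, and the `/_session` login request. Assumptions not stated in the thread: the document layout (`org.couchdb.user:` id prefix, `salt`, `password_sha` = SHA-1 of password followed by salt) follows the CouchDB 1.0-era user database format, and the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode
from urllib.request import Request


def make_user_doc(name, password, roles=(), salt=None):
    """Build a user document in the assumed CouchDB 1.0-era layout."""
    salt = salt or secrets.token_hex(16)  # per-user random salt
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return {
        "_id": "org.couchdb.user:" + name,
        "type": "user",
        "name": name,
        "roles": list(roles),
        "salt": salt,
        "password_sha": digest,
    }


def check_password(user_doc, password):
    """Recompute the salted hash and compare it in constant time."""
    candidate = hashlib.sha1(
        (password + user_doc["salt"]).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, user_doc["password_sha"])


def session_request(base_url, name, password):
    """Prepare (but do not send) the form-encoded POST to /_session."""
    body = urlencode({"name": name, "password": password}).encode("ascii")
    return Request(
        base_url.rstrip("/") + "/_session",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    doc = make_user_doc("alice", "s3cret", salt="constructed-salt")
    print(doc["_id"], doc["password_sha"])
    print(check_password(doc, "s3cret"), check_password(doc, "wrong"))
    req = session_request("http://localhost:5984", "alice", "s3cret")
    print(req.get_method(), req.full_url, req.data)
```

Salted SHA-1 is a fast hash, so the user database needs restricted read access, and the password travels in the request body, so the `/_session` POST belongs on TLS.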