Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/09/18 20:04:09 UTC

[GitHub] ahayes opened a new issue #1607: Replicator fails to authenticate to open db after cookie timeout

URL: https://github.com/apache/couchdb/issues/1607
 
 
   ## Expected Behavior
   
   A replicator document with valid credentials for a target database should continue to present valid credentials when replicating. Even when a target database allows anonymous writes, there may be validate_doc_update scripts that make decisions based on the user performing the replication.
   
   ## Current Behavior
   
   If the target database does not require authentication, the replicator may function with the user context of the administrator creating the replication document until the authentication cookie expires. At this point, the target database will ignore the expired cookie and accept documents, but any validate_doc_update scripts that make decisions based on user context will instead receive an 'undefined' user context.
   
   ## Possible Solution
   
   - Reject expired authentication cookies.
   - Use basic auth.
   
   ## Steps to Reproduce (for bugs)
   1. Set up target database that is open for anonymous writing.
   2. Create VDU on target database that rejects documents from non-admin users.
   3. Create a continuous replication document from a source database to the target database and specify admin credentials.
   4. Wait over 10 minutes (cookie session timeout) and add a document to the source database.
   
   ## Context
   
   Our Nunaliit tool makes a lot of decisions in the VDU about which documents can be updated based on roles and fields in documents. The configuration of Nunaliit permits decisions about whether or not to accept anonymous writes or to require valid users. In addition, valid users may be required to agree to terms (attribute on user doc because terms may be versioned, etc.) of use or take other steps before being granted write or edit permissions.
   
   We have designed Nunaliit to work with CouchDB without assuming that we are the only code touching it. Making configuration changes at a database level or customizing plugin settings is something we'd like to avoid. Ideally the cookie auth would have the same behaviour as the basic auth.
   
   ## Your Environment
   * Version used: 2.2.0
   * Browser Name and version: Chrome/Firefox (latest)
   * Operating System and version (desktop or mobile): Ubuntu 16.04 server. Various clients.
   * Link to your project: http://nunaliit.org
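
The following is an added example, not part of the original issue and not Nunaliit or CouchDB project code: a validate_doc_update function of the kind described in step 2, written to fail closed, run against the user contexts the replicator would present before and after its session cookie expires. The `checkWrite` harness and the sample contexts are constructed, and the anonymous context shape (`name: null`, empty `roles`) is an assumption.

```javascript
// VDU for the target database: only admins may write.
// The (newDoc, oldDoc, userCtx, secObj) signature and the thrown
// {unauthorized}/{forbidden} objects follow CouchDB's VDU convention.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  // Treat a missing context, a null name and an empty role list as
  // anonymous, so an expired cookie can never fall through to "accept".
  var roles = (userCtx && Array.isArray(userCtx.roles)) ? userCtx.roles : [];
  var name = userCtx ? userCtx.name : null;
  if (!name && roles.length === 0) {
    throw { unauthorized: 'authentication required' };
  }
  if (roles.indexOf('_admin') === -1) {
    throw { forbidden: 'only admins may write to this database' };
  }
}

// Hypothetical harness: call the VDU as the server would, return the outcome.
function checkWrite(userCtx) {
  try {
    validate_doc_update({ _id: 'doc1' }, null, userCtx, {});
    return 'accepted';
  } catch (e) {
    if (e && e.unauthorized) return 'unauthorized';
    if (e && e.forbidden) return 'forbidden';
    throw e; // a real bug in the VDU, not a validation decision
  }
}

// Constructed contexts: what the VDU sees at each stage of the replication.
const SAMPLE_CONTEXTS = {
  freshCookie:    { db: 'target', name: 'admin', roles: ['_admin'] },
  expiredCookie:  { db: 'target', name: null, roles: [] },
  missingContext: undefined,
  ordinaryUser:   { db: 'target', name: 'alice', roles: ['editor'] }
};

function runAll() {
  const out = {};
  for (const k of Object.keys(SAMPLE_CONTEXTS)) {
    out[k] = checkWrite(SAMPLE_CONTEXTS[k]);
  }
  return out;
}

console.log(runAll());
```

A replication that starts returning `unauthorized` for writes it previously completed, roughly one session timeout after it was created, matches the behaviour reported here.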
   
