Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/11/19 20:04:22 UTC

[GitHub] joep opened a new issue #134: CORS authentication issues

URL: https://github.com/apache/couchdb-nano/issues/134
## Expected Behavior

Nano.auth can be problematic in a COR setting (which I imagine is nearly all of them, since even different ports on the same host are considered cross-origin requests). The _withCredentials_ flag isn't being set (https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials) on the authentication request, and none of the browsers I tested (safari, firefox, chrome) will store or use the returned couchdb authentication cookie for any of the following requests to nano.
   
## Current Behavior

This was a bit of a challenge to figure out, since whenever I ran a simple couple of requests (nano.auth followed by a nano.session) on nodejs it had the expected behavior, but from any browser, even though the authentication request would succeed (i.e., I could see the valid authentication cookie being returned), all of the following requests that require authentication would fail because the browser discarded the authentication cookie due to the lack of the _withCredentials_ flag.
   
## Possible Solution

I would suggest setting the _withCredentials_ flag true on the request since, according to the info linked above, the flag has no effect on non-COR requests anyway. If that is deemed some sort of security issue, then maybe at least put something in the docs?
   
## Steps to Reproduce (for bugs)

1. Run on any of firefox, safari, or chrome (provide correct url, username, and password of course).

```js
// Placeholders: replace with the real credentials for your CouchDB instance.
const username = 'USERNAME'
const password = 'PASSWORD'

// Step 1 as posted: no requestDefaults, so the browser does not set withCredentials.
const nano = require('nano')({ url: 'http://127.0.0.1:5984' })

// Log in; CouchDB answers with the authentication cookie.
nano.auth(username, password).then((ctx) => {
  console.log(ctx)
  // In a browser this call comes back unauthenticated, because the cookie
  // returned above was discarded without withCredentials.
  nano.session().then((ctx) => {
    console.log(ctx)
  })
})
```

2. Change the first line to:
`const nano = require('nano')({url: 'http://127.0.0.1:5984',  requestDefaults: {withCredentials: true}})`
and it works as expected.
   
## Your Environment

Nano version 7.1.1
Firefox 63.0.3
   
   
