Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/08/13 12:44:20 UTC

[GitHub] [couchdb] AyanamiSan edited a comment on issue #3074: require_valid_user blocks OPTIONS request against _session

AyanamiSan edited a comment on issue #3074:
URL: https://github.com/apache/couchdb/issues/3074#issuecomment-673455225


   Seems my curl request was missing the 'Origin' header; here are the corrected versions (the spaces after parameters are optional and do not change the result)
   
   ```
   frater260@frater260 ~ 21:16:10$ curl -i -X OPTIONS -H 'Origin: http://10.23.5.1' -H 'Content-Type: application/json' -d '{"name":"a","password":"a"}' 10.7.7.31:5984/_session
   HTTP/1.1 401 Unauthorized
   Access-Control-Allow-Credentials: true
   Access-Control-Allow-Origin: http://10.23.5.1
   Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
   Cache-Control: must-revalidate
   Connection: close
   Content-Length: 61
   Content-Type: application/json
   Date: Thu, 13 Aug 2020 12:16:22 GMT
   Server: CouchDB/3.1.0 (Erlang OTP/22)
   X-Couch-Request-ID: 6b1c31e832
   X-CouchDB-Body-Time: 0
   X-Frame-Options: DENY
   
   {"error":"unauthorized","reason":"Authentication required."}
   ```
   ```
   frater260@frater260 ~ 21:13:54$ curl -i -H 'Origin: http://10.23.5.1' -H 'Content-Type: application/json' -d '{"name":"a","password":"a"}' 10.7.7.31:5984/_session
   HTTP/1.1 200 OK
   Access-Control-Allow-Credentials: true
   Access-Control-Allow-Origin: http://10.23.5.1
   Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
   Cache-Control: must-revalidate
   Content-Length: 34
   Content-Type: application/json
   Date: Thu, 13 Aug 2020 12:16:09 GMT
   Server: CouchDB/3.1.0 (Erlang OTP/22)
   Set-Cookie: AuthSession=YTo1RjM1MkYwQTofhP6AIyBfKaDYe0v5_VK3b8zrUQ; Version=1; Expires=Fri, 14-Aug-2020 12:16:10 GMT; Max-Age=86400; Path=/; HttpOnly; SameSite=Strict
   X-Frame-Options: DENY
   
   {"ok":true,"name":"a","roles":[]}
   ```
   
   I think my problem is that the OPTIONS request returns a 4XX response instead of the expected 2XX. I will need to do some more testing to check if that's the problem, and if/how I can fix that problem on my side.
   (I also see that OPTIONS returns a 405 status code for requests with a cookie - I would expect it to send 204 No Content, but it seems that in some settings or with some browsers it works correctly regardless of the response status)
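Added example (not code from the issue or from CouchDB): a Python check of whether a browser would accept a CORS preflight response, applying the Fetch standard's preflight rules (2xx status, Allow-Origin matching the request origin, Allow-Credentials when cookies are sent, and every non-safelisted request header listed in Allow-Headers). The failing sample is constructed from the 401 response quoted above; the passing 204 is a hypothetical reply to the same preflight, with the origin and header names taken from the issue.

```python
from typing import Dict, List, Tuple

def parse_http_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse a raw HTTP/1.1 response head into (status code, lowercased header map)."""
    head = raw.replace("\r\n", "\n").strip().split("\n\n", 1)[0].splitlines()
    headers: Dict[str, str] = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(head[0].split()[1]), headers

def preflight_problems(status: int, headers: Dict[str, str], origin: str,
                       unsafe_headers: List[str], credentials: bool = True) -> List[str]:
    """Return why a browser would reject this preflight response; empty list means OK."""
    problems: List[str] = []
    if not 200 <= status <= 299:  # browsers require an ok status on the preflight itself
        problems.append(f"status {status} is not 2xx")
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        problems.append("missing Access-Control-Allow-Origin")
    elif acao == "*" and credentials:
        problems.append("wildcard origin is rejected when credentials are included")
    elif acao not in ("*", origin):
        problems.append(f"Allow-Origin {acao!r} does not match {origin!r}")
    if credentials and headers.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    allowed = [v.strip().lower() for v in
               headers.get("access-control-allow-headers", "").split(",") if v.strip()]
    for name in unsafe_headers:  # '*' only acts as a wildcard for credential-less requests
        if name.lower() not in allowed and (credentials or "*" not in allowed):
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems

# Constructed from the 401 preflight response quoted above (most headers omitted).
FAILING_PREFLIGHT = """HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Content-Type: application/json"""

# Constructed: a hypothetical reply to the same preflight that a browser would accept.
PASSING_PREFLIGHT = """HTTP/1.1 204 No Content
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Access-Control-Allow-Headers: content-type"""

def check(raw: str) -> List[str]:
    """Evaluate a raw response as the preflight for the issue's POST /_session request.
    POST is a CORS-safelisted method, so only the non-safelisted Content-Type value
    (application/json) needs to be allowed; Allow-Methods is not required here."""
    status, headers = parse_http_response(raw)
    return preflight_problems(status, headers, "http://10.23.5.1", ["Content-Type"])
```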


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org