Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/08/13 12:44:20 UTC
[GitHub] [couchdb] AyanamiSan edited a comment on issue #3074: require_valid_user blocks OPTIONS request against _session
AyanamiSan edited a comment on issue #3074:
URL: https://github.com/apache/couchdb/issues/3074#issuecomment-673455225
It seems my curl request was missing the 'Origin' header; here are the corrected versions (the spaces after parameters are optional and do not change the result):
```
frater260@frater260 ~ 21:16:10$ curl -i -X OPTIONS -H 'Origin: http://10.23.5.1' -H 'Content-Type: application/json' -d '{"name":"a","password":"a"}' 10.7.7.31:5984/_session
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Connection: close
Content-Length: 61
Content-Type: application/json
Date: Thu, 13 Aug 2020 12:16:22 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
X-Couch-Request-ID: 6b1c31e832
X-CouchDB-Body-Time: 0
X-Frame-Options: DENY

{"error":"unauthorized","reason":"Authentication required."}
```
```
frater260@frater260 ~ 21:13:54$ curl -i -H 'Origin: http://10.23.5.1' -H 'Content-Type: application/json' -d '{"name":"a","password":"a"}' 10.7.7.31:5984/_session
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Content-Length: 34
Content-Type: application/json
Date: Thu, 13 Aug 2020 12:16:09 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
Set-Cookie: AuthSession=YTo1RjM1MkYwQTofhP6AIyBfKaDYe0v5_VK3b8zrUQ; Version=1; Expires=Fri, 14-Aug-2020 12:16:10 GMT; Max-Age=86400; Path=/; HttpOnly; SameSite=Strict
X-Frame-Options: DENY

{"ok":true,"name":"a","roles":[]}
```
I think my problem is that the OPTIONS request returns a 4XX response instead of the expected 2XX. I will need to do some more testing to check if that's the problem, and if/how I can fix that problem on my side.
(I also see that OPTIONS returns a 405 status code for requests with a cookie - I would expect it to send 204 No Content, but it seems that in some settings or with some browsers it works correctly regardless of the response status)
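The status-code question raised in the comment above, as an added example that is not part of the original comment or of CouchDB's code: under the Fetch standard a browser accepts a CORS preflight only when the response status is 2xx and the `Access-Control-*` headers cover the request, so the check below is run over the captured 401. Function names, the trimmed copy of the captured response and the 204 sample are constructed for illustration; the `unsafe_headers` default assumes the JSON `Content-Type` used in the curl commands, and method matching is simplified to exact comparison.

```python
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
def parse_response(raw):
    """Split `curl -i` style output into (status code, lower-cased header dict)."""
    lines = raw.strip().split("\n\n", 1)[0].splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def preflight_problems(raw, origin, method="POST", unsafe_headers=("content-type",), credentials=True):
    """List the reasons a browser would fail this CORS preflight response."""
    status, h = parse_response(raw)
    problems = []
    if not 200 <= status <= 299:
        problems.append(f"status {status} is not 2xx")
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin != origin and (credentials or allow_origin != "*"):
        problems.append("Access-Control-Allow-Origin does not match the origin")
    if credentials and h.get("access-control-allow-credentials") != "true":
        problems.append("Access-Control-Allow-Credentials is not 'true'")
    wildcard_ok = not credentials  # "*" is only a wildcard without credentials
    methods = {m.strip() for m in h.get("access-control-allow-methods", "").split(",")}
    if method not in (SAFELISTED_METHODS | methods) and not (wildcard_ok and "*" in methods):
        problems.append(f"method {method} not in Access-Control-Allow-Methods")
    allowed = {t.strip().lower() for t in h.get("access-control-allow-headers", "").split(",")}
    for name in unsafe_headers:
        if name.lower() not in allowed and not (wildcard_ok and "*" in allowed):
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems

# Trimmed copy of the 401 response to OPTIONS shown in the comment above.
CAPTURED_401 = """HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1

{"error":"unauthorized","reason":"Authentication required."}
"""

# Constructed response (not CouchDB output) that satisfies the same checks.
CONSTRUCTED_204 = """HTTP/1.1 204 No Content
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Access-Control-Allow-Headers: content-type
"""

if __name__ == "__main__":
    print(preflight_problems(CAPTURED_401, "http://10.23.5.1"))
```

The curl request in the comment carries no `Access-Control-Request-Method` or `Access-Control-Request-Headers`, so it is not the exact preflight a browser sends; the check only evaluates the response that came back.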