Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/08/12 21:06:40 UTC
[GitHub] [couchdb] AyanamiSan opened a new issue #3074: require_valid_user blocks OPTIONS request against _session
AyanamiSan opened a new issue #3074:
URL: https://github.com/apache/couchdb/issues/3074
## Description
CouchDB set up with cookie auth and require_valid_user blocks login attempts from the browser in a cross-domain setting, due to the OPTIONS request to _session being blocked.
## Steps to Reproduce
enable require_valid_user and cookie authentication
```
$ curl -i -XOPTIONS -H'Content-Type: application/json' -d'{"name":"a","password":"a"}' 10.7.7.31:5984/_session
HTTP/1.1 401 Unauthorized
Cache-Control: must-revalidate
Connection: close
Content-Length: 61
Content-Type: application/json
Date: Wed, 12 Aug 2020 20:24:09 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
X-Couch-Request-ID: 0354a136fc
X-CouchDB-Body-Time: 0
X-Frame-Options: DENY
```
## Expected Behaviour
OPTIONS header returns status 200 with correct CORS headers as set in the configuration.
## Your Environment
Entire dev setup is inside a VPN; CouchDB runs in a FreeBSD jail and is accessed from the JavaScript web app (PouchDB-based) running from another jail. Also, direct access to _utils.
NOTE: I have www authentication enabled, but without WWW-Authenticate, since I don't want the popup to show up - basic auth is used only for curl requests and for access from the backend server running on another node. This should be unrelated, and the database behaves correctly when accessing _session endpoint with CORS disabled in the browser.
CORS settings from local.ini:
```
[cors]
origins = http://10.0.1.1,http://10.0.1.1:8080
credentials = true
headers = accept, authorization, content-type, origin, referer
methods = GET, PUT, POST, HEAD, OPTIONS, DELETE
max_age = 3600
```
```
$ curl admin:<password>@10.0.1.2:5984/
{"couchdb":"Welcome","version":"3.1.0","git_sha":"ff0feea20","uuid":"...","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"FreeBSD"}}
```
* CouchDB version used: couchdb3-3.1.0_1 (built from FreeBSD ports)
* Browser name and version: all modern browsers
* Operating system and version: any (client), FreeBSD 11.3 (server)
## Additional Context
Related to:
https://github.com/apache/couchdb/issues/1947
https://github.com/apache/couchdb/pull/2321
PS. If you don't have time to fix the issue I can try to fix this myself and create a pull request, but I only know the very basics of Erlang.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [couchdb] wohali commented on issue #3074: require_valid_user blocks OPTIONS request against _session
Posted by GitBox <gi...@apache.org>.
wohali commented on issue #3074:
URL: https://github.com/apache/couchdb/issues/3074#issuecomment-673146796
This is not my code, so I can't answer how fast the team will get to this part, but any pull request will accelerate getting the problem resolved. At the very least, it'll get more attention than just filing an issue.
[GitHub] [couchdb] AyanamiSan edited a comment on issue #3074: require_valid_user blocks OPTIONS request against _session
Posted by GitBox <gi...@apache.org>.
AyanamiSan edited a comment on issue #3074:
URL: https://github.com/apache/couchdb/issues/3074#issuecomment-673455225
Seems my curl request was missing the 'Origin' header; here are corrected versions (the spaces after parameters are optional and do not change the result):
```
frater260@frater260 ~ 21:16:10$ curl -i -X OPTIONS -H 'Origin: http://10.23.5.1' -H 'Content-Type: application/json' -d '{"name":"a","password":"a"}' 10.7.7.31:5984/_session
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Connection: close
Content-Length: 61
Content-Type: application/json
Date: Thu, 13 Aug 2020 12:16:22 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
X-Couch-Request-ID: 6b1c31e832
X-CouchDB-Body-Time: 0
X-Frame-Options: DENY
{"error":"unauthorized","reason":"Authentication required."}
```
```
frater260@frater260 ~ 21:13:54$ curl -i -H 'Origin: http://10.23.5.1' -H 'Content-Type: application/json' -d '{"name":"a","password":"a"}' 10.7.7.31:5984/_session
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Content-Length: 34
Content-Type: application/json
Date: Thu, 13 Aug 2020 12:16:09 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
Set-Cookie: AuthSession=YTo1RjM1MkYwQTofhP6AIyBfKaDYe0v5_VK3b8zrUQ; Version=1; Expires=Fri, 14-Aug-2020 12:16:10 GMT; Max-Age=86400; Path=/; HttpOnly; SameSite=Strict
X-Frame-Options: DENY
{"ok":true,"name":"a","roles":[]}
```
I think my problem is that the OPTIONS request returns a 4XX response instead of the expected 2XX. I will need to do some more testing to check if that's the problem, and if/how I can fix that problem on my side.
(I also see that OPTIONS returns a 405 status code for requests with a cookie. I would expect it to send 204 No Content, but it seems that in some settings or with some browsers it works correctly regardless of the response status.)
[GitHub] [couchdb] AyanamiSan commented on issue #3074: require_valid_user blocks OPTIONS request against _session
Posted by GitBox <gi...@apache.org>.
AyanamiSan commented on issue #3074:
URL: https://github.com/apache/couchdb/issues/3074#issuecomment-674432544
Found the core of the issue. Seems a request without the `Access-Control-Request-Method` header returns a 4XX response. As long as I add this header I get the expected 204.
So in the end, this seems to be an error on my side, sorry for the trouble.
Below are curl requests that show the difference.
```
$ curl -i -H'Origin: http://10.23.5.1:8080' -XOPTIONS http://10.7.7.31:5984/_session
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1:8080
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Content-Length: 61
Content-Type: application/json
Date: Sat, 15 Aug 2020 18:16:11 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
X-Couch-Request-ID: 1e2bde9334
X-CouchDB-Body-Time: 0
X-Frame-Options: DENY
{"error":"unauthorized","reason":"Authentication required."}
```
```
$ curl -i -H'Origin: http://10.23.5.1:8080' -H'Access-Control-Request-Method: POST' -XOPTIONS http://10.7.7.31:5984/_session
HTTP/1.1 204 No Content
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers:
Access-Control-Allow-Methods: GET, PUT, POST, HEAD, OPTIONS, DELETE
Access-Control-Allow-Origin: http://10.23.5.1:8080
Access-Control-Max-Age: 3600
Content-Length: 0
Date: Sat, 15 Aug 2020 18:16:37 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
X-Couch-Request-ID: 7be1dd8a0a
X-CouchDB-Body-Time: 0
X-Frame-Options: DENY
```
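The three curl calls in this thread differ only in which request headers are present, and that decides whether the OPTIONS is treated as a CORS preflight (answered before authentication) or as an ordinary request (subject to require_valid_user). The Python below is an added example, not CouchDB's code: it parses the [cors] section quoted earlier in the issue and reproduces the outcomes observed above. Its rules are assumptions drawn from the responses in the thread: a preflight is OPTIONS plus Origin plus Access-Control-Request-Method; a preflight against a listed origin is answered 204 with the configured Allow-* headers before any auth check; an origin outside the list simply gets no Access-Control-Allow-Origin; an authenticated OPTIONS that is not a preflight gets the 405 seen above. The `authenticated` flag stands in for credential checking, which the example does not implement.

```python
# Added example (not CouchDB's code): a small model of how a CORS preflight is
# recognised and answered, built only from the behaviour visible in this thread.
# Model assumptions are marked in the comments below.
import configparser

# Constructed sample, copied from the [cors] section quoted in the issue.
LOCAL_INI = """\
[cors]
origins = http://10.0.1.1,http://10.0.1.1:8080
credentials = true
headers = accept, authorization, content-type, origin, referer
methods = GET, PUT, POST, HEAD, OPTIONS, DELETE
max_age = 3600
"""


def _split(value):
    """Split a comma-separated ini value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_cors(ini_text):
    """Parse the [cors] section of local.ini-style text into a dict."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    section = parser["cors"]
    return {
        "origins": _split(section.get("origins", "")),
        "credentials": section.getboolean("credentials", fallback=False),
        "headers": [h.lower() for h in _split(section.get("headers", ""))],
        "methods": [m.upper() for m in _split(section.get("methods", ""))],
        "max_age": section.get("max_age"),
    }


def is_preflight(method, headers):
    """A CORS preflight is OPTIONS + Origin + Access-Control-Request-Method."""
    lower = {k.lower() for k in headers}
    return (method.upper() == "OPTIONS"
            and "origin" in lower
            and "access-control-request-method" in lower)


def handle(method, headers, cors, require_valid_user=True, authenticated=False):
    """Return (status, response_headers) for one request under the model.

    `authenticated` means "the request carried acceptable credentials"
    (Basic auth, an AuthSession cookie, or a valid name/password body on
    POST /_session); credential checking itself is out of scope here.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    # Origins must match scheme, host and port exactly (or the list holds "*").
    origin_ok = origin is not None and (origin in cors["origins"] or "*" in cors["origins"])
    resp = {}
    if origin_ok:
        resp["Access-Control-Allow-Origin"] = origin
        if cors["credentials"]:
            resp["Access-Control-Allow-Credentials"] = "true"

    if is_preflight(method, headers):
        # Model assumption: the preflight is answered before authentication is
        # consulted. For an origin outside the allow-list the Allow-* headers
        # are absent and the browser fails the request on its side.
        if origin_ok:
            requested = [x.lower() for x in _split(h.get("access-control-request-headers", ""))]
            resp["Access-Control-Allow-Methods"] = ", ".join(cors["methods"])
            # Echo only the requested headers that the config allows (empty
            # when the browser asked for none, as in the 204 response above).
            resp["Access-Control-Allow-Headers"] = ", ".join(x for x in requested if x in cors["headers"])
            if cors["max_age"] is not None:
                resp["Access-Control-Max-Age"] = cors["max_age"]
        return 204, resp

    # Not a preflight: the normal handler runs and require_valid_user applies.
    if require_valid_user and not authenticated:
        return 401, resp
    if method.upper() == "OPTIONS":
        return 405, resp  # as observed in the thread for OPTIONS with a cookie
    return 200, resp


if __name__ == "__main__":
    cfg = load_cors(LOCAL_INI)
    cases = [
        ("OPTIONS", {"Content-Type": "application/json"}),
        ("OPTIONS", {"Origin": "http://10.0.1.1:8080"}),
        ("OPTIONS", {"Origin": "http://10.0.1.1:8080", "Access-Control-Request-Method": "POST"}),
    ]
    for method, hdrs in cases:
        status, out = handle(method, hdrs, cfg)
        print(method, sorted(hdrs), "->", status, out)
```

Running the block prints the 401, 401 and 204 outcomes for the same three header combinations the curl calls used. The exact-match origin check is why the quoted config lists `http://10.0.1.1` and `http://10.0.1.1:8080` separately: a page served on port 8080 sends that port in its Origin header and would not match the bare entry.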
[GitHub] [couchdb] wohali commented on issue #3074: require_valid_user blocks OPTIONS request against _session
Posted by GitBox <gi...@apache.org>.
wohali commented on issue #3074:
URL: https://github.com/apache/couchdb/issues/3074#issuecomment-674439734
Closing per user request.
[GitHub] [couchdb] wohali closed issue #3074: require_valid_user blocks OPTIONS request against _session
Posted by GitBox <gi...@apache.org>.
wohali closed issue #3074:
URL: https://github.com/apache/couchdb/issues/3074
[GitHub] [couchdb] SinanGabel commented on issue #3074: require_valid_user blocks OPTIONS request against _session
Posted by GitBox <gi...@apache.org>.
SinanGabel commented on issue #3074:
URL: https://github.com/apache/couchdb/issues/3074#issuecomment-673412582
CouchDB 3.1 cookie authentication works fine on Ubuntu using PouchDB authentication.
CouchDB 3.1 cookie authentication also works fine through couchdb-nano Node.js apps.
In your above curl call there are some missing spaces.
You may want to check _users Permissions for your user making the request.
Also try with origins=*
Also ensure there is:
```
[httpd]
authentication_handlers = {couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}
enable_cors = true
[couch_httpd_auth]
allow_persistent_cookies = true
```
Also some browsers now require correct SameSite settings.
[GitHub] [couchdb] AyanamiSan commented on issue #3074: require_valid_user blocks OPTIONS request against _session
Posted by GitBox <gi...@apache.org>.
AyanamiSan commented on issue #3074:
URL: https://github.com/apache/couchdb/issues/3074#issuecomment-673455225
Seems my curl request was missing the 'Origin' header; here are corrected versions (the spaces after parameters are optional and do not change the result):
```
frater260@frater260 ~ 21:16:10$ curl -i -X OPTIONS -H 'Origin: http://10.23.5.1' -H 'Content-Type: application/json' -d '{"name":"a","password":"a"}' 10.7.7.31:5984/_session
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Connection: close
Content-Length: 61
Content-Type: application/json
Date: Thu, 13 Aug 2020 12:16:22 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
X-Couch-Request-ID: 6b1c31e832
X-CouchDB-Body-Time: 0
X-Frame-Options: DENY
{"error":"unauthorized","reason":"Authentication required."}
```
```
frater260@frater260 ~ 21:13:54$ curl -i -H 'Origin: http://10.23.5.1' -H 'Content-Type: application/json' -d '{"name":"a","password":"a"}' 10.7.7.31:5984/_session
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.23.5.1
Access-Control-Expose-Headers: content-type, cache-control, accept-ranges, etag, server, x-couch-request-id, x-couch-update-newrev, x-couchdb-body-time
Cache-Control: must-revalidate
Content-Length: 34
Content-Type: application/json
Date: Thu, 13 Aug 2020 12:16:09 GMT
Server: CouchDB/3.1.0 (Erlang OTP/22)
Set-Cookie: AuthSession=YTo1RjM1MkYwQTofhP6AIyBfKaDYe0v5_VK3b8zrUQ; Version=1; Expires=Fri, 14-Aug-2020 12:16:10 GMT; Max-Age=86400; Path=/; HttpOnly; SameSite=Strict
X-Frame-Options: DENY
{"ok":true,"name":"a","roles":[]}
```
I think my problem is that the OPTIONS request returns a 4XX response instead of the expected 2XX. I will need to do some more testing to check if that's true, and if/how I can fix that problem on my side.
(I also see that OPTIONS returns a 405 status code for requests with a cookie. I would expect it to send 204 No Content, but it seems that in some settings or with some browsers it works correctly regardless of the response status.)