Posted to user@couchdb.apache.org by Will Holcomb <wi...@dhappy.org> on 2014/05/14 16:36:24 UTC

authentication issues

I have a couch server running and I am attempting to access it from a web
application server from port 80. I am having difficulty authenticating.

The code I am using to test is:

var host = 'http://localhost:5984'
var url = host + "/wells/"
var username = 'will'
var password = 'secret'

// Succeeds
$.post(
    host + "/_session",
    { name: username, password: password },
    function() {
        console.log( 'cookie', document.cookie ) // doesn't include AuthSession
        $.get( url ) // Fails 401 unauthorized
    }
)

var hostParts = host.split( '://' ) // [ 'http', 'localhost:5984' ]
var hostWithAuth = hostParts[0] + "://" + username + ":" + password + "@" + hostParts[1]
$.get( hostWithAuth ) // Fails unauthorized, credentials removed from url

// Fails unauthorized
$.ajax( {
    url: url,
    username: username,
    password: password,
    success: function() {
        console.log( arguments )
    },
    xhrFields: { withCredentials: true },
    headers: {
        Authorization: "Basic " + btoa( username + ":" + password )
    }
} )

// Fails unauthorized
var xmlHttp = new XMLHttpRequest()
xmlHttp.open( 'GET', url, false, username, password )
xmlHttp.send( null )
console.log( xmlHttp.responseText )

It seems as though my credentials are being removed when I try to pass them
in the url and none of the other methods work.

-Will

Re: authentication issues

Posted by Robert Samuel Newson <rn...@apache.org>.
Jens,

Config changes are persistent but it sounds like you’re editing the file underneath couch rather than using /_config -X PUT.

The reason we don’t send this header is to avoid the modal dialog prompt that user agents present when they see that header. Instead, we send a 301 redirect to a (configurable) login page. If your Accept header includes text/html, that is. If it doesn’t, we serve a 'proper' response, since we reason you are a machine or library and not a user agent.

B.

On 16 May 2014, at 01:02, Jens Alfke <je...@couchbase.com> wrote:

> 
> On May 14, 2014, at 7:36 AM, Will Holcomb <wi...@dhappy.org> wrote:
> 
>> I have a couch server running and I am attempting to access it from a web
>> application server from port 80. I am having difficulty authenticating.
> 
> CouchDB doesn’t send a WWW-Authenticate header in the response when it returns a 401 status. There was some reason for doing this (having to do with clients accessing CouchDB from a web browser?) but it’s nonstandard and it really messes up a lot of HTTP client libraries.
> 
> The workaround is to edit your CouchDB config and add a new variable to the ‘httpd’ section, whose key is “WWW-Authenticate” and value is something like
> 	Basic realm="CouchDB"
> 
> And it gets worse! You have to do this workaround *every time CouchDB starts up* because it fails to persist the changed config properly — after relaunch the key will have changed to “www-authenticate” which doesn’t work.
> 
> Yes, I filed a bug on this. It’s really annoying.
> 
> —Jens


Re: authentication issues

Posted by Robert Samuel Newson <rn...@apache.org>.
You can ask it to with an X-CouchDB-WWW-Authenticate: "realm string" request header.

B.

On 16 May 2014, at 01:02, Jens Alfke <je...@couchbase.com> wrote:

> 
> On May 14, 2014, at 7:36 AM, Will Holcomb <wi...@dhappy.org> wrote:
> 
>> I have a couch server running and I am attempting to access it from a web
>> application server from port 80. I am having difficulty authenticating.
> 
> CouchDB doesn’t send a WWW-Authenticate header in the response when it returns a 401 status. There was some reason for doing this (having to do with clients accessing CouchDB from a web browser?) but it’s nonstandard and it really messes up a lot of HTTP client libraries.
> 
> The workaround is to edit your CouchDB config and add a new variable to the ‘httpd’ section, whose key is “WWW-Authenticate” and value is something like
> 	Basic realm="CouchDB"
> 
> And it gets worse! You have to do this workaround *every time CouchDB starts up* because it fails to persist the changed config properly — after relaunch the key will have changed to “www-authenticate” which doesn’t work.
> 
> Yes, I filed a bug on this. It’s really annoying.
> 
> —Jens


Re: authentication issues

Posted by Jens Alfke <je...@couchbase.com>.
On May 14, 2014, at 7:36 AM, Will Holcomb <wi...@dhappy.org> wrote:

> I have a couch server running and I am attempting to access it from a web
> application server from port 80. I am having difficulty authenticating.

CouchDB doesn’t send a WWW-Authenticate header in the response when it returns a 401 status. There was some reason for doing this (having to do with clients accessing CouchDB from a web browser?) but it’s nonstandard and it really messes up a lot of HTTP client libraries.

The workaround is to edit your CouchDB config and add a new variable to the ‘httpd’ section, whose key is “WWW-Authenticate” and value is something like
	Basic realm="CouchDB"

And it gets worse! You have to do this workaround *every time CouchDB starts up* because it fails to persist the changed config properly — after relaunch the key will have changed to “www-authenticate” which doesn’t work.

Yes, I filed a bug on this. It’s really annoying.

—Jens

Re: authentication issues

Posted by Stanley Iriele <si...@gmail.com>.
You don't need to keep re-sending your credentials. Also, the header is
set to HttpOnly, so you cannot access it from JavaScript land.
Try this or just remove your credentials:
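$.ajax({
    type: "GET",
    url: "/_session",
    contentType: "application/json",
    dataType: "json",
    async: false,
    success: function(data) {
        // userCtx.name is null when there is no authenticated session
        if (!data.userCtx.name) {
            alert("You get GTFO of here!");
        } else {
            name = data.userCtx.name;
        }
        //some kind of documentation bug?
    },
    // jQuery's option is "error", not "failure"
    error: function(jqXHR, textStatus, errorThrown) {
        alert(textStatus + ": " + errorThrown);
    }
});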


On Wed, May 14, 2014 at 7:36 AM, Will Holcomb <wi...@dhappy.org> wrote:

> I have a couch server running and I am attempting to access it from a web
> application server from port 80. I am having difficulty authenticating.
>
> The code I am using to test is:
>
> var host = 'http://localhost:5984'
> var url = host + "/wells/"
> var username = 'will'
> var password = 'secret'
>
> // Succeeds
> $.post(
>     host + "/_session",
>     { name: username, password: password },
>     function() {
>         console.log( 'cookie', document.cookie ) // doesn't include AuthSession
>         $.get( url ) // Fails 401 unauthorized
>     }
> )
>
> var hostParts = host.split( '://' ) // [ 'http', 'localhost:5984' ]
> var hostWithAuth = hostParts[0] + "://" + username + ":" + password + "@" + hostParts[1]
> $.get( hostWithAuth ) // Fails unauthorized, credentials removed from url
>
> // Fails unauthorized
> $.ajax( {
>     url: url,
>     username: username,
>     password: password,
>     success: function() {
>         console.log( arguments )
>     },
>     xhrFields: { withCredentials: true },
>     headers: {
>         Authorization: "Basic " + btoa( username + ":" + password )
>     }
> } )
>
> // Fails unauthorized
> var xmlHttp = new XMLHttpRequest()
> xmlHttp.open( 'GET', url, false, username, password )
> xmlHttp.send( null )
> console.log( xmlHttp.responseText )
>
> It seems as though my credentials are being removed when I try to pass them
> in the url and none of the other methods work.
>
> -Will
>