Posted to user@couchdb.apache.org by Will Holcomb <wi...@dhappy.org> on 2014/05/14 16:36:24 UTC
authentication issues
I have a couch server running and I am attempting to access it from a web
application server from port 80. I am having difficulty authenticating.
The code I am using to test is:
var host = 'http://localhost:5984'
var url = host + "/wells/"
var username = 'will'
var password = 'secret'

// Succeeds
$.post(
  host + "/_session",
  { name: username, password: password },
  function() {
    console.log( 'cookie', document.cookie ) // doesn't include AuthSession
    $.get( url ) // Fails 401 unauthorized
  }
)

var hostParts = host.split( '://' ) // [ 'http', 'localhost:5984' ]
var hostWithAuth = hostParts[0] + "://" + username + ":" + password + "@" +
  hostParts[1]
$.get( hostWithAuth ) // Fails unauthorized, credentials removed from url

// Fails unauthorized
$.ajax( {
  url: url,
  username: username,
  password: password,
  success: function() {
    console.log( arguments )
  },
  xhrFields: { withCredentials: true },
  headers: {
    Authorization: "Basic " + btoa( username + ":" + password )
  }
} )

// Fails unauthorized
var xmlHttp = new XMLHttpRequest()
xmlHttp.open( 'GET', url, false, username, password )
xmlHttp.send( null )
console.log( xmlHttp.responseText )

It seems as though my credentials are being removed when I try to pass them
in the url and none of the other methods work.
-Will
Re: authentication issues
Posted by Robert Samuel Newson <rn...@apache.org>.
Jens,
Config changes are persistent, but it sounds like you’re editing the file underneath couch rather than using /_config -X PUT.
The reason we don’t send this header is to avoid the modal dialog prompt that user agents present when they see that header. Instead, we send a 301 redirect to a (configurable) login page. If your Accept header includes text/html, that is. If it doesn’t, we serve a 'proper' response, since we reason you are a machine or library and not a user agent.
B.
On 16 May 2014, at 01:02, Jens Alfke <je...@couchbase.com> wrote:
>
> On May 14, 2014, at 7:36 AM, Will Holcomb <wi...@dhappy.org> wrote:
>
>> I have a couch server running and I am attempting to access it from a web
>> application server from port 80. I am having difficulty authenticating.
>
> CouchDB doesn’t send a WWW-Authenticate header in the response when it returns a 401 status. There was some reason for doing this (having to do with clients accessing CouchDB from a web browser?) but it’s nonstandard and it really messes up a lot of HTTP client libraries.
>
> The workaround is to edit your CouchDB config and add a new variable to the ‘httpd’ section, whose key is “WWW-Authenticate” and value is something like
> Basic realm="CouchDB"
>
> And it gets worse! You have to do this workaround *every time CouchDB starts up* because it fails to persist the changed config properly — after relaunch the key will have changed to “www-authenticate” which doesn’t work.
>
> Yes, I filed a bug on this. It’s really annoying.
>
> —Jens
Re: authentication issues
Posted by Robert Samuel Newson <rn...@apache.org>.
You can ask it to with an X-CouchDB-WWW-Authenticate: "realm string" request header.
B.
Re: authentication issues
Posted by Jens Alfke <je...@couchbase.com>.
On May 14, 2014, at 7:36 AM, Will Holcomb <wi...@dhappy.org> wrote:
> I have a couch server running and I am attempting to access it from a web
> application server from port 80. I am having difficulty authenticating.
CouchDB doesn’t send a WWW-Authenticate header in the response when it returns a 401 status. There was some reason for doing this (having to do with clients accessing CouchDB from a web browser?) but it’s nonstandard and it really messes up a lot of HTTP client libraries.
The workaround is to edit your CouchDB config and add a new variable to the ‘httpd’ section, whose key is “WWW-Authenticate” and value is something like
Basic realm="CouchDB"
And it gets worse! You have to do this workaround *every time CouchDB starts up* because it fails to persist the changed config properly — after relaunch the key will have changed to “www-authenticate” which doesn’t work.
Yes, I filed a bug on this. It’s really annoying.
—Jens
Re: authentication issues
Posted by Stanley Iriele <si...@gmail.com>.
You don't need to keep re-sending your credentials... also, the header is
set to HttpOnly so you cannot access it from JavaScript land.
Try this or just remove your credentials:
$.ajax({
  type: "GET",
  url: "/_session",
  contentType: "application/json",
  dataType: "json",
  async: false,
  success: function(data){
    if (!data.userCtx.name){
      alert("You get GTFO of here!");
    }else{
      name=data.userCtx.name;
    }
    //some kind of documentation bug?
  },
  // jQuery's option for the failure callback is `error`, not `failure`
  error: function(jqXHR, textStatus){
    alert(textStatus);
  }
});
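
Added example, not part of the original thread or of CouchDB's code: it shows why document.cookie does not list AuthSession after a successful POST to /_session (the cookie is HttpOnly) while the browser still sends it, together with the GET /_session check on userCtx.name from the reply above. The Set-Cookie strings, the "theme" cookie and the JSON bodies are constructed sample data, and the function names are hypothetical.

```javascript
// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed Set-Cookie: ' + header);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags such as HttpOnly have no value.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// What page script sees in document.cookie: HttpOnly cookies are left out.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => c.name + '=' + c.value).join('; ');
}

// What the browser attaches as the Cookie request header: HttpOnly cookies
// are included. Path, domain and expiry matching are omitted here.
function cookieRequestHeader(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie)
    .map((c) => c.name + '=' + c.value).join('; ');
}

// Login check as in the reply above: read userCtx.name from GET /_session.
function sessionUser(sessionBody) {
  const ctx = JSON.parse(sessionBody).userCtx;
  return ctx && ctx.name ? ctx.name : null;
}

// Constructed sample data (token, "theme" cookie and bodies are made up).
const sampleHeaders = [
  'AuthSession=CONSTRUCTED-TOKEN; Version=1; Path=/; HttpOnly',
  'theme=dark; Path=/',
];
const loggedIn = '{"ok":true,"userCtx":{"name":"will","roles":[]}}';
const anonymous = '{"ok":true,"userCtx":{"name":null,"roles":[]}}';

console.log('document.cookie:', JSON.stringify(scriptVisibleCookies(sampleHeaders)));
console.log('Cookie header:  ', cookieRequestHeader(sampleHeaders));
console.log('session user:   ', sessionUser(loggedIn), '/', sessionUser(anonymous));
```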