Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/03/22 17:01:21 UTC

[GitHub] eiri opened a new pull request #1230: Validate password_scheme in user doc

URL: https://github.com/apache/couchdb/pull/1230
 
 
   ## Overview
   
   We allow specifying `password_scheme` in a user doc, but never check that it is one of the supported types. As a result, it is possible to successfully create a user that would throw error 500 on an access attempt.
   
   ```bash
   $ curl -X PUT http://localhost:15984/_users/org.couchdb.user:wooser -d'{"name":"wooser", "roles":[], "derived_key":"0123456789acbdef", "iterations":10, "salt":"heteronym", "password_sha":"alalalalalalalalala", "password_scheme":"wooser", "type":"user"}'
   {"ok":true,"id":"org.couchdb.user:wooser","rev":"1-65c51dd556a8b03f040309e87308eda1"}
   
   $ curl http://localhost:15984/_users/org.couchdb.user:wooser -u wooser:wooser
   {"error":"case_clause","reason":"wooser","ref":17603030}
   ```
   
   ## Testing recommendations
   
   With this patch, the validator should output a proper warning:
   
   ```bash
   $ curl -X PUT http://localhost:15984/_users/org.couchdb.user:wooser -d'{"name":"wooser", "roles":[], "derived_key":"0123456789acbdef", "iterations":10, "salt":"heteronym", "password_sha":"alalalalalalalalala", "password_scheme":"wooser", "type":"user"}'
   {"error":"forbidden","reason":"Password scheme `wooser` not supported."}
   ```
   
   ## Checklist
   
   - [x] Code is written and works correctly;
   - [ ] Changes are covered by tests;
   - [ ] Documentation reflects the changes;
   

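The write-time check described in the pull request above, sketched as an added example that is not part of the pull request or CouchDB's own validator. It uses the `validate_doc_update` signature; the `SUPPORTED_SCHEMES` list and the `simulateWrite` harness are assumptions made for illustration, and the sample documents are constructed.

```javascript
// Assumption: the schemes the server can verify at login time.
// A Set avoids false matches on inherited keys such as "constructor".
const SUPPORTED_SCHEMES = new Set(["simple", "pbkdf2"]);

// Same signature as a CouchDB validate_doc_update function.
// Rejecting here turns the later login-time 500 into a write-time 403.
function validateUserDoc(newDoc, oldDoc, userCtx, secObj) {
  if (newDoc._deleted || newDoc.type !== "user") return;
  const scheme = newDoc.password_scheme;
  // A doc carrying only a plaintext `password` has no scheme yet.
  if (scheme === undefined) return;
  // Reject non-strings too, so ["pbkdf2"] or {} cannot slip through.
  if (typeof scheme !== "string" || !SUPPORTED_SCHEMES.has(scheme)) {
    throw { forbidden: "Password scheme `" + scheme + "` not supported." };
  }
}

// Hypothetical harness: maps a thrown {forbidden: ...} to the JSON body
// a client would receive, mirroring the responses quoted above.
function simulateWrite(doc) {
  try {
    validateUserDoc(doc, null, { name: null, roles: [] }, {});
    return { ok: true, id: doc._id };
  } catch (e) {
    if (e && e.forbidden) return { error: "forbidden", reason: e.forbidden };
    throw e; // anything else is a bug in the validator itself
  }
}

// Constructed sample documents.
const base = { _id: "org.couchdb.user:wooser", name: "wooser", roles: [], type: "user" };
const samples = {
  bogus: simulateWrite({ ...base, password_scheme: "wooser" }),
  inherited: simulateWrite({ ...base, password_scheme: "constructor" }),
  nonString: simulateWrite({ ...base, password_scheme: ["pbkdf2"] }),
  valid: simulateWrite({ ...base, password_scheme: "pbkdf2" }),
  plaintextOnly: simulateWrite({ ...base, password: "s3cret" }),
};

console.log(JSON.stringify(samples, null, 2));
```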