Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/05/18 08:19:47 UTC

[GitHub] [couchdb] jo opened a new issue #2892: Replicator authentication breaks if password contains @

jo opened a new issue #2892:
URL: https://github.com/apache/couchdb/issues/2892


   ## Description
   It looks like CouchDB 3.0 does not correctly handle replication URLs with credentials containing an `@` char. Other reserved characters do not seem to cause any problems, though.
   
   The correct way for basic auth urls is to percent encode (e.g. using encodeURIComponent()) the credential part, see [chapter 2 of the URI RFC](http://www.faqs.org/rfcs/rfc3986.html). For example, consider a username `bob@me.com` and a password `secure`, a basic auth url would look like this: `https://bob%40me.com:secure@example.com`.
   
   There are different ways to trigger replications, but I have only tested the issue with the classic `_replicate` endpoint. Here we post a JSON specifying the replication, eg:
   
   ```json
   {
     "source": "https://couch.example.com/my-db",
     "target": "https://anothercouch.example.com/another-db"
   }
   ```
   
   If the databases are protected, we can use basic authentication:
   
   ```json
   {
     "source": "https://alice:password@couch.example.com/my-db",
     "target": "https://bob:password@anothercouch.example.com/another-db"
   }
   ```
   
   And this is where we were hit. Now our password contained an @ char, for example p@ssword. The correct way to supply the password would be:
   
   ```json
   {
     "source": "https://alice:password@couch.example.com/my-db",
     "target": "https://bob:p%40ssword@anothercouch.example.com/another-db"
   }
   ```
   
   We can circumvent this problem by using the object syntax for replication source and target:
   
   ```json
   {
     "source": {
       "url": "https://couch.example.com/my-db",
       "headers": {
         "Authorization": "Basic YWxpY2U6cGFzc3dvcmQ="
       }
     },
     "target": {
       "url":  "https://anothercouch.example.com/another-db",
       "headers": {
         "Authorization": "Basic Ym9iOnBAc3N3b3Jk"
       }
     }
   }
   ```
   
   The Authorization headers include the base64 encoded credential string like the usual Basic auth header:
   
   ```sh
   echo -n "alice:password" | base64
   echo -n "bob:p@ssword" | base64
   ```
   
   ## Steps to Reproduce
   
   ### Start a couch. I used Docker for this:
   ```sh
   docker run --rm -p 5984:5984 --name couchdb -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=admin couchdb:3.0
   ```
   and set `COUCHDB_ADMIN_URL` environment variable including admin credentials for convenience:
   
   ```sh
   export COUCHDB_ADMIN_URL="http://admin:admin@localhost:5984"
   ```
   
   ### Configure an admin user containing `@` char:
   ```sh
   curl -XPUT "$COUCHDB_ADMIN_URL/_node/nonode@nohost/_config/admins/bob" -d '"p@ssword"'
   ```
   ### Create a db to replicate
   
   ```sh
   curl -XPUT "$COUCHDB_ADMIN_URL/alice-db"
   ```
   
   ### Issue replication
   ```sh
   curl -XPOST "$COUCHDB_ADMIN_URL/_replicate"  \
     -H 'Content-Type:application/json' \
     -d "{\"source\": \"$COUCHDB_ADMIN_URL/alice-db\", \"target\": \"http://bob:p%40ssword@localhost:5984/alice-db-copy-for-bob\", \"create_target\": true }"
   ```
   replication fails with 
   
   ```
   {"error":"replication_auth_error","reason":"{session_request_unauthorized,\"http://localhost:5984/_session\",\"bob\"}"}
   ```
   
   ## Expected Behaviour
   * URLs provided in replication requests should support basic authentication even if special chars like `@` are used, in which case the credentials part should be percent encoded.
   
   ## Your Environment
   * CouchDB version used: 3.0.0


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb] wohali commented on issue #2892: Replicator authentication breaks if password contains @

Posted by GitBox <gi...@apache.org>.
wohali commented on issue #2892:
URL: https://github.com/apache/couchdb/issues/2892#issuecomment-630340004


   Hi @jo ,
   
   A workaround (for now) is to create the replication using the Basic authentication header in your replication document, instead of specifying the credentials in the URL.
   
   This is just a workaround, we need to determine if this is a regression or not and resolve the issue. Just want to get you on your way :)
   
   The source and target properties can be urls, or they can be a json object with `{"url": "url in here", "headers": {"header1": "value1", ...}}` properties. You could specify a `Bearer` or `Authorization` header in there.





[GitHub] [couchdb] nickva closed issue #2892: Replicator authentication breaks if password contains @

Posted by GitBox <gi...@apache.org>.
nickva closed issue #2892:
URL: https://github.com/apache/couchdb/issues/2892


   





[GitHub] [couchdb] nickva commented on issue #2892: Replicator authentication breaks if password contains @

Posted by GitBox <gi...@apache.org>.
nickva commented on issue #2892:
URL: https://github.com/apache/couchdb/issues/2892#issuecomment-968212229


   The fix for this is provided in https://github.com/apache/couchdb/commit/1860ebbf2fa1731a62f3c9b107b2e52811489c1e
   
   Documentation was updated as well: https://docs.couchdb.org/en/stable/replication/replicator.html?highlight=auth#specifying-usernames-and-passwords
   
   The preferred version is:
   
   ```
   {
       "target": {
           "url": "http://someurl.com/mydb",
           "auth": {
               "basic": {
                   "username": "$username",
                   "password": "$password"
                }
           }
       },
       ...
   }
   ```
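The following added example (not code from the issue, from CouchDB, or from any commenter) ties together the two points made in this thread: the issue body's reminder that the userinfo part of a URL is percent-encoded per RFC 3986 and that a Basic `Authorization` header is the base64 of `user:password`, and the preferred `auth.basic` object form from the comment above. It takes a replication endpoint written as a credential-bearing URL, splits the credentials off with the standard library's parser, and emits either the preferred `auth.basic` object (where the password is a plain JSON string and needs no encoding at all) or the header-based workaround. The URLs in the `main` block are the constructed ones from this thread; the function names are my own.

```python
"""Rewrite credential-bearing replication URLs into CouchDB's object forms.

Constructed example for this issue thread; not part of the CouchDB code base.
"""
import base64
import json
from urllib.parse import unquote, urlsplit, urlunsplit


def split_credentials(url: str):
    """Return (bare_url, username, password) for a URL whose userinfo may be
    percent-encoded, e.g. 'http://bob:p%40ssword@host/db' -> password 'p@ssword'.

    urlsplit() separates userinfo from the host but leaves it percent-encoded,
    so the pieces are decoded here as RFC 3986 section 3.2.1 requires."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None, None
    username = unquote(parts.username)
    password = unquote(parts.password or "")
    # Rebuild the authority without userinfo, keeping host and explicit port.
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    bare = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return bare, username, password


def basic_header(username: str, password: str) -> str:
    """Authorization header value for HTTP Basic auth: base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def to_auth_object(url: str) -> dict:
    """Preferred form from the documentation linked above: credentials are plain
    JSON strings under auth.basic, so no URL or header encoding is involved."""
    bare, user, pw = split_credentials(url)
    if user is None:
        return {"url": bare}
    return {"url": bare, "auth": {"basic": {"username": user, "password": pw}}}


def to_headers_object(url: str) -> dict:
    """Workaround form discussed in the thread: explicit Authorization header."""
    bare, user, pw = split_credentials(url)
    if user is None:
        return {"url": bare}
    return {"url": bare, "headers": {"Authorization": basic_header(user, pw)}}


def build_replication_body(source: str, target: str,
                           create_target: bool = False,
                           preferred: bool = True) -> dict:
    """Build the JSON body for POST /_replicate with both endpoints converted."""
    convert = to_auth_object if preferred else to_headers_object
    body = {"source": convert(source), "target": convert(target)}
    if create_target:
        body["create_target"] = True
    return body


if __name__ == "__main__":
    # The constructed endpoints used in the reproduction steps of this issue.
    src = "http://admin:admin@localhost:5984/alice-db"
    dst = "http://bob:p%40ssword@localhost:5984/alice-db-copy-for-bob"
    print(json.dumps(build_replication_body(src, dst, create_target=True), indent=2))
    print(json.dumps(build_replication_body(src, dst, create_target=True,
                                            preferred=False), indent=2))
```

One caveat worth knowing when reading the split: Python's `urlsplit()` separates userinfo from the host at the last `@`, so it happens to tolerate an unencoded `@` in the password as well. That is a property of one parser, not something the URI grammar guarantees, which is exactly why the credentials should be percent-encoded in the URL form or, better, passed as plain strings in the `auth.basic` object where no encoding question arises.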

