Posted to dev@couchdb.apache.org by "Isaac Z. Schlueter (JIRA)" <ji...@apache.org> on 2010/11/28 23:29:43 UTC
[jira] Created: (COUCHDB-969) Basic Auth fails when : is present in password
Basic Auth fails when : is present in password
----------------------------------------------
Key: COUCHDB-969
URL: https://issues.apache.org/jira/browse/COUCHDB-969
Project: CouchDB
Issue Type: Bug
Components: HTTP Interface
Affects Versions: 1.0.1
Reporter: Isaac Z. Schlueter
To reproduce:
1. Create a new user "testfunkychars" with password "12:12"
2. Logging in as this user in futon works, and will show up as "testfunkychars" in the userCtx in a validate_doc_update function.
3. Presenting a header of "Authorization: Basic dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=" does not work, and shows up as "null" in userCtx.
According to the RFC 2617, the proper way to supply a Basic authorization header is:
Authorization: Basic [basic-credentials]
where [basic-credentials] is the base64 of userid + ":" + pass, where userid is *<TEXT except ":"> and pass is *<TEXT>.
Thus, the proper way to construct this header is:
echo -n "testfunkychars:12:12" | base64
which outputs: dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=.
The only way to log in, however, is to POST the data to /_session, and then supply the cookie.
For now, rather than add the complexity of cookie and session management to my application, I will simply not allow : characters in passwords. It would be better if couchdb handled : characters in passwords.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (COUCHDB-969) Basic Auth fails when : is present in password
Posted by "Benoit Chesneau (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988027#action_12988027 ]
Benoit Chesneau commented on COUCHDB-969:
-----------------------------------------
Are you URL-encoding your password? It shouldn't be encoded if you provided it non-encoded.
[jira] Commented: (COUCHDB-969) Basic Auth fails when : is present in password
Posted by "Isaac Z. Schlueter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12964603#action_12964603 ]
Isaac Z. Schlueter commented on COUCHDB-969:
--------------------------------------------
More data:
I tried sending this header via curl using -H "Authorization: Basic <hash>", as well as -u "testfunkychars:12:12" and watched with a packet sniffer to see what headers were actually being sent.
[jira] Resolved: (COUCHDB-969) Basic Auth fails when : is present in password
Posted by "Robert Newson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-969?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Newson resolved COUCHDB-969.
-----------------------------------
Resolution: Fixed
[jira] Commented: (COUCHDB-969) Basic Auth fails when : is present in password
Posted by "Isaac Z. Schlueter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988168#action_12988168 ]
Isaac Z. Schlueter commented on COUCHDB-969:
--------------------------------------------
As I mentioned in the comments, if I urlencode the password, it (correctly) says that the password is incorrect. However, if I provide the password properly, then the userCtx object is not correctly populated in the validate_doc_update.
[jira] Updated: (COUCHDB-969) Basic Auth fails when : is present in password
Posted by "Robert Newson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-969?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Newson updated COUCHDB-969:
----------------------------------
Fix Version/s: 1.1, 1.0.3
[jira] Assigned: (COUCHDB-969) Basic Auth fails when : is present in password
Posted by "Robert Newson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-969?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Newson reassigned COUCHDB-969:
-------------------------------------
Assignee: Robert Newson
[jira] Commented: (COUCHDB-969) Basic Auth fails when : is present in password
Posted by "Robert Newson (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988182#action_12988182 ]
Robert Newson commented on COUCHDB-969:
---------------------------------------
It's this:
    case string:tokens(?b2l(base64:decode(Base64Value)),":")
The password becomes two tokens and then falls into the
    _ ->
        nil
clause.
Will fix soon.
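The parsing difference diagnosed in the comment above, as an added example in Erlang that is not CouchDB's own code. The module and function names are hypothetical, only the two-token and catch-all clauses of the tokenizing approach are modelled, and the "user::pw" input is constructed to show that tokenizing also drops empty fields.

```erlang
-module(basic_auth_split).
-export([tokens_parse/1, first_colon_parse/1, demo/0]).

%% Added example; module and function names are hypothetical.

%% Decode the base64 part of "Authorization: Basic <value>".
%% Malformed base64 gives 'error' instead of crashing the caller.
decode(Base64Value) ->
    try
        {ok, binary_to_list(base64:decode(Base64Value))}
    catch
        error:_ -> error
    end.

%% Tokenizing on ":" as in the line quoted in the thread. Only the
%% [User, Pass] and catch-all clauses are modelled here.
tokens_parse(Base64Value) ->
    case decode(Base64Value) of
        {ok, Creds} ->
            case string:tokens(Creds, ":") of
                [User, Pass] -> {User, Pass};
                _ -> nil
            end;
        error -> nil
    end.

%% RFC 2617: userid has no ":", so only the first ":" is a separator.
first_colon_parse(Base64Value) ->
    case decode(Base64Value) of
        {ok, Creds} ->
            case lists:splitwith(fun(C) -> C =/= $: end, Creds) of
                {User, [$: | Pass]} -> {User, Pass};
                {_, []} -> nil          % no ":" at all
            end;
        error -> nil
    end.

demo() ->
    Reported = "dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=",   % header value from the report
    nil = tokens_parse(Reported),                 % three tokens, rejected
    {"testfunkychars", "12:12"} = first_colon_parse(Reported),
    %% Constructed input: a password that starts with ":".
    Lead = base64:encode_to_string("user::pw"),
    {"user", "pw"} = tokens_parse(Lead),          % empty token dropped: wrong password
    {"user", ":pw"} = first_colon_parse(Lead),
    nil = first_colon_parse("not base64!"),       % malformed header value
    ok.
```

Compile with erlc and call basic_auth_split:demo() from the Erlang shell; it returns ok when every match holds.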
[jira] Commented: (COUCHDB-969) Basic Auth fails when : is present in password
Posted by "Isaac Z. Schlueter (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/COUCHDB-969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12964605#action_12964605 ]
Isaac Z. Schlueter commented on COUCHDB-969:
--------------------------------------------
Even more data:
When supplying credentials as "testfunkychars:12%3A12" it says that the username and password are incorrect. However, when supplying the correct credentials, it lets me in, but fails when it hits the validate_doc_update.
So, it's as if the login succeeds, but somehow gets mangled before getting to the js functions.