Posted to user@couchdb.apache.org by Jens Alfke <je...@couchbase.com> on 2011/11/11 01:46:02 UTC

/_session doesn't respond correctly to missing authorization

CouchDB’s _session endpoint is violating the HTTP 1.1 spec in the way it responds when not given a valid username/password.

Here’s what RFC 2616 says:
> 10.4.2 401 Unauthorized
> The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

Note the “MUST”. Here’s what CouchDB does when there’s no Authorization header in the request:
> $ curl -i -X POST http://localhost:5984/_session
> HTTP/1.1 401 Unauthorized
> Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly
> Server: CouchDB/1.2.0a-b11df55-git (Erlang OTP/R14B01)
> Date: Fri, 11 Nov 2011 00:36:22 GMT
> Content-Type: text/plain;charset=utf-8
> Content-Length: 67
> Cache-Control: must-revalidate
> 
> {"error":"unauthorized","reason":"Name or password is incorrect."}

No "WWW-Authenticate" header. :(

Why is this bad? It’s preventing Cocoa’s NSURLConnection class (on Mac and iOS) from treating this as a valid authentication challenge, so it doesn’t ask the delegate to provide the username/password. This is preventing me from being able to authenticate successfully using this API. (No, manually adding an Authorization: header doesn’t work. I believe NSURLConnection removes these from the input since it manages authorization itself.)

—Jens

Re: /_session doesn't respond correctly to missing authorization

Posted by Marcello Nuccio <ma...@gmail.com>.
There's already a ticket: https://issues.apache.org/jira/browse/COUCHDB-1175

Marcello ;-)


2011/11/11 Jason Smith <jh...@iriscouch.com>:
> On Fri, Nov 11, 2011 at 7:46 AM, Jens Alfke <je...@couchbase.com> wrote:
>> CouchDB’s _session endpoint is violating the HTTP 1.1 spec in the way it responds when not given a valid username/password.
>>
>> Here’s what RFC 2616 says:
>>> 10.4.2 401 Unauthorized
>>> The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
>
> Interesting. What is the link to the JIRA ticket you created about this? :p
>
> You can work around this in the meantime by setting whatever header
> value you want in /_config/httpd/WWW-Authenticate. It will appear in
> your 401s.
>
> --
> Iris Couch
>

Re: /_session doesn't respond correctly to missing authorization

Posted by Robert Newson <rn...@apache.org>.
This deviation is deliberate. The reason we don't send it by default
is that the popup dialog cannot be controlled or styled, and the
browser's rendering is considered unacceptable.

There's a setting, described in the stock local.ini, that adds it;

; Uncomment next line to trigger basic-auth popup on unauthorized requests.
;WWW-Authenticate = Basic realm="administrator"

B.

On 11 November 2011 01:10, Jason Smith <jh...@iriscouch.com> wrote:
> On Fri, Nov 11, 2011 at 7:46 AM, Jens Alfke <je...@couchbase.com> wrote:
>> CouchDB’s _session endpoint is violating the HTTP 1.1 spec in the way it responds when not given a valid username/password.
>>
>> Here’s what RFC 2616 says:
>>> 10.4.2 401 Unauthorized
>>> The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
>
> Interesting. What is the link to the JIRA ticket you created about this? :p
>
> You can work around this in the meantime by setting whatever header
> value you want in /_config/httpd/WWW-Authenticate. It will appear in
> your 401s.
>
> --
> Iris Couch
>

Re: /_session doesn't respond correctly to missing authorization

Posted by Jason Smith <jh...@iriscouch.com>.
On Fri, Nov 11, 2011 at 7:46 AM, Jens Alfke <je...@couchbase.com> wrote:
> CouchDB’s _session endpoint is violating the HTTP 1.1 spec in the way it responds when not given a valid username/password.
>
> Here’s what RFC 2616 says:
>> 10.4.2 401 Unauthorized
>> The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

Interesting. What is the link to the JIRA ticket you created about this? :p

You can work around this in the meantime by setting whatever header
value you want in /_config/httpd/WWW-Authenticate. It will appear in
your 401s.

-- 
Iris Couch