Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2020/09/25 07:39:49 UTC

[GitHub] [couchdb] jmichiel opened a new issue #3176: JWT auth doesn't take roles into account

jmichiel opened a new issue #3176:
URL: https://github.com/apache/couchdb/issues/3176


   ## Description
   
   I have a CouchDB v3.1.0 set up to use JWT auth. It works if the user is a member of the database. However, if the user is not a member but has a member role, all access is denied.
   
   ## Steps to Reproduce
   
   This is the `_security` object of my db:
   
   ```json
   {"members":{"roles":["_admin","firmwares:editor","firmwares:viewer"],"names":[]},"admins":{"roles":["_admin"]}}
   ```
   
   This is the user object:
   
   ```json
   {"_id":"org.couchdb.user:test","_rev":"6-88c30f6d01f94819121a9a224b956173","name":"test","roles":["firmwares:viewer"],"type":"user"}
   ```
   
   I know the roles specified here don't matter for JWT: they have to be inserted in the JWT with the `_couchdb.roles` attribute, but my JWT generator will use those roles.
   The user does NOT have a password, so only JWT auth is possible for this user (auth for getting a JWT is done elsewhere).
   
   This is the `_session` object for that user, using a valid JWT:
   
   ```
   $ curl -k https://$HOST/_session -H "Authorization: $TOKEN"
   {"ok":true,"userCtx":{"name":"test","roles":["firmwares.viewer"]},"info":{"authentication_handlers":["cookie","jwt","default"],"authenticated":"jwt"}}
   ```
   
   So the server clearly understood the JWT and applied the role.
   
   However, trying to access the db, I get:
   
   ```
   $ curl -k https://$HOST/firmwares -H "Authorization: $TOKEN"
   {"error":"forbidden","reason":"You are not allowed to access this db."}
   ```
   
   If I try with another user with the same roles, but with a password and NOT using a JWT, it works:
   
   ```
   $ curl -k https://test2:test2@$HOST/firmwares
   {"db_name":"firmwares","purge_seq":"0-g1AAAABXeJzLYWBgYMpgTmEQTM4vTc5ISXIwNDLXMwBCwxyQVB4LkGRoAFL_gSArkQGP2kSGpHqIoiwAtOgYRA","update_seq":"45-g1AAAABXeJzLYWBgYMpgTmEQTM4vTc5ISXIwNDLXMwBCwxyQVB4LkGRoAFL_gSArUR6P2kSGpHqwIr4sALm9GHE","sizes":{"file":162992540,"external":162058620,"active":162130012},"props":{},"doc_del_count":3,"doc_count":4,"disk_format_version":8,"compact_running":false,"cluster":{"q":2,"n":1,"w":1,"r":1},"instance_start_time":"0"}
   ```
   
   ## Expected Behaviour
   
   It should behave the exact same in both cases.
   
   ## Your Environment
   
   * CouchDB version used: 3.1.0
   
   ```json
   {"couchdb":"Welcome","version":"3.1.0","git_sha":"ff0feea20","uuid":"97a60c1bdc82e14be90cc6a169fc671a","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
   ```
   
   * Operating system and version: Ubuntu 18.04 LTS
   
   ## Additional Context
   
   I also have a validate_doc_update configured on the DB to enforce the roles, but since this only triggers on writes, this shouldn't interfere.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [couchdb] jmichiel edited a comment on issue #3176: JWT auth doesn't take roles into account

Posted by GitBox <gi...@apache.org>.
jmichiel edited a comment on issue #3176:
URL: https://github.com/apache/couchdb/issues/3176#issuecomment-698778159


   And just after posting, I immediately spotted my own stupid mistake: the role in the JWT is 'firmwares.viewer' and not 'firmwares:viewer'... (my JWT generation code was still hard-coded at that point). I spent over an hour looking at my code yesterday and couldn't find anything wrong with it...
   Sorry about that, feel free to delete.


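The root cause the reporter found (a token carrying `firmwares.viewer` while the `_security` object grants `firmwares:viewer`) is the kind of mismatch that is invisible in a `_session` response but easy to catch mechanically. The script below is an added example written for this thread; it is not CouchDB code and not the reporter's JWT generator. It builds a constructed HS256 JWT with a `_couchdb.roles` claim, verifies and decodes it, derives the userCtx the way CouchDB's JWT handler does (`sub` for the name, `_couchdb.roles` for the roles), applies the documented `_security` membership rule, and lists roles that differ from a granted role only by punctuation or case. The `_security` object is the one from the issue; the signing secret, the sample claims and all function names are assumptions made for the example.

```python
"""Diagnose JWT role mismatches against a CouchDB _security object.

Added example for apache/couchdb issue #3176; not CouchDB's own code.
Membership rule mirrors the documented _security semantics:
  - server admins (role "_admin") and database admins always pass;
  - an empty members section (no names, no roles) lets everyone read;
  - otherwise the user's name must be in members.names or one of the
    user's roles must be in members.roles.
"""
import base64
import hashlib
import hmac
import json
import re

# _security object copied from the issue; everything else is constructed.
SECURITY = {
    "members": {"roles": ["_admin", "firmwares:editor", "firmwares:viewer"], "names": []},
    "admins": {"roles": ["_admin"]},
}
DEMO_SECRET = b"demo-hmac-secret-placeholder"  # constructed, not a real key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint a minimal HS256 JWT; only used to produce test input here."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256_claims(token: str, secret: bytes) -> dict:
    """Return the claims only if the token is HS256 and its MAC verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def user_ctx_from_claims(claims: dict) -> dict:
    """CouchDB's JWT handler takes the name from `sub`, roles from `_couchdb.roles`."""
    return {"name": claims.get("sub"), "roles": list(claims.get("_couchdb.roles", []))}


def has_access(security: dict, user_ctx: dict) -> bool:
    """Apply the _security membership rule described in the module docstring."""
    name, roles = user_ctx["name"], set(user_ctx["roles"])
    if "_admin" in roles:
        return True
    admins = security.get("admins", {})
    if name in admins.get("names", []) or roles & set(admins.get("roles", [])):
        return True
    members = security.get("members", {})
    m_names, m_roles = members.get("names", []), members.get("roles", [])
    if not m_names and not m_roles:
        return True
    return name in m_names or bool(roles & set(m_roles))


def near_misses(security: dict, user_ctx: dict) -> list:
    """Roles in the token that match a granted role except for punctuation or case,
    e.g. 'firmwares.viewer' vs 'firmwares:viewer'. Returns (token_role, granted_role) pairs."""
    canon = lambda r: re.sub(r"[^a-z0-9]", "", r.lower())
    granted = {}
    for section in ("members", "admins"):
        for r in security.get(section, {}).get("roles", []):
            granted.setdefault(canon(r), r)
    return [(r, granted[canon(r)]) for r in user_ctx["roles"]
            if canon(r) in granted and granted[canon(r)] != r]


if __name__ == "__main__":
    for roles in (["firmwares.viewer"], ["firmwares:viewer"]):
        token = make_hs256_token({"sub": "test", "_couchdb.roles": roles}, DEMO_SECRET)
        ctx = user_ctx_from_claims(verify_hs256_claims(token, DEMO_SECRET))
        verdict = "allowed" if has_access(SECURITY, ctx) else "forbidden"
        print(ctx, verdict, "near misses:", near_misses(SECURITY, ctx))
```

Running it prints `forbidden` for the dotted role together with the near-miss pair, and `allowed` for the colon-separated one; pointing `SECURITY` at a real `GET /db/_security` response and `ctx` at a real `GET /_session` `userCtx` turns it into a quick check for the same class of typo in a deployment.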
[GitHub] [couchdb] jmichiel closed issue #3176: JWT auth doesn't take roles into account

Posted by GitBox <gi...@apache.org>.
jmichiel closed issue #3176:
URL: https://github.com/apache/couchdb/issues/3176

