Couchdb: Cookie-only, no-basic-auth "require_valid_user=true" (except for /_session)

Created on 27 Feb 2019  路  9Comments  路  Source: apache/couchdb

Summary

If you enable require_valid_user=true then the first request to CouchDB needs a Basic-Auth Header in the request. So, if you want to retrieve a Auth-Cookie from the /_session endpoint, you need to add the Basic-Auth Header (for the first request) and then add additional body request header {"username": "user","password": "pass"}.

Desired Behaviour

It should be possible to have the feature of require_valid_user=true and only use Cookie-Auth (from the beginning of the request routes) without the first Basic-Auth step.

enhancement

Most helpful comment

I think this falls under the general theme of #2191, happy to add it.

All 9 comments

How would you get the cookie in the first place?

How would you get the cookie in the first place?

Sorry, but I don't know.

As I understand, the meaning of require_valid_user is to protect all request by default. So you can't access /, _all_dbs, etc. without Basic-Auth. Why is this not the default behavior for Cookie-Auth? Restrict all access and if you do a POST request to /_session with the correct credentials, you will get the cookie and are allowed to access these "global" endpoints.

Is it correct to summarise your enhancement request as wanting a new mode in which:

  • Access to /_session can be performed with Basic authentication to obtain a cookie, and
  • Cookie access is mandatory for all other access

Is this right?

No, not really.

  • required_valid_user=true to protect all endpoints
  • don't need a basic auth for the first request. Start with the first request against /_session (with cookie auth) to obtain the cookie and then access all allowed endpoints.

Is that understandable what I mean?

No, because you can't get the cookie from /_session if you require a cookie to access it in the first place. That's a Catch-22.

Ok, maybe i didn't explain it good enough.

What is the actual behavior (require_valid_user=true):

  1. All endpoints are protected.
  2. (1st request) Send a POST request to /_session WITH an Authorization Header (Basic Auth).
  3. You get an Auth-Cookie.
  4. For the next requests, send the Auth-Cookie in the request to access the endpoints.

A desirable behavior (require_valid_user=true):

  1. All endpoints are protected.
  2. (1st request) Send a POST request to /_session WITHOUT the need of an Authorization Header (Basic Auth).
  3. You get an Auth-Cookie.
  4. For the next requests, send the Auth-Cookie in the request to access the endpoints.

Is this technically possible in principle or do I overlook technical details that prevent this behavior?

Got it - this is an enhancement request.

It would be good to have this fix, it is really unexpected that you are required to submit the same auth details twice (as a header and in the body) to get a session cookie when require_valid_user=true.

Given https://github.com/apache/couchdb/issues/1550 - with this change the replicator would also stop falling back to Basic auth when require_valid_user=true. That would be beneficial in cases where the PBKDF2 iterations are configured strongly and the session cookie has performance advantages over checking the basic creds on each request.

EDIT: it seems perhaps I misunderstood the fallback behaviour in the replicator, but regardless this would be a lot less burdensome if POST _session "just worked" when the body had the correct creds.

I think this falls under the general theme of #2191, happy to add it.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ghost picture ghost  路  5Comments

andrasbacsai picture andrasbacsai  路  5Comments

maciozo picture maciozo  路  5Comments

mtabb13 picture mtabb13  路  5Comments

JohnOllhorn picture JohnOllhorn  路  5Comments