If you enable require_valid_user=true then the first request to CouchDB needs a Basic-Auth Header in the request. So, if you want to retrieve an Auth-Cookie from the /_session endpoint, you need to add the Basic-Auth Header (for the first request) and then add the additional request body {"username": "user","password": "pass"}.
It should be possible to have the feature of require_valid_user=true and only use Cookie-Auth (from the beginning of the request routes) without the first Basic-Auth step.
How would you get the cookie in the first place?
How would you get the cookie in the first place?
Sorry, but I don't know.
As I understand, the meaning of require_valid_user is to protect all requests by default. So you can't access /, _all_dbs, etc. without Basic-Auth. Why is this not the default behavior for Cookie-Auth? Restrict all access and if you do a POST request to /_session with the correct credentials, you will get the cookie and are allowed to access these "global" endpoints.
Is it correct to summarise your enhancement request as wanting a new mode in which:
Is this right?
No, not really.
require_valid_user=true to protect all endpoints
/_session (with cookie auth) to obtain the cookie and then access all allowed endpoints.
Is what I mean understandable?
No, because you can't get the cookie from /_session if you require a cookie to access it in the first place. That's a Catch-22.
Ok, maybe I didn't explain it well enough.
What is the actual behavior (require_valid_user=true):
POST request to /_session WITH an Authorization Header (Basic Auth).
A desirable behavior (require_valid_user=true):
POST request to /_session WITHOUT the need of an Authorization Header (Basic Auth).
Is this technically possible in principle, or do I overlook technical details that prevent this behavior?
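The bootstrap exchange discussed above, as an added example in Python (not code from this thread or from CouchDB): it builds the POST /_session request, attaching the Basic header only for the require_valid_user=true case, extracts the AuthSession cookie from the response, and then uses only that cookie for later requests. The client functions and base_url are hypothetical; the JSON fields name/password are the ones CouchDB's /_session endpoint accepts.

```python
import base64
import json
import urllib.request
from http.cookies import SimpleCookie

# Hypothetical client illustrating the double-credential bootstrap from the thread.


def build_session_request(user, password, require_valid_user):
    """Return (headers, body) for POST /_session.

    With require_valid_user=true the server rejects the request unless it already
    carries valid credentials, so the same secret travels twice: once in the Basic
    Authorization header and again in the JSON body that /_session actually reads.
    With require_valid_user=false only the JSON body is needed.
    """
    body = json.dumps({"name": user, "password": password}).encode()
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if require_valid_user:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    return headers, body


def extract_auth_session(set_cookie_header):
    """Return the AuthSession cookie value from a Set-Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get("AuthSession")
    return morsel.value if morsel else None


def cookie_headers(auth_session):
    """Headers for every later request: the cookie replaces the Basic header,
    so the PBKDF2 password check runs once at login instead of per request."""
    return {"Cookie": "AuthSession=" + auth_session, "Accept": "application/json"}


def open_session(base_url, user, password, require_valid_user=True):
    """Perform the one-time bootstrap against a live server and return the cookie."""
    headers, body = build_session_request(user, password, require_valid_user)
    req = urllib.request.Request(base_url + "/_session", data=body,
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:  # network call, not run offline
        return extract_auth_session(resp.headers.get("Set-Cookie", ""))
```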
Got it - this is an enhancement request.
It would be good to have this fix, it is really unexpected that you are required to submit the same auth details twice (as a header and in the body) to get a session cookie when require_valid_user=true.
Given https://github.com/apache/couchdb/issues/1550 - with this change the replicator would also stop falling back to Basic auth when require_valid_user=true. That would be beneficial in cases where the PBKDF2 iterations are configured strongly and the session cookie has performance advantages over checking the basic creds on each request.
EDIT: it seems perhaps I misunderstood the fallback behaviour in the replicator, but regardless this would be a lot less burdensome if POST _session "just worked" when the body had the correct creds.
I think this falls under the general theme of #2191, happy to add it.