Basic Authentication for _utils does not work if require_valid_user_except_for_up is set #5186

Open
hpop opened this issue Aug 20, 2024 · 2 comments

hpop commented Aug 20, 2024

Description

When setting require_valid_user_except_for_up instead of require_valid_user in the CouchDB configuration, the system does not prompt for username and password when accessing the _utils endpoint. Instead, a 401 is returned:

{"error":"unauthorized","reason":"Authentication required."}

When changing the configuration back to require_valid_user, the basic authentication prompt appears as expected.

Steps to Reproduce

  1. Set require_valid_user_except_for_up = true in local.ini
  2. Restart CouchDB to apply the configuration change.
  3. Attempt to access the _utils endpoint (e.g., http://localhost:5984/_utils).

Expected Behaviour

The _utils endpoint should prompt for authentication.

Your Environment

  • CouchDB version used: 3.3 (Docker)
  • Browser name and version: Firefox
  • Operating system and version: macOS

{
  "couchdb": "Welcome",
  "version": "3.3.3",
  "git_sha": "40afbcfc7",
  "uuid": "3a7f2e8d1c9b4f6e0d5a2c8b7f3e1d9a",
  "features": [
    "access-ready",
    "partitioned",
    "pluggable-storage-engines",
    "reshard",
    "scheduler"
  ],
  "vendor": {
    "name": "The Apache Software Foundation"
  }
}

local.ini

[couchdb]
single_node=true
uuid = 3a7f2e8d1c9b4f6e0d5a2c8b7f3e1d9a

[chttpd]
require_valid_user_except_for_up = true
bind_address = any
authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
enable_cors = true

[jwt_keys]
....

[jwt_auth]
roles_claim_path = cognito:groups

[couch_peruser]
enable = true

[admins]
admin = -pbkdf2-...

[cors]
origins = *
headers = accept, authorization, content-type, origin, referer
credentials = true
methods = GET, PUT, POST, HEAD, DELETE

hpop commented Aug 20, 2024

After writing this, I discovered that the issue seems to be resolved when both require_valid_user and require_valid_user_except_for_up are set to true.

If this is the intended behavior, the documentation may be misleading.

kusold commented Nov 22, 2024

Thanks for posting the resolution. It was not obvious to me that both were required.

I'm adding a link to #1305 because that was the recommended solution for CouchDB 2.x, but the option no longer exists in 3.x.
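
The configuration combination discussed in this thread, as an added example that is not part of the issue or of CouchDB's code: a small lint for local.ini that flags require_valid_user_except_for_up set without require_valid_user, plus a check for whether a given response would open a browser's Basic dialog. The function names, the sample INI and the sample headers are constructed; the thread shows only the 401 body, not its headers.

```python
import configparser

# Constructed sample: the [chttpd] settings from the report, trimmed.
REPORTED_INI = """\
[couchdb]
single_node=true

[chttpd]
require_valid_user_except_for_up = true
bind_address = any

[jwt_keys]
....
"""

def chttpd_flags(ini_text):
    """Return (require_valid_user, require_valid_user_except_for_up) from [chttpd]."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",), strict=False)
    cp.read_string(ini_text)

    def flag(name):
        # A missing section, missing key or bare key all count as "not set".
        value = cp.get("chttpd", name, fallback=None) or "false"
        return value.strip().lower() == "true"

    return flag("require_valid_user"), flag("require_valid_user_except_for_up")

def lint_chttpd(ini_text):
    """Flag the combination this thread reports as returning a bare 401 on /_utils."""
    valid_user, except_up = chttpd_flags(ini_text)
    if except_up and not valid_user:
        return "except_for_up without require_valid_user: no Basic prompt reported"
    return "ok"

def browser_would_prompt(status, headers):
    """A browser opens its Basic dialog only for a 401 with a Basic challenge."""
    if status != 401:
        return False
    return any(name.lower() == "www-authenticate"
               and value.strip().lower().startswith("basic")
               for name, value in headers.items())

if __name__ == "__main__":
    print(lint_chttpd(REPORTED_INI))
    # Constructed responses (header values are illustrative, not captured).
    print(browser_would_prompt(401, {"Content-Type": "application/json"}))
    print(browser_would_prompt(401, {"WWW-Authenticate": 'Basic realm="server"'}))
```

To apply the second check to a live instance, pass it the status and headers of an unauthenticated request to /_utils.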
