Basic Authentication for `_utils` does not work if `require_valid_user_except_for_up` is set
Description
When setting require_valid_user_except_for_up instead of require_valid_user in the CouchDB configuration, the system does not prompt for username and password when accessing the _utils endpoint. Instead, a 401 is returned:
{"error":"unauthorized","reason":"Authentication required."}
When changing the configuration back to require_valid_user, the basic authentication prompt appears as expected.
Steps to Reproduce
- Set require_valid_user_except_for_up = true in local.ini
- Restart CouchDB to apply the configuration change.
- Attempt to access the _utils endpoint (e.g., http://localhost:5984/_utils).
Expected Behaviour
The _utils endpoint should prompt for authentication
Your Environment
- CouchDB version used: 3.3 (Docker)
- Browser name and version: Firefox
- Operating system and version: macOS
{
"couchdb": "Welcome",
"version": "3.3.3",
"git_sha": "40afbcfc7",
"uuid": "3a7f2e8d1c9b4f6e0d5a2c8b7f3e1d9a",
"features": [
"access-ready",
"partitioned",
"pluggable-storage-engines",
"reshard",
"scheduler"
],
"vendor": {
"name": "The Apache Software Foundation"
}
}
local.ini
[couchdb]
single_node=true
uuid = 3a7f2e8d1c9b4f6e0d5a2c8b7f3e1d9a
[chttpd]
require_valid_user_except_for_up = true
bind_address = any
authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
enable_cors = true
[jwt_keys]
....
[jwt_auth]
roles_claim_path = cognito:groups
[couch_peruser]
enable = true
[admins]
admin = -pbkdf2-...
[cors]
origins = *
headers = accept, authorization, content-type, origin, referer
credentials = true
methods = GET, PUT, POST, HEAD, DELETE
After writing this, I discovered that the issue seems to be resolved when both require_valid_user and require_valid_user_except_for_up are set to true.
If this is the intended behavior, the documentation may be misleading.
Thanks for posting the resolution. It was not obvious to me that both were required.
I'm adding a link to https://github.com/apache/couchdb/issues/1305 because that was the recommended solution for CouchDB 2.x, but the option no longer exists in 3.x.
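A way to check from the command line what the browser sees, as an added example that is not part of the original issue or CouchDB's own code: a browser only shows the Basic auth dialog when the 401 carries a `WWW-Authenticate: Basic` challenge, so the script looks for that header on `/_utils` and confirms `/_up` stays reachable without credentials. The default base URL is the one from the report; the function names are this example's own.

```python
"""Check whether a CouchDB node challenges for Basic auth on /_utils."""
import sys
import urllib.error
import urllib.request


def fetch(url, timeout=5):
    """Unauthenticated GET; returns (status, headers) even for 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def classify(status, headers):
    """Map a response to what a browser does with it."""
    challenges = headers.get_all("WWW-Authenticate") or []
    basic = any(c.strip().lower().startswith("basic") for c in challenges)
    if status == 401:
        # Without a Basic challenge the browser just renders the JSON error.
        return "prompt" if basic else "bare-401"
    return "open" if 200 <= status < 300 else "other"


def check(base_url, fetch=fetch):
    """Return (results, problems) for the two endpoints named in the issue."""
    base = base_url.rstrip("/")
    results = {p: classify(*fetch(base + p)) for p in ("/_up", "/_utils")}
    problems = []
    if results["/_up"] != "open":
        problems.append("/_up is not reachable without credentials")
    if results["/_utils"] == "bare-401":
        problems.append("/_utils: 401 without a Basic challenge, no prompt")
    elif results["/_utils"] == "open":
        problems.append("/_utils is served without authentication")
    return results, problems


if __name__ == "__main__":
    # Default is the URL from the report; pass another base URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:5984"
    results, problems = check(target)
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when either endpoint deviates, so it can run after a configuration change or as a container health gate.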