
CouchDB v3.4.1 return 403 on GET /_session with a wrong password

Open H--o-l opened this issue 1 year ago • 5 comments

Description

This morning I upgraded one node of my CouchDB cluster to v3.4.1 while the two other nodes of the cluster are still on CouchDB v3.3.3.

Since then, I have had multiple exceptions on my backend related to users using the wrong password and CouchDB returning an HTTP status 403 instead of the usual HTTP status 401.

Usually, I catch the 401 to return a nice message to users so they can understand what's wrong. But since the update, for some users (not all users and I don't know why on these users specifically) CouchDB returns an unexpected 403 on the GET /_session. This has pushed me to create a temporary urgent release where I catch both the 401 and the 403 to return a nice error in both cases.

The CouchDB documentation for v3.4.1 is explicit: the route should only return HTTP 200 or HTTP 401, not HTTP 403.

Steps to Reproduce

I don't know for sure, I wasn't able to code a reproducer, it happens only on my production servers. There is something on the production cluster that makes the case appear:

  • maybe it's the fact of having one node on v3.4.1 and the two others on v3.3.3?
  • maybe it's something user-specific? But I don't know what specifics to look at.

Expected Behaviour

GET /_session should always return HTTP 200 or HTTP 401, never HTTP 403.

Your Environment

  • CouchDB version used: v3.4.1 and v3.3.3. The error occurs only on GET /_session made on the v3.4.1 node.
  • Browser name and version: NA
  • Operating system and version: NA

Additional Context

I don't know, you tell me!

H--o-l avatar Oct 21 '24 14:10 H--o-l

This is a feature added recently https://github.com/apache/couchdb/blob/main/rel/overlay/etc/default.ini#L1074. Probably the API docs need to be updated.

\cc @rnewson

iilyak avatar Oct 21 '24 15:10 iilyak

agree, the docs need updating. what a chore :(

rnewson avatar Oct 21 '24 15:10 rnewson

OK, understood, thanks. What about the changelog, did the change appear inside it? Because I read it carefully before doing the update and I haven't noticed that change. It would have avoided inconvenience for my users if I had been able to notice it before the update.

H--o-l avatar Oct 21 '24 15:10 H--o-l

The new lockout support was documented in the changelog (https://docs.couchdb.org/en/stable/whatsnew/3.4.html), but we (I) didn't update the api docs to list 403 as a possibility for all endpoints, we'll sort that out.

rnewson avatar Oct 21 '24 15:10 rnewson
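A client-side check of the behaviour discussed above, as an added example that is not code from the CouchDB project or from any commenter: it performs GET /_session with Basic auth, keeps the 401 (wrong password) and 403 (lockout) outcomes apart, and runs offline against a constructed fake node whose lockout threshold is an assumption, not the real default.ini value.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Fetch = Callable[[str, Dict[str, str]], Tuple[int, dict]]


@dataclass(frozen=True)
class SessionResult:
    outcome: str    # "ok", "bad_credentials", "locked_out" or "unexpected"
    status: int
    retry_ok: bool  # False when prompting the user to try again cannot help


def check_session(fetch: Fetch, base_url: str, user: str, password: str) -> SessionResult:
    """GET /_session and classify the reply.

    `fetch(url, headers)` is an injected transport returning (status, json_body)
    so the logic is testable offline; in production wrap your HTTP client.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, body = fetch(f"{base_url}/_session", {"Authorization": f"Basic {token}"})
    if status == 200 and body.get("userCtx", {}).get("name") == user:
        return SessionResult("ok", status, True)
    if status == 401:
        return SessionResult("bad_credentials", status, True)
    if status == 403:
        # 3.4.x lockout: do not treat this as "wrong password" and do not
        # invite an immediate retry; surface it as a distinct condition.
        return SessionResult("locked_out", status, False)
    return SessionResult("unexpected", status, False)


def make_fake_node(lock_after: int, good_password: str = "correct-horse") -> Fetch:
    """Constructed stand-in for a v3.4.1 node (assumed behaviour): 401 on a wrong
    password, 403 once a user has failed `lock_after` times. Bodies are invented."""
    failures: Dict[str, int] = {}

    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        raw = base64.b64decode(headers["Authorization"].split()[1]).decode()
        user, password = raw.split(":", 1)
        if failures.get(user, 0) >= lock_after:
            return 403, {"error": "forbidden", "reason": "locked out (constructed)"}
        if password == good_password:
            return 200, {"ok": True, "userCtx": {"name": user, "roles": []}}
        failures[user] = failures.get(user, 0) + 1
        return 401, {"error": "unauthorized", "reason": "bad credentials (constructed)"}

    return fetch
```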

OK, my bad, thanks for the answer. I let you see then, and you can close the issue when you want :+1:

H--o-l avatar Oct 21 '24 15:10 H--o-l