Support safe secret rotation

Open rnewson opened this issue 1 month ago • 0 comments

Overview

Allow the rotation of couch_httpd_auth secret without disruption.

CouchDB will now react to the runtime changing of chttpd_auth/couch_httpd_auth secret by:

  1. caching the old value for the duration of the session timeout
  2. checking any cookie against the current secret and any cached old secret
  3. each node will synchronously tell the other nodes in the cluster of its new secret before it starts using it

The PR also optimizes the case where there is more than one hash algorithm configured by skipping any calculation if the presented MAC value is of a different length to the algorithm (so we won't compare an hmac-sha1 against a hmac-sha256, say).

Testing recommendations

covered by tests

Related Issues or Pull Requests

N/A

Checklist

  • [x] Code is written and works correctly
  • [x] Changes are covered by tests
  • [ ] Any new configurable parameters are documented in rel/overlay/etc/default.ini
  • [ ] Documentation changes were made in the src/docs folder
  • [ ] Documentation changes were backported (separated PR) to affected branches

rnewson avatar Nov 19 '25 16:11 rnewson
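
The verification behaviour described in the overview (points 1 and 2, plus the MAC-length shortcut), modelled as an added Python example; it is not CouchDB's Erlang code and not code from this PR. The class name, the payload layout and the secrets are constructed for illustration, and cluster propagation (point 3) is not modelled.

```python
import hashlib
import hmac
import time

# Configured hash algorithms; digest_size lets us skip impossible matches.
ALGORITHMS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1}


class RotatingSecretVerifier:
    """Hypothetical model: old secrets stay valid for one session timeout."""

    def __init__(self, secret, session_timeout, clock=time.monotonic):
        self.current = secret
        self.timeout = session_timeout
        self.clock = clock
        self.old = []  # (secret, expires_at) pairs

    def rotate(self, new_secret):
        # Cache the outgoing secret so cookies issued under it keep working
        # until they would have expired anyway.
        self.old.append((self.current, self.clock() + self.timeout))
        self.current = new_secret

    def _candidates(self):
        # Drop cached secrets whose grace period has ended.
        now = self.clock()
        self.old = [(s, exp) for s, exp in self.old if exp > now]
        return [self.current] + [s for s, _ in self.old]

    def sign(self, payload, alg="sha256"):
        return hmac.new(self.current, payload, ALGORITHMS[alg]).digest()

    def verify(self, payload, mac):
        ok = False
        for secret in self._candidates():
            for h in ALGORITHMS.values():
                if h().digest_size != len(mac):
                    continue  # e.g. never compute hmac-sha256 for a 20-byte MAC
                expected = hmac.new(secret, payload, h).digest()
                ok |= hmac.compare_digest(expected, mac)  # constant-time compare
        return ok
```

Once the grace period ends, the old secret is dropped and cookies signed with it fail verification, which bounds how long a leaked secret remains usable after rotation.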