This is an automated email from the ASF dual-hosted git repository.
rnewson pushed a commit to branch preemptive-cookie
in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit cfee5236bcdbf0591ceed7116d5ee9bf383c8257
Author: Robert Newson <rnew...@apache.org>
AuthorDate: Fri Jul 21 12:50:37 2023 +0100
send cookie on successful basic auth
---
src/couch/src/couch_httpd_auth.erl | 15 +++++++++++++--
src/docs/src/api/server/authn.rst | 7 +++++++
test/elixir/test/cookie_auth_test.exs | 17 +++++++++++++++++
3 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/src/couch/src/couch_httpd_auth.erl
b/src/couch/src/couch_httpd_auth.erl
index 652fb3996..2b00cd96b 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -114,12 +114,23 @@ default_authentication_handler(Req, AuthModule) ->
Password = ?l2b(Pass),
case authenticate(Password, UserProps) of
true ->
- Req#httpd{
+ Req0 = Req#httpd{
user_ctx = #user_ctx{
name = UserName,
roles = couch_util:get_value(<<"roles">>,
UserProps, [])
}
- };
+ },
+ case chttpd_util:get_chttpd_auth_config("secret")
of
+ undefined ->
+ Req0;
+ SecretStr ->
+ Secret = ?l2b(SecretStr),
+ UserSalt =
couch_util:get_value(<<"salt">>, UserProps, <<"">>),
+ FullSecret = <<Secret/binary,
UserSalt/binary>>,
+ Req0#httpd{
+ auth = {FullSecret, true}
+ }
+ end;
false ->
authentication_warning(Req, UserName),
throw({unauthorized, <<"Name or password is
incorrect.">>})
diff --git a/src/docs/src/api/server/authn.rst
b/src/docs/src/api/server/authn.rst
index 7744d12fd..789eec277 100644
--- a/src/docs/src/api/server/authn.rst
+++ b/src/docs/src/api/server/authn.rst
@@ -27,6 +27,13 @@ Interfaces for obtaining session and authorization data.
Basic Authentication
====================
+.. versionchanged:: 3.4 In order to aid transition to stronger password hashing
+ without causing a performance penalty, CouchDB will send a Set-Cookie
header
+ when a request authenticates successfully with Basic authentication. All
browsers
+ and many http libraries will automatically send this cookie on subsequent
requests.
+ The cost of verifying the cookie is significantly less than PBKDF2 with a
high
+ iteration count, for example.
+
`Basic authentication`_ (:rfc:`2617`) is a quick and simple way to authenticate
with CouchDB. The main drawback is the need to send user credentials with each
request which may be insecure and could hurt operation performance (since
diff --git a/test/elixir/test/cookie_auth_test.exs
b/test/elixir/test/cookie_auth_test.exs
index 6e42963f0..cb28c1ea8 100644
--- a/test/elixir/test/cookie_auth_test.exs
+++ b/test/elixir/test/cookie_auth_test.exs
@@ -389,6 +389,23 @@ defmodule CookieAuthTest do
&test_change_admin_fun/0
)
+ # performing a successful basic authentication will
+ # create a session cookie
+ resp = Couch.get(
+ "/_all_dbs",
+ headers: [authorization: "Basic #{:base64.encode("jan:apple")}"])
+ assert resp.status_code == 200
+
+ # extract cookie value
+ cookie = resp.headers[:"set-cookie"]
+ [token | _] = String.split(cookie, ";")
+
+ resp = Couch.get(
+ "/_session",
+ headers: [cookie: token])
+ assert resp.status_code == 200
+ assert resp.body["info"]["authenticated"] == "cookie"
+
# log in one last time so run_on_modified_server can clean up the admin
account
login("jan", "apple")
end
