GitHub user realistschuckle added a comment to the discussion: How does `users_db_public` work? (CouchDB 3.5.1)
Hi, @rnewson! Thank you for your reply and your examples. Unfortunately, I can't reproduce what you have. Here's what I get. ## Unexpected behavior Using the `example.com/[email protected]` user with Basic Auth to access their user record, I get a `403 Forbidden`. ```sh curl --user 'example.com/[email protected]:password' \ 'http://localhost:5984/_users/org.couchdb.user%3Aexample.com%2Fperson%40mailhost.com' {"error":"forbidden","reason":"You are not allowed to access this db."} ``` Using a JWT with the `sub` claim set to `example.com/[email protected]` to access their user record, I get a `403 Forbidden`. ```sh curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJleGFtcGxlLmNvbS9wZXJzb25AbWFpbGhvc3QuY29tIiwiZXhwIjoxNTE2MjM5MDIyMCwicm9sZXMiOltdfQ.fro4XKGs9JrABBWkvXAtGHnuniwlxYeGGH_YW3OKWwk' \ http://localhost:5984/_users/org.couchdb.user%3Aexample.com%2Fperson%40mailhost.com {"error":"forbidden","reason":"You are not allowed to access this db."} ``` ## Expected behavior Using the admin user and Basic Auth, I get a successful response. ```sh curl --user "admin:password" http://localhost:5984/_users/org.couchdb.user%3Aexample.com%2Fperson%40mailhost.com {"_id":"org.couchdb.user:example.com/[email protected]","_rev":"2-0d3c1123adaf781b754cc34c316b9f58","password_scheme":"pbkdf2","pbkdf2_prf":"sha256","salt":"bc00d465df6bf7c80248cc470116ebdd","iterations":600000,"derived_key":"dc6f67846acbfe4006406e27a9918b77f700ade03918fb4fbbec7f9a1921d1c2","name":"example.com/[email protected]","roles":[],"type":"user"} ``` Using a user with a JWT and the `_admin` role, I get a successful response. ```sh curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTUxNjIzOTAyMjAsInJvbGVzIjpbIl9hZG1pbiJdfQ.MPNmweY1wwOdNwAjW8CTnaNYHs3yC_xRlNGT8vx_3Oo" \ http://localhost:5984/_users/org.couchdb.user%3Aexample.com%2Fperson%40mailhost.com {"_id":"org.couchdb.user:example.com/[email protected]","_rev":"2-0d3c1123adaf781b754cc34c316b9f58","password_scheme":"pbkdf2","pbkdf2_prf":"sha256","salt":"bc00d465df6bf7c80248cc470116ebdd","iterations":600000,"derived_key":"dc6f67846acbfe4006406e27a9918b77f700ade03918fb4fbbec7f9a1921d1c2","name":"example.com/[email protected]","roles":[],"type":"user"} ``` Using the `example.com/[email protected]` user with Basic Auth to access their **user-specific database**, I get a successful response. ```sh curl --user 'example.com/[email protected]:password' \ http://localhost:5984/userdb-6578616d706c652e636f6d2f706572736f6e406d61696c686f73742e636f6d/_all_docs {"total_rows":0,"offset":0,"rows":[]} ``` Using a JWT with the `sub` claim set to `example.com/[email protected]` to access their **user-specific database**, I get a successful response. ```sh curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJleGFtcGxlLmNvbS9wZXJzb25AbWFpbGhvc3QuY29tIiwiZXhwIjoxNTE2MjM5MDIyMCwicm9sZXMiOltdfQ.fro4XKGs9JrABBWkvXAtGHnuniwlxYeGGH_YW3OKWwk' \ http://localhost:5984/userdb-6578616d706c652e636f6d2f706572736f6e406d61696c686f73742e636f6d/_all_docs {"total_rows":0,"offset":0,"rows":[]} ``` ## Extra info <details> <summary>My <code>_users</code> security object</summary> ```sh curl --user "admin:password" http://localhost:5984/_users/_security | jq ``` ```json { "members": { "roles": [ "_admin" ] }, "admins": { "roles": [ "_admin" ] } } ``` </details> <details> <summary>My server config object</summary> The server is running locally in a docker container. ```json { "uuids": { "algorithm": "uuid_v7" }, "cors": { "credentials": "true", "headers": "authorization, accept, content-type, origin, referer", "origins": "http://localhost:1234" }, "chttpd": { "authentication_handlers": "{chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}", "bind_address": "any", "enable_cors": "true", "port": "5984", "server_header_versions": "false" }, "admins": { "admin": "PASSWORD-HASH" }, "vendor": { "name": "Escribo Application Server", "version": "1.0.0" }, "nouveau": { "url": "http://127.0.0.1:5987" }, "jwt_keys": { "hmac:_default": "BASE64-ENCODED-SECRET" }, "feature_flags": { "partitioned||*": "true" }, "chttpd_auth": { "hash_algorithms": "sha256, sha", "secret": "SECRET", "users_db_public": "true" }, "indexers": { "couch_mrview": "true" }, "couch_peruser": { "enable": "true" }, "prometheus": { "additional_port": "false", "bind_address": "127.0.0.1", "port": "17986" }, "httpd": { "bind_address": "127.0.0.1", "port": "5986" }, "smoosh": { "state_dir": "./data" }, "jwt_auth": { "roles_claim_path": "roles" }, "couch_httpd_auth": { "authentication_db": "_users" }, "couchdb_engines": { "couch": "couch_bt_engine" }, "couchdb": { "database_dir": "./data", "single_node": "true", "uuid": "UUID", "view_index_dir": "./data" } } ``` </details> GitHub link: https://github.com/apache/couchdb/discussions/5957#discussioncomment-16425980 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
