GitHub user realistschuckle added a comment to the discussion: How does 
`users_db_public` work? (CouchDB 3.5.1)

Hi, @rnewson! Thank you for your reply and your examples. Unfortunately, I 
can't reproduce what you have. Here's what I get.

## Unexpected behavior

Using the `example.com/[email protected]` user with Basic Auth to access 
their user record, I get a `403 Forbidden`.

```sh
curl --user 'example.com/[email protected]:password' \
    
'http://localhost:5984/_users/org.couchdb.user%3Aexample.com%2Fperson%40mailhost.com'

{"error":"forbidden","reason":"You are not allowed to access this db."}
```

Using a JWT with the `sub` claim set to `example.com/[email protected]` to 
access their user record, I get a `403 Forbidden`.

```sh
curl -H 'Authorization: Bearer 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJleGFtcGxlLmNvbS9wZXJzb25AbWFpbGhvc3QuY29tIiwiZXhwIjoxNTE2MjM5MDIyMCwicm9sZXMiOltdfQ.fro4XKGs9JrABBWkvXAtGHnuniwlxYeGGH_YW3OKWwk'
 \
    
http://localhost:5984/_users/org.couchdb.user%3Aexample.com%2Fperson%40mailhost.com

{"error":"forbidden","reason":"You are not allowed to access this db."}
```

## Expected behavior

Using the admin user and Basic Auth, I get a successful response.

```sh
curl --user "admin:password" 
http://localhost:5984/_users/org.couchdb.user%3Aexample.com%2Fperson%40mailhost.com

{"_id":"org.couchdb.user:example.com/[email protected]","_rev":"2-0d3c1123adaf781b754cc34c316b9f58","password_scheme":"pbkdf2","pbkdf2_prf":"sha256","salt":"bc00d465df6bf7c80248cc470116ebdd","iterations":600000,"derived_key":"dc6f67846acbfe4006406e27a9918b77f700ade03918fb4fbbec7f9a1921d1c2","name":"example.com/[email protected]","roles":[],"type":"user"}
```

Using a user with a JWT and the `_admin` role, I get a successful response.

```sh
curl -H "Authorization: Bearer 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTUxNjIzOTAyMjAsInJvbGVzIjpbIl9hZG1pbiJdfQ.MPNmweY1wwOdNwAjW8CTnaNYHs3yC_xRlNGT8vx_3Oo"
  \
    
http://localhost:5984/_users/org.couchdb.user%3Aexample.com%2Fperson%40mailhost.com

{"_id":"org.couchdb.user:example.com/[email protected]","_rev":"2-0d3c1123adaf781b754cc34c316b9f58","password_scheme":"pbkdf2","pbkdf2_prf":"sha256","salt":"bc00d465df6bf7c80248cc470116ebdd","iterations":600000,"derived_key":"dc6f67846acbfe4006406e27a9918b77f700ade03918fb4fbbec7f9a1921d1c2","name":"example.com/[email protected]","roles":[],"type":"user"}
```

Using the `example.com/[email protected]` user with Basic Auth to access 
their **user-specific database**, I get a successful response.

```sh
curl --user 'example.com/[email protected]:password' \
    
http://localhost:5984/userdb-6578616d706c652e636f6d2f706572736f6e406d61696c686f73742e636f6d/_all_docs

{"total_rows":0,"offset":0,"rows":[]}
```

Using a JWT with the `sub` claim set to `example.com/[email protected]` to 
access their **user-specific database**, I get a successful response.

```sh
curl -H 'Authorization: Bearer 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJleGFtcGxlLmNvbS9wZXJzb25AbWFpbGhvc3QuY29tIiwiZXhwIjoxNTE2MjM5MDIyMCwicm9sZXMiOltdfQ.fro4XKGs9JrABBWkvXAtGHnuniwlxYeGGH_YW3OKWwk'
 \
    
http://localhost:5984/userdb-6578616d706c652e636f6d2f706572736f6e406d61696c686f73742e636f6d/_all_docs

{"total_rows":0,"offset":0,"rows":[]}
```

## Extra info

<details>
<summary>My <code>_users</code> security object</summary>

```sh
curl --user "admin:password" http://localhost:5984/_users/_security | jq
```

```json
{
  "members": {
    "roles": [
      "_admin"
    ]
  },
  "admins": {
    "roles": [
      "_admin"
    ]
  }
}
```

</details>

<details>
<summary>My server config object</summary>

The server is running locally in a docker container.

```json
{
  "uuids": {
    "algorithm": "uuid_v7"
  },
  "cors": {
    "credentials": "true",
    "headers": "authorization, accept, content-type, origin, referer",
    "origins": "http://localhost:1234";
  },
  "chttpd": {
    "authentication_handlers": "{chttpd_auth, jwt_authentication_handler}, 
{chttpd_auth, cookie_authentication_handler}, {chttpd_auth, 
default_authentication_handler}",
    "bind_address": "any",
    "enable_cors": "true",
    "port": "5984",
    "server_header_versions": "false"
  },
  "admins": {
    "admin": "PASSWORD-HASH"
  },
  "vendor": {
    "name": "Escribo Application Server",
    "version": "1.0.0"
  },
  "nouveau": {
    "url": "http://127.0.0.1:5987";
  },
  "jwt_keys": {
    "hmac:_default": "BASE64-ENCODED-SECRET"
  },
  "feature_flags": {
    "partitioned||*": "true"
  },
  "chttpd_auth": {
    "hash_algorithms": "sha256, sha",
    "secret": "SECRET",
    "users_db_public": "true"
  },
  "indexers": {
    "couch_mrview": "true"
  },
  "couch_peruser": {
    "enable": "true"
  },
  "prometheus": {
    "additional_port": "false",
    "bind_address": "127.0.0.1",
    "port": "17986"
  },
  "httpd": {
    "bind_address": "127.0.0.1",
    "port": "5986"
  },
  "smoosh": {
    "state_dir": "./data"
  },
  "jwt_auth": {
    "roles_claim_path": "roles"
  },
  "couch_httpd_auth": {
    "authentication_db": "_users"
  },
  "couchdb_engines": {
    "couch": "couch_bt_engine"
  },
  "couchdb": {
    "database_dir": "./data",
    "single_node": "true",
    "uuid": "UUID",
    "view_index_dir": "./data"
  }
}
```

</details>



GitHub link: 
https://github.com/apache/couchdb/discussions/5957#discussioncomment-16425980

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: 
[email protected]

Reply via email to