> On 19. Jul 2018, at 11:36, Olaf Krueger <[email protected]> wrote:
>
> Hi Eric,
> thanks for the explanation!
>
> I just tested the effect of "require_valid_user=true/false" by using the
> CouchDB endpoints directly and it seems to me that it works as expected:
> You always have to add the credentials (using Basic-Auth) with each call in
> order to be able to access the CouchDB API.
>
> So, I took a look at the nano source code and it seems to me that
> "nano.auth()" method is using the "_session" API in order to authenticate and
> to retrieve a token.
> That said and if I understand it correctly, our issue is maybe not a bug in
> nano but something like "works as designed"?:
> (Because of "require_valid_user=true" the "_session" endpoint cannot be
> accessed and nano always returns with "Authentication required")
Nano could try a Basic Auth request to /_session.
> However, the only reason why we stumbled over this issue is that in our Linux
> CouchDB distribution (Bitnami) "require_valid_user" is set to "true" by
> default which is vice versa to our local Windows environment.
Heads up: we don’t recommend using Bitnami images. They make odd configuration
choices and on places like AWS, the review of the AMIs takes a couple of weeks,
which is too long for severe security updates.
> Because we are not concerned about security issues here, I guess we can
> resolve this by just always setting "require_valid_user=false".
>
> Makes sense?
It is certainly an option (and it’s the default setting we ship CouchDB with).
You probably want to block /_all_dbs in a proxy (or using the related
configuration setting in the upcoming 2.2.0 release).
Best
Jan
--
Professional Support for Apache CouchDB:
https://neighbourhood.ie/couchdb-support/