GitHub user KlausTrainer opened a pull request:
https://github.com/apache/couchdb/pull/172
Use cookie authentication during replication
In `couch_replicator_httpc:setup/1`, if the URL contains basic auth
credentials, the replicator now removes those credentials from the URL
and inserts them into a new ets table, whose identifier is stored in the
returned `httpdb` record in a new field named `credentials`.
Then, if during replication there's a HTTP status code 401, the
replicator does a POST-request to the remote DB's `/_session` endpoint,
in which the request body contains the user name and password from the
basic auth credentials stored in the ets table. If that request is
successful, the session cookie is inserted into the ets table together
with the current timestamp returned by `os:timestamp/0`. From that
point on, `couch_replicator_httpc:send_req/3` always retrieves the
cookie from the ets table and sets it as value in the "Cookie" request
header. When a new session cookie is set, the cookie value, together
with a new timestamp, will be updated in the ets table accordingly.
Now, after having started a new session, the request that generated the
response status code 401 is repeated.
In order to prevent the replicator from wrongly starting a new session
after getting a 401 status code and then repeating the request again
(and thereby causing an infinite loop), it is checked whether the
difference between the current timestamp returned by `os:timestamp/0`
and the timestamp stored together with the session cookie is greater
than one minute. A new session is started and the request is repeated
only if the difference is greater than one minute. Otherwise it is
proceeded as ever, i.e., the response with the 401 status code is
returned.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/KlausTrainer/couchdb
2069-cookie-auth-replication
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/couchdb/pull/172.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #172
----
commit 97b7b4e4b2aa48f9f03fb781f0754cc1e2b14543
Author: Klaus Trainer <[email protected]>
Date: 2014-03-09T19:10:53Z
Use cookie authentication during replication
In `couch_replicator_httpc:setup/1`, if the URL contains basic auth
credentials, the replicator now removes those credentials from the URL
and inserts them into a new ets table, whose identifier is stored in the
returned `httpdb` record in a new field named `credentials`.
Then, if during replication there's a HTTP status code 401, the
replicator does a POST-request to the remote DB's `/_session` endpoint,
in which the request body contains the user name and password from the
basic auth credentials stored in the ets table. If that request is
successful, the session cookie is inserted into the ets table together
with the current timestamp returned by `os:timestamp/0`. From that
point on, `couch_replicator_httpc:send_req/3` always retrieves the
cookie from the ets table and sets it as value in the "Cookie" request
header. When a new session cookie is set, the cookie value, together
with a new timestamp, will be updated in the ets table accordingly.
Now, after having started a new session, the request that generated the
response status code 401 is repeated.
In order to prevent the replicator from wrongly starting a new session
after getting a 401 status code and then repeating the request again
(and thereby causing an infinite loop), it is checked whether the
difference between the current timestamp returned by `os:timestamp/0`
and the timestamp stored together with the session cookie is greater
than one minute. A new session is started and the request is repeated
only if the difference is greater than one minute. Otherwise it is
proceeded as ever, i.e., the response with the 401 status code is
returned.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
