rnewson opened a new pull request, #4702: URL: https://github.com/apache/couchdb/pull/4702
## Overview

As a way to migrate users to a strong password hashing scheme without getting a performance hit each time, assuming the client will send back the cookie we send them, we check the cookie first and avoid the hit, but we still fall back to basic auth if necessary.

The AuthSession cookie is extended with a new field that indicates whether it was issued by the default authentication handler or the cookie authentication handler. If the cookie was issued by the default authentication handler, the cookie authentication handler will check that the username in the basic auth header, if present, matches the name in the cookie. If it does not, the cookie is ignored. This ensures that the basic auth header takes precedence for any client that got an unasked-for cookie and ensures their operations are performed as the user they intended.

h/t @glynnbird for the idea

## Testing recommendations

Covered by tests in cookie_auth_tests.exs

## Related Issues or Pull Requests

N/A

## Checklist

- [x] Code is written and works correctly
- [x] Changes are covered by tests
- [ ] Any new configurable parameters are documented in `rel/overlay/etc/default.ini`
- [x] Documentation changes were made in the `src/docs` folder
- [ ] Documentation changes were backported (separated PR) to affected branches

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
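To make the precedence rule in the PR description concrete, the following is an added Python model of the two-handler chain it describes; it is example code, not CouchDB's own implementation. It assumes a cookie layout of base64url(name:timestamp:issuer:hmac) with an issuer value of "default" (issued by the basic-auth handler) or "cookie" (issued by the cookie handler); the real AuthSession encoding, the name of the new field and the session timeout are not reproduced. It also assumes, as the description implies, that the username check applies only to cookies issued by the default handler, so a cookie obtained through the cookie handler keeps precedence over a mismatched Basic header. All users, passwords and the server secret are constructed fixtures.

```python
import base64
import hashlib
import hmac
import time

# Constructed fixtures for the example (not CouchDB data): a server secret and two users
# whose passwords are stored under a deliberately expensive PBKDF2 setting, standing in
# for the "strong password hashing scheme" the PR wants to migrate users to.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
ITERATIONS = 50_000
USERS = {
    "alice": {"salt": b"salt-alice", "hash": hashlib.pbkdf2_hmac("sha256", b"alice-pw", b"salt-alice", ITERATIONS)},
    "bob": {"salt": b"salt-bob", "hash": hashlib.pbkdf2_hmac("sha256", b"bob-pw", b"salt-bob", ITERATIONS)},
}
_STATS = {"slow_verifications": 0}


def slow_verification_count():
    """How many times the expensive password hash has run; shows when the cookie avoids it."""
    return _STATS["slow_verifications"]


def verify_password(name, password):
    """The expensive step: rerun the password hash and compare in constant time."""
    _STATS["slow_verifications"] += 1
    rec = USERS.get(name)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, rec["hash"])


def issue_cookie(name, issuer, secret=SERVER_SECRET):
    """Assumed layout: base64url(name:timestamp:issuer:hmac-hex). 'issuer' is the new field:
    "default" for the basic-auth handler, "cookie" for the cookie handler."""
    payload = f"{name}:{int(time.time()):x}:{issuer}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}:{mac}".encode()).decode()


def parse_cookie(value):
    """Return {'name', 'issuer'} for a cookie with a valid MAC, else None (timeout check omitted)."""
    try:
        name, ts, issuer, mac = base64.urlsafe_b64decode(value).decode().split(":", 3)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SERVER_SECRET, f"{name}:{ts}:{issuer}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    return {"name": name, "issuer": issuer}


def basic_header(name, password):
    """Build an HTTP Basic Authorization header value for a client request."""
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()


def basic_credentials(headers):
    """Parse a Basic Authorization header into (name, password), or None if absent or malformed."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        name, password = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return name, password


def authenticate(headers, cookies):
    """Handler chain: cookie first (cheap), then basic auth (expensive).
    Returns (authenticated user or None, AuthSession cookie to set or None)."""
    basic = basic_credentials(headers)
    session = parse_cookie(cookies.get("AuthSession", ""))
    if session is not None:
        unasked_for = session["issuer"] == "default" and basic is not None and basic[0] != session["name"]
        if not unasked_for:
            return session["name"], None
        # The cookie came from the default handler but the basic auth header names someone
        # else: ignore the cookie so the header takes precedence and we act as that user.
    if basic is not None and verify_password(*basic):
        # Slow path succeeded: hand back a cookie marked as issued by the default handler.
        return basic[0], issue_cookie(basic[0], "default")
    return None, None


if __name__ == "__main__":
    first = authenticate({"Authorization": basic_header("alice", "alice-pw")}, {})
    print("basic only               ->", first[0], "| cookie issued:", first[1] is not None)
    replay = authenticate({"Authorization": basic_header("alice", "alice-pw")}, {"AuthSession": first[1]})
    print("cookie + same basic      ->", replay[0], "| slow verifications so far:", slow_verification_count())
    other = authenticate({"Authorization": basic_header("bob", "bob-pw")}, {"AuthSession": first[1]})
    print("alice cookie, bob header ->", other[0], "| slow verifications so far:", slow_verification_count())
```

The second request carries alice's cookie and her Basic header, so the cookie is accepted and the password hash does not run again; the third carries alice's cookie with bob's header, so the cookie is discarded, bob's password is verified and a fresh cookie for bob is issued. A cookie minted under a different secret, or with any field altered, fails the MAC check and falls through to basic auth.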
