H--o-l opened a new issue, #5315:
URL: https://github.com/apache/couchdb/issues/5315

## Description

This morning I upgraded one node of my CouchDB cluster to v3.4.1 while the two other nodes of the cluster are still on CouchDB v3.3.3.

Since then, I have had multiple exceptions on my backend related to users using the wrong password and CouchDB returning an HTTP status 403 instead of the usual HTTP status 401.

Usually, I catch the 401 to return a nice message to users so they can understand what's wrong. But since the update, for some users (not all users, and I don't know why these users specifically) CouchDB returns an unexpected 403 on the `GET /_session`. This has pushed me to create a temporary urgent release where I catch both the 401 and the 403 to return a nice error in both cases.

[The CouchDB documentation for v3.4.1 is explicit](https://docs.couchdb.org/en/3.4.1/api/server/authn.html#get--_session): the route should only return HTTP 200 or HTTP 401, not HTTP 403.
   
   
## Steps to Reproduce

I don't know for sure. I wasn't able to code a reproducer; it happens only on my production servers. There is something on the production cluster that makes the case appear:

- maybe it's the fact of having one node on v3.4.1 and the two others on v3.3.3?
- maybe it's something user-specific? But I don't know what specificities to look at.
   
   
## Expected Behaviour

`GET /_session` should always return HTTP 200 or HTTP 401, never HTTP 403.
   
## Your Environment

   
* CouchDB version used: v3.4.1 and v3.3.3. The error occurs only on `GET /_session` made on the v3.4.1 node.
* Browser name and version: NA
* Operating system and version: NA
   
## Additional Context

I don't know, you tell me!
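As an added check (not code from the issue author or the CouchDB project), the probe below asks each node for its version via `GET /` and then for its `GET /_session` answer with a deliberately wrong password, so a per-node divergence like the one reported above (403 from the v3.4.1 node, 401 from the v3.3.3 nodes) is visible side by side; the node URLs, the user name and the `fake_get` responses are constructed for illustration.

```python
"""Added example (not from the issue or CouchDB): probe each node's GET /_session
with deliberately wrong credentials and flag any node answering 403, not 401."""
import base64
import json
import urllib.error
import urllib.request

DOCUMENTED = {200, 401}  # statuses the 3.4.1 docs list for GET /_session

def http_get(url, user=None, password=None):
    """Return (status, body); HTTP errors are returned rather than raised."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def classify(status):
    """403 is the undocumented answer reported in this issue."""
    if status in DOCUMENTED:
        return "documented"
    return "undocumented-403" if status == 403 else "unexpected"

def probe_node(base, user, wrong_password, get=http_get):
    """Record the node's version (from GET /) and its /_session verdict."""
    status, body = get(base.rstrip("/") + "/")
    version = json.loads(body).get("version", "?") if status == 200 else "?"
    status, _ = get(base.rstrip("/") + "/_session", user, wrong_password)
    return {"node": base, "version": version, "status": status,
            "verdict": classify(status)}

def probe_cluster(nodes, user, wrong_password, get=http_get):
    """Probe every node; the caller compares verdicts across versions."""
    return [probe_node(n, user, wrong_password, get) for n in nodes]

def fake_get(url, user=None, password=None):
    """Constructed stand-in for http_get: 'node1' mimics the reported 3.4.1 node."""
    if url.endswith("/_session"):
        return (403 if "node1" in url else 401), '{"error":"forbidden"}'
    return 200, json.dumps({"version": "3.4.1" if "node1" in url else "3.3.3"})

if __name__ == "__main__":
    nodes = ["http://node1:5984", "http://node2:5984", "http://node3:5984"]
    for row in probe_cluster(nodes, "alice", "wrong-password", get=fake_get):
        print(row)  # swap get=http_get to probe a real cluster
```

Run it against a real cluster with `get=http_get` and a throwaway account; a row whose verdict is `undocumented-403` is the node the backend must special-case until the behaviour is fixed.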

