Bug#600169: couchdb missing WWW-Authentication HTTP header

2010-10-14 Thread David Paleino
reassign 600169 couchdb
retitle 600169 couchdb missing WWW-Authentication HTTP header
thanks

Seems like a couchdb bug.

Full-quoting for the couchdb maintainers' use:

On Thu, 14 Oct 2010 04:33:23 -0400, Jason Woofenden wrote:

 First, note that CouchDB seems to only support the Basic HTTP
 authentication method:
 
 $ FUTON_URL=http://username:passw...@localhost:`/usr/lib/desktopcouch/desktopcouch-get-port`/util/;
 $ curl --digest $FUTON_URL
 {error:unauthorized,reason:Authentication required.}
 $ curl --ntlm $FUTON_URL
 {error:unauthorized,reason:Authentication required.}
 $ curl --negotiate $FUTON_URL
 {error:unauthorized,reason:Authentication required.}
 $ curl --basic $FUTON_URL
 !DOCTYPE html
 [...]
 
 Then see that there's no WWW-Authenticate header telling which authentication
 method to use:
 
 $ wget -S http://localhost:`/usr/lib/desktopcouch/desktopcouch-get-port`/util/; -O -
 --2010-10-14 04:01:37--  http://localhost:42837/util/
 Resolving localhost... ::1, 127.0.0.1
 Connecting to localhost|::1|:42837... failed: Connection refused.
 Connecting to localhost|127.0.0.1|:42837... connected.
 HTTP request sent, awaiting response... 
   HTTP/1.0 401 Unauthorized
   Server: CouchDB/0.11.0 (Erlang OTP/R14B)
   Date: Thu, 14 Oct 2010 08:01:37 GMT
   Content-Type: text/plain;charset=utf-8
   Content-Length: 61
   Connection: Keep-Alive
   Cache-Control: must-revalidate
 Authorization failed.
 zsh: exit 6 wget -S http://localhost:`/usr/lib/desktopcouch/desktopcouch-get-port`/util/
 
 
 Here's what it looks like in a few clients:
 
 Chromium: warning message about possible trickery, then unauthorized
 
 IceWeasel: warning message about no authorization requested by server, then
 unauthorized
 
 curl: fails unless you pass --basic
 
 wget: fails unless you pass --auth-no-challenge
 
 Midori: fails because it only tries IPv6. But if you use 127.0.0.1 instead of
 localhost, it says unauthorized.
 
 
 I'm pretty sure all it would take to fix this is to get desktopcouch to send
 the WWW-Authentication: Basic [...] header
 
 
 Thank you all,   - Jason

-- 
 . ''`.   Debian developer | http://wiki.debian.org/DavidPaleino
 : :'  : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'`  GPG: 1392B174 | http://deb.li/dapal
   `-   2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174




Bug#600169: couchdb missing WWW-Authentication HTTP header

2010-10-14 Thread Jason Woofenden
On 2010-10-14 12:32PM, David Paleino wrote:
 Seems like a couchdb bug.

Huh, seems you're right! It took me a minute to find a URL on my
regular couchdb (on port 5984) that required authorization, but I
found a good one, and here's evidence that there's no
WWW-Authentication HTTP header there either:

$ wget -S http://localhost:5984/_active_tasks -O - -q 
  HTTP/1.0 401 Unauthorized
  Server: CouchDB/0.11.0 (Erlang OTP/R14B)
  Date: Thu, 14 Oct 2010 12:42:15 GMT
  Content-Type: text/plain;charset=utf-8
  Content-Length: 64
  Connection: Keep-Alive
  Cache-Control: must-revalidate

$ wget -S http://secret:sec...@localhost:5984/_active_tasks -O - -q
  HTTP/1.0 401 Unauthorized
  Server: CouchDB/0.11.0 (Erlang OTP/R14B)
  Date: Thu, 14 Oct 2010 12:42:23 GMT
  Content-Type: text/plain;charset=utf-8
  Content-Length: 64
  Connection: Keep-Alive
  Cache-Control: must-revalidate

$ wget --auth-no-challenge -S http://secret:sec...@localhost:5984/_active_tasks -O - -q
  HTTP/1.0 200 OK
  Server: CouchDB/0.11.0 (Erlang OTP/R14B)
  Date: Thu, 14 Oct 2010 12:42:40 GMT
  Content-Type: text/plain;charset=utf-8
  Content-Length: 3
  Connection: Keep-Alive
  Cache-Control: must-revalidate
[]


Note: the --auth-no-challenge flag for wget forces it to use
Basic authentication.

Note2: The [] at the end there is the file content from the
_active_tasks url


Thank you,   - Jason
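
The check both messages above do by eye on `wget -S` output (a 401 that carries no `WWW-Authenticate` challenge), written as an added shell example that is not part of the original thread. The function names and sample header text are constructed for illustration, and the realm value is made up.

```shell
#!/bin/sh
# Added example, not from the thread. HTTP requires a 401 response to carry a
# WWW-Authenticate challenge; this audits captured headers for 401s without one.
# Input: header text as printed by `wget -S` or `curl -sI`, on stdin.
# Exit status is 1 if any 401 response has no challenge, otherwise 0.
check_401_challenge() {
    awk '
        # Report the response collected so far, then reset for the next one.
        function report() {
            if (status == 401) {
                if (schemes == "") { print "401 without challenge"; bad = 1 }
                else print "401 with challenge:" schemes
            }
            status = 0; schemes = ""
        }
        {
            sub(/\r$/, "")       # tolerate CRLF line endings
            sub(/^[ \t]+/, "")   # wget -S indents header lines
        }
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { report(); status = $2 + 0; next }
        status && tolower($0) ~ /^www-authenticate:/ {
            sub(/^[^:]*:[ \t]*/, "")   # drop the field name, keep the value
            schemes = schemes " " $1   # first token is the auth scheme
        }
        END { report(); exit bad + 0 }
    '
}

# Constructed sample modelled on the CouchDB 0.11.0 headers quoted above.
sample_missing() {
    cat <<'EOF'
  HTTP/1.0 401 Unauthorized
  Server: CouchDB/0.11.0 (Erlang OTP/R14B)
  Content-Length: 64
EOF
}

# Constructed sample: same response plus a Basic challenge (realm is made up).
sample_fixed() {
    cat <<'EOF'
  HTTP/1.0 401 Unauthorized
  Server: CouchDB/0.11.0 (Erlang OTP/R14B)
  WWW-Authenticate: Basic realm="example"
  Content-Length: 64
EOF
}

sample_missing | check_401_challenge || echo "=> no scheme for a client to pick"
sample_fixed | check_401_challenge
```

Live headers can be piped in the same way, since `wget -S` writes them to stderr: `wget -S URL -O /dev/null 2>&1 | check_401_challenge`.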


