CouchDB’s _session endpoint is violating the HTTP 1.1 spec in the way it responds when not given a valid username/password.
Here’s what RFC 2616 says:

> 10.4.2 401 Unauthorized
>
> The request requires user authentication. The response MUST include a
> WWW-Authenticate header field (section 14.47) containing a challenge
> applicable to the requested resource.

Note the “MUST”. Here’s what CouchDB does when there’s no Authorization header in the request:

> $ curl -i -X POST http://localhost:5984/_session
> HTTP/1.1 401 Unauthorized
> Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly
> Server: CouchDB/1.2.0a-b11df55-git (Erlang OTP/R14B01)
> Date: Fri, 11 Nov 2011 00:36:22 GMT
> Content-Type: text/plain;charset=utf-8
> Content-Length: 67
> Cache-Control: must-revalidate
>
> {"error":"unauthorized","reason":"Name or password is incorrect."}

No “WWW-Authenticate” header. :(

Why is this bad? It’s preventing Cocoa’s NSURLConnection class (on Mac and iOS) from treating this as a valid authentication challenge, so it doesn’t ask the delegate to provide the username/password. This is preventing me from being able to authenticate successfully using this API. (No, manually adding an Authorization: header doesn’t work. I believe NSURLConnection removes these from the input since it manages authorization itself.)

—Jens
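The RFC 2616 section 10.4.2 requirement quoted above is easy to check mechanically, which is useful when testing an HTTP API for this class of spec violation. The following is an added example, not code from the post or from the CouchDB project: it parses a raw HTTP/1.1 response and reports whether a 401 carries a usable WWW-Authenticate challenge. The first sample is the CouchDB response quoted in the post, re-encoded with CRLF line endings; the second is a constructed conforming variant whose `Basic realm="couchdb"` challenge is an assumption, not something CouchDB emits.

```python
import re

# Constructed sample: the CouchDB 1.2.0a response quoted in the post, with CRLF line endings.
COUCHDB_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly\r\n"
    b"Server: CouchDB/1.2.0a-b11df55-git (Erlang OTP/R14B01)\r\n"
    b"Date: Fri, 11 Nov 2011 00:36:22 GMT\r\n"
    b"Content-Type: text/plain;charset=utf-8\r\n"
    b"Content-Length: 67\r\n"
    b"Cache-Control: must-revalidate\r\n"
    b"\r\n"
    b'{"error":"unauthorized","reason":"Name or password is incorrect."}\n'
)

# Constructed sample: the same response with a challenge added.
# The realm value is hypothetical; it is not what CouchDB sends.
CONFORMING_RESPONSE = COUCHDB_RESPONSE.replace(
    b"Cache-Control: must-revalidate\r\n",
    b'Cache-Control: must-revalidate\r\nWWW-Authenticate: Basic realm="couchdb"\r\n',
)

# RFC 2616 "token" characters; an auth-scheme is a token.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status code, headers, body).

    Header names are lower-cased; repeated headers are kept as a list so
    multiple WWW-Authenticate lines are all seen.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # "HTTP/1.1 401 Unauthorized"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def check_401_challenge(raw: bytes):
    """Return a list of RFC 2616 section 10.4.2 violations; empty means conforming."""
    status, headers, _ = parse_response(raw)
    if status != 401:
        return []                            # the MUST applies only to 401 responses
    challenges = headers.get("www-authenticate", [])
    if not challenges:
        return ["401 response has no WWW-Authenticate header (RFC 2616 10.4.2)"]
    problems = []
    for challenge in challenges:
        # A challenge must begin with an auth-scheme token (e.g. Basic, Digest);
        # an empty or malformed value gives a client nothing to act on.
        scheme = challenge.split(None, 1)[0] if challenge.strip() else ""
        if not TOKEN.match(scheme):
            problems.append(
                f"WWW-Authenticate value {challenge!r} does not start with an auth-scheme token"
            )
    return problems


if __name__ == "__main__":
    for label, resp in (("couchdb", COUCHDB_RESPONSE), ("conforming", CONFORMING_RESPONSE)):
        print(label, check_401_challenge(resp) or "OK")
```

Run as a script it reports the missing header for the CouchDB sample and `OK` for the conforming one; the same check can be pointed at a live response captured with `curl -i` by reading the bytes from a file.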
