couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Isaac Z. Schlueter (JIRA)" <>
Subject [jira] Commented: (COUCHDB-969) Basic Auth fails when : is present in password
Date Sun, 28 Nov 2010 22:31:37 GMT


Isaac Z. Schlueter commented on COUCHDB-969:

More data:

I tried sending this header via curl using -H "Authorization: Basic <hash>", as well
as -u "testfunkychars:12:12" and watched with a packet sniffer to see what headers were actually
being sent.

> Basic Auth fails when : is present in password
> ----------------------------------------------
>                 Key: COUCHDB-969
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>    Affects Versions: 1.0.1
>            Reporter: Isaac Z. Schlueter
> To reproduce:
> 1. Create a new user "testfunkychars" with password "12:12"
> 2. Logging in as this user in futon works, and will show up as "testfunkychars" in the
userCtx in a validate_doc_update function.
> 3. Presenting a header of "Authorization: Basic dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=" does not
work, and shows up as "null" in userCtx.
> According to the RFC 2617, the proper way to supply a Basic authorization header is:
> Authorization: Basic [basic-credentials]
> where [basic-credentials] is the base64 of userid + ":" + pass, where userid is *<TEXT
except ":"> and pass is *<TEXT>.
> Thus, the proper way to construct this header is:
> echo -n "testfunkychars:12:12" | base64
> which outputs: dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=.
> The only way to log in, however, is to POST the data to /_session, and then supply the
> For now, rather than add the complexity of cookie and session management to my application,
I will simply not allow : characters in passwords.  It would be better if couchdb handled
: characters in passwords.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message