couchdb-user mailing list archives

From Jens Alfke <>
Subject /_session doesn't respond correctly to missing authorization
Date Fri, 11 Nov 2011 00:46:02 GMT
CouchDB’s _session endpoint is violating the HTTP 1.1 spec in the way it responds when not
given a valid username/password.

Here’s what RFC 2616 says:
> 10.4.2 401 Unauthorized
> The request requires user authentication. The response MUST include a WWW-Authenticate
> header field (section 14.47) containing a challenge applicable to the requested resource.

Note the “MUST”. Here’s what CouchDB does when there’s no Authorization header in
the request:
> $ curl -i -X POST http://localhost:5984/_session
> HTTP/1.1 401 Unauthorized
> Set-Cookie: AuthSession=; Version=1; Path=/; HttpOnly
> Server: CouchDB/1.2.0a-b11df55-git (Erlang OTP/R14B01)
> Date: Fri, 11 Nov 2011 00:36:22 GMT
> Content-Type: text/plain;charset=utf-8
> Content-Length: 67
> Cache-Control: must-revalidate
> {"error":"unauthorized","reason":"Name or password is incorrect."}

No "WWW-Authenticate" header. :(

Why is this bad? It’s preventing Cocoa’s NSURLConnection class (on Mac and iOS) from treating
this as a valid authentication challenge, so it doesn’t ask the delegate to provide the
username/password. This is preventing me from being able to authenticate successfully using
this API. (No, manually adding an Authorization: header doesn’t work. I believe NSURLConnection
removes these from the input since it manages authorization itself.)
