incubator-couchdb-user mailing list archives

From svilen ...@svilendobrev.com>
Subject Re: passwords
Date Tue, 23 Apr 2013 12:52:12 GMT
yeah, it fails if password starts or ends (or equals) ':'

probably because of that same function - basic_name_pw

funny how i manage to step on these..

so i'll have to forbid having ':' in userid, and in password... as
workaround.

ciao
svilen

On Tue, 23 Apr 2013 14:39:43 +0200
Dave Cottlehuber <dch@jsonified.com> wrote:

> On 23 April 2013 13:15, svilen <az@svilendobrev.com> wrote:
> > g'day
> >
> > i am trying to set a user with a password that is not just
> > alphanumeric. e.g. "b:@" (or if uri-encoded, b%3A%40)
> >
> > but the result of getting the /_users/ doc is always
> > 401-unauthorized.
> >
> > if i login in Futon, it seems to work.
> > when i compute the password_sha myself and compare to what's in
> > user/doc, it matches.
> >
> > but http via basic authentication won't let me in.
> > e.g.
> > curl -vX GET \
> >   http://auser:b%3A%40@server:5984/_users/org.couchdb.user%3Aauser
> >
> > (seems the subject is very tricky and rarely paid attention to in
> > various http libraries i looked recently. Everyone just lumps the
> > usr+":"+psw and uri-encoding/decoding is left out..)
> 
> Hi Svilen,
> 
> From curl, you can:
> 
> curl -vX GET $COUCH -u tricky:p@sswd
> 
> and leaving off the password field allows you to enter it manually or
> even echo ':p@sswd' | curl …
> 
> or if you're POSTing I think you can also use this:
> http://curl.haxx.se/docs/manpage.html#--data-urlencode
> 
> curl -d name=john --data-urlencode 'passwd=@31&3*J' \
>   https://www.mysite.com
> 
> Anyway AFAICT there's a bug in CouchDB if the password starts with a
> `:`
> 
> COUCH=http://admin:pwd@localhost:5984
> 
> curl -HContent-Type:application/json \
>   -vXPUT $COUCH/_users/org.couchdb.user:mrtricky \
>   --data-binary '{"_id": "org.couchdb.user:mrtricky","name":
> "mrtricky","roles": [],"type": "user","password": ":pwd"}'
> 
> I would expect that I can subsequently use either curl or httpie.org,
> neither of them succeed with -u mrtricky::pwd or -u mrtricky & getting
> password from terminal.
> 
> A+
> Dave
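
Added example, not part of the original thread and not CouchDB's code: a Basic-auth header parser that splits the decoded credentials on the first ':' only (RFC 7617 forbids ':' in the user-id but allows it in the password), next to a hypothetical tokenizing parser that drops empty fields. That the tokenizing behaviour is what `basic_name_pw` does is an assumption; the function names and sample credentials are constructed for illustration.

```python
import base64

def basic_header(user, password):
    """Client side: build the header value as base64(user ":" password)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def _decode(header):
    """Return the decoded "user:password" string, or None if malformed."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def parse_tokenizing(header):
    """Hypothetical fragile parser: tokenize on ':' and drop empty fields."""
    decoded = _decode(header)
    if decoded is None:
        return None
    parts = [p for p in decoded.split(":") if p]
    return tuple(parts) if len(parts) == 2 else None

def parse_first_colon(header):
    """Split on the first ':' only; the rest, colons included, is the password."""
    decoded = _decode(header)
    if decoded is None:
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

# Constructed credentials modelled on the cases in this thread.
CASES = [("tricky", "p@sswd"), ("auser", "b:@"), ("mrtricky", ":pwd"),
         ("mrtricky", "pwd:"), ("mrtricky", ":")]

def compare():
    """Return (sent, tokenizing result, first-colon result) for each case."""
    return [(c, parse_tokenizing(basic_header(*c)), parse_first_colon(basic_header(*c)))
            for c in CASES]

if __name__ == "__main__":
    for sent, fragile, robust in compare():
        print(f"{sent!r:22} tokenizing={fragile!r:22} first-colon={robust!r}")
```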
