incubator-couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: passwords
Date Tue, 23 Apr 2013 14:18:23 GMT
All pushed now, I even added a test (to users_db.js, it was closest).

On 23 April 2013 15:00, Mike West <mw@data.io> wrote:
> +1 as a security feature, not a bug.
>
> Mike
>
>
> On Tue, Apr 23, 2013 at 9:26 AM, Robert Newson <rnewson@apache.org> wrote:
>
>> svilen,
>>
>> I don't think that's considered a bug, though. Admins can delete
>> users, users can't delete themselves. We can certainly debate that,
>> but I think our position is that this is intentional.
>>
>> I'm also backporting the configure.ac fix as it makes it hard to run my
>> tests.
>>
>> B.
>>
>> On 23 April 2013 14:19, svilen <az@svilendobrev.com> wrote:
>> > the one of user unable to DELETE itself, from the other day..
>> > don't know if it has been fixed or not.
>> >
>> > On Tue, 23 Apr 2013 14:14:23 +0100
>> > Noah Slater <nslater@apache.org> wrote:
>> >
>> >> Any other bugs while we're at it. I'll be sending out a formal request
>> >> tonight for people to do merges. But may as well mention it now.
>> >>
>> >>
>> >> On 23 April 2013 14:11, Robert Newson <rnewson@apache.org> wrote:
>> >>
>> >> > good thought.
>> >> >
>> >> > On 23 April 2013 14:07, Noah Slater <nslater@apache.org> wrote:
>> >> > > Can we put this into one or more of the bugfixes branches?
>> >> > >
>> >> > >
>> >> > > On 23 April 2013 14:02, Robert Newson <rnewson@apache.org> wrote:
>> >> > >
>> >> > >> I believe the fix for this is 5d4ef930 which is on master (which
>> >> > >> will be 1.4) only.
>> >> > >>
>> >> > >> specifically;
>> >> > >>
>> >> > >> -        [Name, Pass] = re:split(NamePass, ":", [{return,
>> >> > >> list}]),
>> >> > >> +        [Name, Pass] = re:split(NamePass, ":", [{return,
list},
>> >> > >> {parts, 2}]),
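Review bot: on the `+` line, `[Name, Pass] = re:split(...)` is still a hard two-element match, so `{parts, 2}` only covers credentials with extra colons; a decoded value with no `:` at all yields a one-element list and the match fails. Consider matching the result in a `case` and treating any other shape as a failed authentication, and add a regression test for a password that contains `:` and one that starts with `:` (the "b:@" and ":pwd" cases reported in this thread).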
>> >> > >>
>> >> > >> B.
>> >> > >>
>> >> > >>
>> >> > >>
>> >> > >>
>> >> > >> On 23 April 2013 13:59, Robert Newson <rnewson@apache.org> wrote:
>> >> > >> > Ah, that's a great distinction, rings a bell!
>> >> > >> >
>> >> > >> > On 23 April 2013 13:39, Dave Cottlehuber <dch@jsonified.com> wrote:
>> >> > >> >> On 23 April 2013 13:15, svilen <az@svilendobrev.com> wrote:
>> >> > >> >>> g'day
>> >> > >> >>>
>> >> > >> >>> i am trying to set a user with a password that is not just alphanumeric.
>> >> > >> >>> e.g. "b:@" (or if uri-encoded, b%3A%40)
>> >> > >> >>>
>> >> > >> >>> but the result of getting the /_users/ doc is always 401-unauthorized.
>> >> > >> >>>
>> >> > >> >>> if i login in Futon, it seems to work.
>> >> > >> >>> when i compute the password_sha myself and compare to what's in user/doc,
>> >> > >> >>> it matches.
>> >> > >> >>>
>> >> > >> >>> but http via basic authentication won't let me in.
>> >> > >> >>> e.g.
>> >> > >> >>> curl -vX GET http://auser:b%3A%40@server:5984/_users/org.couchdb.user%3Aauser
>> >> > >> >>>
>> >> > >> >>> (seems the subject is very tricky and rarely paid attention
>> >> > >> >>> to in various http libraries i looked at recently. Everyone
>> >> > >> >>> just lumps the usr+":"+psw and uri-encoding/decoding is left
>> >> > >> >>> out..)
>> >> > >> >>
>> >> > >> >> Hi Svilen,
>> >> > >> >>
>> >> > >> >> From curl, you can:
>> >> > >> >>
>> >> > >> >> curl -vX GET $COUCH -u tricky:p@sswd
>> >> > >> >>
>> >> > >> >> and leaving off the password field allows you to enter it
>> >> > >> >> manually or even echo ':p@sswd' | curl …
>> >> > >> >>
>> >> > >> >> or if you're POSTing I think you can also use this:
>> >> > >> >> http://curl.haxx.se/docs/manpage.html#--data-urlencode
>> >> > >> >>
>> >> > >> >> curl -d name=john --data-urlencode 'passwd=@31&3*J' https://www.mysite.com
>> >> > >> >>
>> >> > >> >> Anyway AFAICT there's a bug in CouchDB if the password starts with a `:`
>> >> > >> >>
>> >> > >> >> COUCH=http://admin:pwd@localhost:5984
>> >> > >> >>
>> >> > >> >> curl -HContent-Type:application/json \
>> >> > >> >>   -vXPUT $COUCH/_users/org.couchdb.user:mrtricky \
>> >> > >> >>   --data-binary '{"_id": "org.couchdb.user:mrtricky","name": "mrtricky","roles": [],"type": "user","password": ":pwd"}'
>> >> > >> >>
>> >> > >> >> I would expect that I can subsequently use either curl or httpie.org,
>> >> > >> >> neither of them succeed with -u mrtricky::pwd or -u mrtricky &
>> >> > >> >> getting password from terminal.
>> >> > >> >>
>> >> > >> >> A+
>> >> > >> >> Dave
>> >> > >>
>> >> > >
>> >> > >
>> >> > >
>> >> > > --
>> >> > > NS
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> NS
>>
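
The parsing difference behind the quoted fix, as an added example that is not part of the original thread and not CouchDB's own code: a Python model of Basic credential parsing that compares splitting on every colon with splitting on the first colon only (the effect of `{parts, 2}`). All function names are hypothetical; the sample credentials are the ones quoted in the thread.

```python
import base64

def basic_header(user, password):
    """Client side: build an Authorization header value (RFC 7617)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def _decode(header):
    """Return the decoded "user:pass" string, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None

def parse_every_colon(header):
    """Model of the '-' line: split on every ':' and demand two parts."""
    name_pass = _decode(header)
    if name_pass is None:
        return None
    parts = name_pass.split(":")
    return tuple(parts) if len(parts) == 2 else None  # None = reject (401)

def parse_first_colon(header):
    """Model of the '+' line: split on the first ':' only ({parts, 2})."""
    name_pass = _decode(header)
    if name_pass is None:
        return None
    name, sep, password = name_pass.partition(":")
    return (name, password) if sep else None  # no colon at all: reject

# Credentials quoted in the thread (user, password).
SAMPLES = [("tricky", "p@sswd"), ("auser", "b:@"), ("mrtricky", ":pwd")]

def compare():
    """Return (user, old_parse_ok, new_parse_ok) for each sample."""
    rows = []
    for user, pw in SAMPLES:
        hdr = basic_header(user, pw)
        rows.append((user, parse_every_colon(hdr) == (user, pw),
                     parse_first_colon(hdr) == (user, pw)))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```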
