incubator-couchdb-user mailing list archives

From muji <>
Subject require_valid_user and session authentication
Date Wed, 14 Aug 2013 02:17:33 GMT

I am trying to understand how to secure CouchDB with require_valid_user to
prevent anonymous writes.

So far the documentation I have read indicates that I should create a
validate_doc_update function on a per-database basis (I would prefer to
avoid this if possible).

It appears to me that once require_valid_user is set to true, HTTP
authentication in Futon fails and attempting to POST to /_session to
authenticate fails.

The only way to authenticate appears to be by specifying the
username:password in the URL for the request. Is this correct?

I imagine I am doing something wrong, but after setting require_valid_user
to true (and uncommenting the WWW-Authenticate configuration option) I can
no longer authenticate to Futon using valid administrator credentials.

The application code is fine as it is not using a POST to /_session, but
sometimes it is useful to log in to Futon and view the data directly.

If the only way is to write a validate_doc_update function then I imagine
userCtx would be null for anonymous users so I can test against that to
send a forbidden response.

Any insights appreciated...

mischa (aka muji).
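
Added example, not part of the original message and not CouchDB's own code: a validate_doc_update function that rejects anonymous writes, packaged as a design document and exercised locally against constructed userCtx objects. The design document name `_design/auth`, the helper names and the sample contexts are assumptions; the function tests `userCtx.name`, because CouchDB passes anonymous callers a userCtx object whose name is null.

```javascript
// Added example (not from the original post). The function body sticks to
// ES5 because CouchDB stores it as a string and runs it in its query server.
var denyAnonymousWrites = function (newDoc, oldDoc, userCtx, secObj) {
  // An anonymous request still carries a userCtx object; only its name is
  // null. Test the name, not the roles: while no server admin exists
  // ("admin party"), an anonymous caller has name null and roles ["_admin"].
  if (!userCtx || userCtx.name === null || userCtx.name === undefined) {
    throw({ forbidden: 'Anonymous writes are not allowed.' });
  }
};

// Design document that carries the function. The _id "_design/auth" is a
// hypothetical name; the validate_doc_update field name is CouchDB's.
function buildDesignDoc() {
  return {
    _id: '_design/auth',
    validate_doc_update: denyAnonymousWrites.toString()
  };
}

// Local stand-in for the server: rebuild the function from the stored
// string and call it with a constructed userCtx. Returns 'ok' or the key
// of the thrown object ('forbidden').
function simulateWrite(userCtx) {
  var source = buildDesignDoc().validate_doc_update;
  var fn = new Function('return (' + source + ');')();
  try {
    fn({ _id: 'doc1' }, null, userCtx, {});
    return 'ok';
  } catch (err) {
    return Object.keys(err)[0];
  }
}

// Constructed sample contexts, shaped like the userCtx CouchDB passes.
var samples = {
  anonymous: { db: 'mydb', name: null, roles: [] },
  adminParty: { db: 'mydb', name: null, roles: ['_admin'] },
  user: { db: 'mydb', name: 'alice', roles: [] },
  admin: { db: 'mydb', name: 'root', roles: ['_admin'] }
};

Object.keys(samples).forEach(function (k) {
  console.log(k + ': ' + simulateWrite(samples[k]));
});
```

The design document has to be saved into each database it should protect, since validation functions are evaluated per database.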
