So, the CouchDB replicator works with HTTP authentication already. Since we have no restrictions on reader access, we only have to worry about two cases: local target and remote target.
Local Target: specify credentials in the POST to replicate. Either of the following works:
curl -X POST http://admin:mysecretpassword@localhost:5984/_replicate
curl -X POST http://localhost:5984/_replicate -H "Authorization:Basic YWRtaW46bXlzZWNyZXRwYXNzd29yZA=="
Remote Target: specify credentials in the JSON body. This works in trunk:
This works if you convert the header value in couch_httpd_misc_handlers:handle_replicate_req using ?b2l:
One thing we could do is format a nice 401 response if the replicator fails because of missing credentials. Currently the replicator crashes when update_docs fails, and no response is sent to the client. In the local target case returning a 401 is a no-brainer.
In the remote target case it's a little weird because the credentials need to be sent in the JSON body. One idea might be to set realm="target" in the response. CouchDB-aware clients would know that means the credentials need to go in the body, not the URL or headers.
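
How a CouchDB-aware client could act on the proposed realm="target" convention, as an added sketch that is not CouchDB code. The realm value is only the proposal above; the function names, the "CouchDB" realm and example.org are made up for illustration, and placing the credential in a "headers" object on the target is an assumption about the body format, which this note does not show.

```python
import base64
import copy
import re

def basic_auth(user, password):
    """Build a Basic credential. It is base64, not encryption, so use TLS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def parse_realm(www_authenticate):
    """Return the realm of a WWW-Authenticate header value, or None."""
    m = re.search(r'realm="([^"]*)"', www_authenticate or "", re.I)
    return m.group(1) if m else None

def retry_with_credentials(status, www_authenticate, headers, body, user, password):
    """Return (headers, body) for the retry after a 401, else None.

    realm="target" (the proposal above): the remote target rejected the
    replicator, so the credential goes into the JSON body.
    Any other realm: the local server rejected us, so it goes in the
    request's own Authorization header.
    """
    if status != 401:
        return None
    headers, body = dict(headers), copy.deepcopy(body)
    cred = basic_auth(user, password)
    if parse_realm(www_authenticate) == "target":
        target = body["target"]
        if isinstance(target, str):          # bare URL -> object form (assumed)
            target = {"url": target}
        target.setdefault("headers", {})["Authorization"] = cred
        body["target"] = target
    else:
        headers["Authorization"] = cred
    return headers, body

if __name__ == "__main__":
    # Constructed request and responses, for illustration only.
    req = {"source": "db", "target": "https://example.org/db"}
    print(retry_with_credentials(401, 'Basic realm="CouchDB"', {}, req,
                                 "admin", "mysecretpassword"))
    print(retry_with_credentials(401, 'Basic realm="target"', {}, req,
                                 "admin", "mysecretpassword"))
```

Keeping the two cases apart means the remote target's password is never sent as the local server's Authorization header, and the local admin password is never embedded in a replication document.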