Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.0.1
- None
Description
To reproduce:
1. Create a new user "testfunkychars" with password "12:12"
2. Logging in as this user in Futon works, and the user will show up as "testfunkychars" in the userCtx in a validate_doc_update function.
3. Presenting a header of "Authorization: Basic dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=" does not work, and shows up as "null" in userCtx.
According to RFC 2617, the proper way to supply a Basic authorization header is:
Authorization: Basic [basic-credentials]
where [basic-credentials] is the base64 of userid + ":" + pass, where userid is *<TEXT except ":"> and pass is *<TEXT>.
Thus, the proper way to construct this header is:
echo -n "testfunkychars:12:12" | base64
which outputs: dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=.
The only way to log in, however, is to POST the data to /_session, and then supply the cookie.
For now, rather than add the complexity of cookie and session management to my application, I will simply not allow : characters in passwords. It would be better if CouchDB handled : characters in passwords.
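An added example, not part of the original report and not CouchDB's code: decoding a Basic header according to the RFC 2617 grammar quoted above, splitting on the first colon only so that the password may contain colons. The function names are hypothetical, and the naive variant is included only for contrast; it is not claimed to be what CouchDB did.

```python
import base64
import binascii


def parse_basic_header(value):
    """Return (userid, password) from the value of an Authorization
    header (the part after "Authorization:"), or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 2617: userid is *<TEXT except ":">, password is *<TEXT>,
    # so only the FIRST colon separates the two fields.
    userid, sep, password = decoded.partition(":")
    if not sep:
        return None
    return userid, password


def parse_basic_header_naive(value):
    """Contrast case (hypothetical): splits on every colon and expects
    exactly two fields, so any password containing ':' is rejected."""
    token = value.strip().split(" ", 1)[1]
    parts = base64.b64decode(token).decode("utf-8").split(":")
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def make_basic_header(userid, password):
    """Client side: the userid may not contain ':', the password may."""
    if ":" in userid:
        raise ValueError("userid must not contain ':'")
    raw = f"{userid}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Header value taken from step 3 of the report.
HEADER = "Basic dGVzdGZ1bmt5Y2hhcnM6MTI6MTI="

if __name__ == "__main__":
    print(parse_basic_header(HEADER))        # first-colon split
    print(parse_basic_header_naive(HEADER))  # every-colon split
    print(make_basic_header("testfunkychars", "12:12") == HEADER)
```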