CouchDB / COUCHDB-969

Basic Auth fails when : is present in password

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.1
    • Fix Version/s: 1.0.3, 1.1
    • Component/s: HTTP Interface
    • Labels:
      None

      Description

      To reproduce:

      1. Create a new user "testfunkychars" with password "12:12"
      2. Logging in as this user in futon works, and will show up as "testfunkychars" in the userCtx in a validate_doc_update function.
      3. Presenting a header of "Authorization: Basic dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=" does not work, and shows up as "null" in userCtx.

      According to RFC 2617, the proper way to supply a Basic authorization header is:

      Authorization: Basic [basic-credentials]

      where [basic-credentials] is the base64 of userid + ":" + pass, where userid is *<TEXT except ":"> and pass is *<TEXT>.

      Thus, the proper way to construct this header is:

      echo -n "testfunkychars:12:12" | base64

      which outputs: dGVzdGZ1bmt5Y2hhcnM6MTI6MTI=.

      The only way to log in, however, is to POST the data to /_session, and then supply the cookie.

      For now, rather than add the complexity of cookie and session management to my application, I will simply not allow : characters in passwords. It would be better if couchdb handled : characters in passwords.
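
The RFC 2617 rule quoted in the report, shown as an added example (not code from the report or from CouchDB): the header is built from userid + ":" + pass and parsed by splitting on the first colon only. `parse_split_every_colon` is a hypothetical faulty parser illustrating one way a password containing ":" can be rejected; the report does not say how CouchDB parsed the header.

```python
import base64
import binascii


def make_basic_header(userid, password):
    """Client side: build the Authorization header value."""
    if ":" in userid:
        raise ValueError("userid must not contain ':' (RFC 2617)")
    raw = f"{userid}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _decode(header_value):
    """Return the decoded 'userid:password' string, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_basic_auth(header_value):
    """Server side: split on the FIRST colon only, so the password keeps its colons."""
    decoded = _decode(header_value)
    if decoded is None or ":" not in decoded:
        return None
    userid, _, password = decoded.partition(":")
    return userid, password


def parse_split_every_colon(header_value):
    """Hypothetical faulty parser (not CouchDB's code): expects exactly two fields."""
    decoded = _decode(header_value)
    fields = decoded.split(":") if decoded is not None else []
    return tuple(fields) if len(fields) == 2 else None


if __name__ == "__main__":
    # Credentials taken from the report's reproduction steps.
    header = make_basic_header("testfunkychars", "12:12")
    print(header)
    print(parse_basic_auth(header))         # userid and full password recovered
    print(parse_split_every_colon(header))  # rejected: three fields after splitting
```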


          People

          • Assignee: Robert Newson
          • Reporter: Isaac Z. Schlueter
