Sync Gateway POST _session, password is not checked


Andrew Tokarev

Jan 21, 2015, 11:57:59 AM1/21/15
to mobile-c...@googlegroups.com

Hi Guys,

Is it correct that the password is not checked by Sync Gateway on custom session creation? The documentation here says that we have to provide a name and password, but

curl -X POST http://localhost:4985/gw/_session -H "Content-Type:application/json" -d '{"name":"andrew"}'

gives me a valid session without any password; it works with a wrong password too:

{"session_id":"b09b4992ea0dcf648c3126bafda837d1506fd716","expires":"2015-01-22T17:46:54.112484407+01:00","cookie_name":"SyncGatewaySession"}

the user was created like this:

curl -X POST localhost:4985/gw/_user/ -H "Content-Type:application/json" -d '{"name":"andrew", "password":"secret"}'

and this complains if I try to create a user w/o a password at all.

--

P.S. I have the latest build from the source code, master branch. Pretty standard configuration w/o guest users.

ajres

Jan 21, 2015, 12:10:27 PM1/21/15
to mobile-c...@googlegroups.com
You're making the call on that ADMIN port (4985), so the password is ignored.

If you make the call on the standard user port (4984) then you should be required to supply a password.

Andy

Andrew Tokarev

Jan 21, 2015, 11:56:06 PM1/21/15
to mobile-c...@googlegroups.com

Jens Alfke

Jan 22, 2015, 1:41:34 AM1/22/15
to mobile-c...@googlegroups.com

On Jan 21, 2015, at 8:56 PM, Andrew Tokarev <andy.t...@gmail.com> wrote:

I was probably confused because the _session API is only described for the Admin REST API:

I'm sorry, the REST API docs aren't in very good shape. :(
There is a brief mention of _session in the non-admin API, but it's in the wrong place. We need to fix that.

—Jens

atom992

Apr 20, 2015, 4:56:23 AM4/20/15
to mobile-c...@googlegroups.com
Hi, can I auth a user on 4984 with a specified expiry time in the message body?
I tried to set the expiry time by adding ttl to the message body, but it doesn't work.
I want to auth the user and set the expiry time to a specified value.

ajres

Apr 20, 2015, 5:20:31 AM4/20/15
to mobile-c...@googlegroups.com
@atom992

You can only provide a custom ttl via the ADMIN API on port 4985

atom992

Apr 20, 2015, 6:07:37 AM4/20/15
to mobile-c...@googlegroups.com
How can I change the default expiry time when I use port 4984?

Jens Alfke

Apr 20, 2015, 11:33:02 AM4/20/15
to mobile-c...@googlegroups.com

On Apr 20, 2015, at 3:07 AM, atom992 <yangzi...@gmail.com> wrote:

How can I change the default expiry time when I use port 4984?

You can’t do admin-type stuff on that port, because it’s public. Can you explain why you need to use that port and not the admin port?

—Jens

atom992

Apr 20, 2015, 9:51:56 PM4/20/15
to mobile-c...@googlegroups.com
I want to auth users on 4984 with custom auth, not Facebook or Persona auth, and I want to set the expiry time to 3 months, because I want users to not need to re-login within 3 months.
Btw, I don't want to add an extra auth server, because if so I need to sync account info between the auth server and Sync Gateway.

Jens Alfke

Apr 20, 2015, 11:37:18 PM4/20/15
to mobile-c...@googlegroups.com

On Apr 20, 2015, at 6:51 PM, atom992 <yangzi...@gmail.com> wrote:

I want to auth users on 4984 with custom auth, not Facebook or Persona auth, and I want to set the expiry time to 3 months, because I want users to not need to re-login within 3 months.

You can’t do that on port 4984, as we already said.

Btw, I don't want to add an extra auth server, because if so I need to sync account info between the auth server and Sync Gateway.

No, you don’t need to sync account info. You just need to implement an HTTP handler that takes username/password from the request, then uses them with HTTP Basic auth to make some sort of test request on port 4984 (like GET /dbname). If the test request succeeds, it can create a session using /dbname/_session on port 4985 (with your own custom expiration time), and pass the cookie back to the client in a Set-Cookie header.

Alternatively you could build your own copy of Sync Gateway after modifying the value of kDefaultSessionTTL in session_api.go. Or you could file an issue on Github and request that the session TTL be made configurable.

—Jens
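The handler Jens describes, written out as an added example (it is not Sync Gateway's code and not Jens's): a small login proxy that checks the password with HTTP Basic auth against the public port, and only then mints a session with a custom ttl on the admin port and returns the cookie to the client. The port numbers, the database name "gw", GET /gw/ as the test request, and ttl being expressed in seconds are assumptions of this example; the public-port result is the only thing that decides whether the admin port is ever contacted, and clients never see port 4985 or 4985's URL.

```go
// Added example, not part of Sync Gateway: login proxy for the flow in the
// thread. Assumed: public port 4984, admin port 4985, database "gw", ttl in seconds.
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// LoginProxy holds both Sync Gateway base URLs. AdminURL must be reachable
// only from this process; the admin port ignores passwords entirely.
type LoginProxy struct {
	PublicURL string        // e.g. http://localhost:4984
	AdminURL  string        // e.g. http://localhost:4985
	DB        string        // database name, "gw" in the thread
	TTL       time.Duration // desired session lifetime
	Client    *http.Client
}

type loginRequest struct {
	Name     string `json:"name"`
	Password string `json:"password"`
}

// sessionResponse mirrors the /_session reply shown in the first post.
type sessionResponse struct {
	SessionID  string `json:"session_id"`
	Expires    string `json:"expires"`
	CookieName string `json:"cookie_name"`
}

// checkPassword sends GET /<db>/ to the public port with Basic auth. Only a
// 200 proves the password; 401/403 mean invalid; anything else is an error.
func (p *LoginProxy) checkPassword(name, password string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, p.PublicURL+"/"+p.DB+"/", nil)
	if err != nil {
		return false, err
	}
	req.SetBasicAuth(name, password)
	resp, err := p.Client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	}
	return false, fmt.Errorf("public port returned %d", resp.StatusCode)
}

// createSession posts to /<db>/_session on the admin port. As in the first
// post, no password is needed here; ttl (assumed seconds) is the part that
// cannot be set through port 4984.
func (p *LoginProxy) createSession(name string) (*sessionResponse, error) {
	body, _ := json.Marshal(map[string]interface{}{"name": name, "ttl": int(p.TTL.Seconds())})
	resp, err := p.Client.Post(p.AdminURL+"/"+p.DB+"/_session", "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("admin port returned %d", resp.StatusCode)
	}
	var s sessionResponse
	if err := json.NewDecoder(resp.Body).Decode(&s); err != nil || s.SessionID == "" {
		return nil, fmt.Errorf("admin port returned no usable session")
	}
	return &s, nil
}

// ServeHTTP is the client-facing endpoint: POST {"name":..,"password":..}.
func (p *LoginProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var in loginRequest
	if err := json.NewDecoder(io.LimitReader(r.Body, 4096)).Decode(&in); err != nil || in.Name == "" || in.Password == "" {
		http.Error(w, "name and password required", http.StatusBadRequest)
		return
	}
	ok, err := p.checkPassword(in.Name, in.Password)
	if err != nil {
		http.Error(w, "upstream error", http.StatusBadGateway)
		return
	}
	if !ok { // wrong password: the admin port is never contacted
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	s, err := p.createSession(in.Name)
	if err != nil {
		http.Error(w, "upstream error", http.StatusBadGateway)
		return
	}
	expires, _ := time.Parse(time.RFC3339Nano, s.Expires) // zero value => session cookie
	http.SetCookie(w, &http.Cookie{Name: s.CookieName, Value: s.SessionID, Path: "/",
		Expires: expires, HttpOnly: true, Secure: r.TLS != nil})
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	p := &LoginProxy{PublicURL: "http://localhost:4984", AdminURL: "http://localhost:4985",
		DB: "gw", TTL: 90 * 24 * time.Hour, Client: &http.Client{Timeout: 10 * time.Second}}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", p)) // the only port clients talk to
}
```

The client posts its credentials to this proxy instead of to Sync Gateway, receives the SyncGatewaySession cookie, and uses it against port 4984 as usual; the 90-day TTL in main is the "3 months" asked for in the thread.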