Authenticating with CouchCocoa

David Venable

Dec 2, 2011, 1:26:38 PM
to Mobile Couchbase
I have tried to authenticate with CouchDB using RESTResource's
setCredential message. To clarify, I am authenticating against a
CouchDB 1.1 instance (not CouchbaseMobile).

The following is what I have tried. I have also experimented with
changing the NSURLCredentialPersistence, but nothing has worked.

CouchServer *server = [[CouchServer alloc] initWithURL:serverURL];
[server setCredential:[NSURLCredential credentialWithUser:@"admin"
                                                 password:@"secret"
                                              persistence:NSURLCredentialPersistenceNone]];

The only way I have been able to authenticate is to use the REST APIs
(e.g. RESTResource, RESTOperation) directly and add the Basic
Authorization header to the RESTOperations before starting them.

RESTOperation *getUserDocument = [userDocumentResource GET];
// This is a custom ObjC extension for adding the Basic Authorization
[getUserDocument setAuthorizationUsername:@"admin" password:@"secret"];
[[getUserDocument start] wait];

Obviously this means I can't use the Couch APIs (e.g. CouchDocument,
CouchQuery, etc.) which are what I want to use.

Does the NSURLCredential work against CouchDB? Is there a specific way
to configure CouchDB to work with CouchCocoa?

Thanks.
David

Foosh

Jan 14, 2012, 12:16:14 PM
to mobile-c...@googlegroups.com
Did you ever get this to work? I'm having the same issue. I want to run the following code to use a remote server while debugging. 

server = [[CouchEmbeddedServer alloc] initWithURL: [NSURL URLWithString: USE_REMOTE_SERVER_FOR_DEBUGGING]];

NSURLCredential* credentials = [NSURLCredential credentialWithUser:@"admin"
                                                          password:@"admin"
                                                       persistence:NSURLCredentialPersistenceNone];

[server setCredential:credentials];



But I keep getting this error


Couldn't create database: Error Domain=CouchDB Code=401 "unauthorized: You are not a server admin." UserInfo=0xc633780 {NSLocalizedDescription=unauthorized: You are not a server admin., NSUnderlyingError=0xc62cb30 "401 unauthorized", NSLocalizedFailureReason=unauthorized}

Jens Alfke

Jan 14, 2012, 2:13:24 PM
to mobile-c...@googlegroups.com

On Jan 14, 2012, at 9:16 AM, Foosh wrote:

> [server setCredential:credentials];
>
> But I keep getting this error
>
> Couldn't create database: Error Domain=CouchDB Code=401 "unauthorized: You are not a server admin."

This is an issue with CouchDB — it’s not behaving correctly according to the HTTP spec. When it returns the 401 Unauthorized status, it’s supposed to also send a “WWW-Authenticate:” header describing what form of auth the client can use to try again. But it doesn’t. Without that header, the client (NSURLConnection in this case) treats the 401 as fatal and gives up without asking CouchCocoa for credentials.

According to CouchDB developers, this was deliberately done so that Futon and CouchApps don’t cause a browser HTTP auth panel to pop up, because “the popup dialog cannot be controlled or styled, and the browser's rendering is considered unacceptable.” So they broke compatibility and native-app access to make CouchApp UIs prettier. :-p

The workaround is to uncomment the following line in the server's ‘default.ini’ configuration file, or to make the corresponding change in the “[httpd]” section via Futon’s config UI:

; Uncomment next line to trigger basic-auth popup on unauthorized requests.
;WWW-Authenticate = Basic realm="administrator"

I’m sorry I haven’t documented this. I should at least add to the doc-comment in RESTResource, and maybe also add a wiki page.

—Jens

Foosh

Jan 14, 2012, 4:59:02 PM
to mobile-c...@googlegroups.com
This worked great! Thanks for the help!

Bill

Pulkit Singhal

Feb 28, 2012, 7:42:38 AM
to Mobile Couchbase
@Foosh
Were you hosting your own CouchDB or were you hosting it on IrisCouch?
I ask because I host mine on IrisCouch.com and I don't know how to set/uncomment the WWW-Authenticate setting via mydomain.iriscouch.com/_utils/ ... so I was hoping maybe you could tell me ... if you knew? :)
Thanks!
- Pulkit

Jens Alfke

Feb 28, 2012, 12:59:26 PM
to mobile-c...@googlegroups.com
On Feb 28, 2012, at 4:42 AM, Pulkit Singhal wrote:

> I ask because I host mine on IrisCouch.com and I don't know how to set/uncomment the WWW-Authenticate setting via mydomain.iriscouch.com/_utils/ …

You can use the web config interface:

* Log into your account
* Click “Configuration” in the sidebar
* Click “Add a new section” [sic] at the bottom
* Fill in:
    section: httpd
    option: WWW-Authenticate
    value: Basic realm="administrator"

—Jens

Fritz Anderson

Feb 29, 2012, 3:05:40 PM
to mobile-c...@googlegroups.com
On Saturday, January 14, 2012 1:13:24 PM UTC-6, Jens Alfke wrote:
> The workaround is to uncomment the following line in the server's ‘default.ini’ configuration file, or to make the corresponding change in the “[httpd]” section via Futon’s config UI:
> ; Uncomment next line to trigger basic-auth popup on unauthorized requests.
> ;WWW-Authenticate = Basic realm="administrator"
> I’m sorry I haven’t documented this. I should at least add to the doc-comment in RESTResource, and maybe also add a wiki page.

The need for a workaround is disgraceful, to be sure.

May I repeat Pulkit's question about iriscouch/Futon? I found the misleadingly-named "Add a new section" link at the bottom of the configuration page, and I was able to add httpd/WWW-Authenticate/Basic.

I was not able to set a realm key. When I tried, Futon told me it was read-only. I could not find the key anywhere in the page. Was I supposed to put both assignments on the one line?

    — F


Jens Alfke

Feb 29, 2012, 3:51:46 PM
to mobile-c...@googlegroups.com

On Feb 29, 2012, at 12:05 PM, Fritz Anderson wrote:

> I was not able to set a realm key. When I tried, Futon told me it was read-only. I could not find the key anywhere in the page. Was I supposed to put both assignments on the one line?

Yes. The value of the WWW-Authenticate property is the HTTP header value to return, which is literally
	Basic realm="administrator"
(well, without the leading tab)

—Jens

J. Chris Anderson

Apr 9, 2012, 6:39:27 PM
to mobile-c...@googlegroups.com
Hi,

I've just posted a "fix" for this given that a lot of CouchDB users won't want to edit their default config.

Instead of going through the credentials challenge round trip, now, instead, thanks to my commit[1], it will send the basic auth headers anytime you are working with a URL of the form http://username:password@host/path

Please try this out and let us know if this causes any unexpected behavior.

Chris
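
The two behaviours discussed in this thread, as an added example that is not code from CouchCocoa or from any poster: a challenge-driven client gets nowhere when a 401 arrives without a WWW-Authenticate header (Jens's explanation), while a client that builds the Basic header from a http://username:password@host/path URL up front succeeds either way (Chris's change). Python's urllib stands in for NSURLConnection and a local toy server stands in for CouchDB; all function names and the admin/secret credentials are constructed for the demo.

```python
import base64, http.server, threading, urllib.error, urllib.parse, urllib.request

USER, PASSWORD = "admin", "secret"  # constructed sample credentials

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def make_server(send_challenge):  # toy CouchDB; flag mimics [httpd] WWW-Authenticate
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.headers.get("Authorization") == basic(USER, PASSWORD)
            self.send_response(200 if ok else 401)
            if not ok and send_challenge:
                self.send_header("WWW-Authenticate", 'Basic realm="administrator"')
            self.end_headers()
        def log_message(self, *args): pass  # keep the demo quiet
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def status(request, *handlers):
    no_proxy = urllib.request.ProxyHandler({})  # loopback must bypass any proxy
    opener = urllib.request.build_opener(no_proxy, *handlers)
    try:
        with opener.open(request, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def get_challenged(url):
    """Credential is held back until a 401 names an auth scheme (the setCredential path)."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, USER, PASSWORD)
    return status(url, urllib.request.HTTPBasicAuthHandler(mgr))

def get_preemptive(url):
    """Authorization header built up front from http://username:password@host/path."""
    u = urllib.parse.urlsplit(url)
    clean = f"{u.scheme}://{u.netloc.rpartition('@')[2]}{u.path}"  # URL minus userinfo
    auth = {"Authorization": basic(u.username, u.password)}
    return status(urllib.request.Request(clean, headers=auth))

def probe(send_challenge):
    server = make_server(send_challenge)
    base = f"127.0.0.1:{server.server_address[1]}/db"
    result = get_challenged("http://" + base), get_preemptive(f"http://{USER}:{PASSWORD}@{base}")
    server.shutdown()
    return result

if __name__ == "__main__":
    print("no challenge:", probe(False), "| with challenge:", probe(True))
```

Each tuple is (challenge-driven status, preemptive status). The preemptive form puts the base64-encoded password on every request, so it belongs on an https URL.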
