Couchbase Lite authentication session expiration problem


#1

Environment:

iOS - Swift
Up-To-Date sync gateway
A web api

In the current system, user authentication is performed by a custom server.
The auth flow is the following:

1- Ask the custom server for three elements: cookie name, session id, expiration date.

2- Set the auth cookie using this command after getting it from the server:
pull.setCookieNamed(cookie_name!, withValue: sessionId!, path: "", expirationDate: expirationDate, secure: false)
push.setCookieNamed(cookie_name!, withValue: sessionId!, path: "", expirationDate: expirationDate, secure: false)

3- Start the continuous replicators.

The problem is the following:

If I run a DELETE request on the session endpoint of the server (to simulate an earlier expiration of a session),

DELETE http://localhost:4985/{database}/_user/{userId}/_session

when I try to make changes on the client side, I'm getting the following warning on the console:

WARNING: CBLRestPusher[http://server:4984/database]: _bulk_docs got an error: {
    error = forbidden;
    id = "thisIsADocumentID";
    reason = "missing channel access";
    status = 403;
} {at __40-[CBLRestPusher uploadBulkDocs:changes:]_block_invoke:402}

That means that even if I destroyed the session for that user on the server, the sync function is still getting hit by the document.

This is the sync function line that is being hit, I think:

if (doc.channels !== undefined) {
    requireAccess(doc.channels);
}

The problem is that this function shouldn't even be hit.

I found this problem while trying to renew user sessions when they expire, but the warning is not being stored as an error in the .lastError property of the replicator, so I can't handle the exception to ask the server for a new cookie.

Is there something I'm doing wrong with the authentication system I'm currently using?
I'm really worried about how users with no valid sessions putting documents could affect the system.


#2

Is guest access enabled in the SG config file?

The best way to determine whether the unauthorized request is being handled is by looking at the SG HTTP logs. On every request line it will show what user (if any) it was authenticated as.
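The following is an added example, not code from this thread or from Couchbase. It is a small simulation of the two Sync Gateway behaviours the answer above points at: whether a request carrying a deleted session cookie is handled as the GUEST user (guest enabled) or rejected before any sync function runs (guest disabled), and the sync function's requireAccess() check that produces the "missing channel access" 403 from the original post. The config shape, session table, user records and document are all constructed for the simulation; the exact all-vs-any semantics of requireAccess are an assumption noted in the code.

```javascript
// Added example: a stand-in for the Sync Gateway request path, not SG's own code.
// Only enough is modelled to show why a write from a deleted session still
// reaches the sync function when guest access is enabled.

const GUEST = 'GUEST';

// Constructed configuration. Mirrors the idea of the "users" block in the SG
// config file, not its exact schema.
function makeConfig(guestEnabled) {
  return {
    guestEnabled,
    users: {
      // A regular user whose channel access was granted through the admin API.
      alice: { channels: new Set(['alice-docs']) },
      // The guest user has no channel access unless the admin grants some.
      [GUEST]: { channels: new Set() },
    },
    // Valid session id -> user name. Deleting a session removes its entry,
    // which is what DELETE .../_user/{userId}/_session does on the server.
    sessions: new Map([['sess-alice-1', 'alice']]),
  };
}

// Resolve the request's session cookie to a user. Returns null when the
// request must be rejected with 401 before any sync function runs.
function authenticate(config, sessionId) {
  const name = config.sessions.get(sessionId);
  if (name) return { name, channels: config.users[name].channels };
  if (config.guestEnabled) return { name: GUEST, channels: config.users[GUEST].channels };
  return null;
}

// Minimal builtin: rejects the doc unless the user can access at least one of
// the listed channels (assumption about the exact semantics; the rejection
// reason string is the one from the replicator warning in the post).
function makeRequireAccess(user) {
  return function requireAccess(channels) {
    const wanted = Array.isArray(channels) ? channels : [channels];
    if (!wanted.some((c) => user.channels.has(c))) {
      throw { forbidden: 'missing channel access' };
    }
  };
}

// The sync function body from the original post, wrapped so requireAccess is
// in scope the way SG exposes it to function(doc, oldDoc).
const SYNC_FN_BODY = `
  if (doc.channels !== undefined) {
    requireAccess(doc.channels);
  }
`;

// Simulate one document of a _bulk_docs push and return the per-document
// status the pusher would receive.
function pushDoc(config, sessionId, doc) {
  const user = authenticate(config, sessionId);
  if (!user) return { id: doc._id, status: 401, error: 'unauthorized' };
  const syncFn = new Function('requireAccess', 'doc', 'oldDoc', SYNC_FN_BODY);
  try {
    syncFn(makeRequireAccess(user), doc, null);
    return { id: doc._id, status: 201, user: user.name };
  } catch (e) {
    if (e && e.forbidden) {
      return { id: doc._id, status: 403, error: 'forbidden', reason: e.forbidden, user: user.name };
    }
    throw e;
  }
}

// Constructed document, shaped like the one in the warning from the post.
const DOC = { _id: 'thisIsADocumentID', channels: ['alice-docs'] };

// Scenario A: guest enabled, session deleted on the server. The request is
// accepted as GUEST, the sync function runs and rejects it with 403.
const guestOn = makeConfig(true);
guestOn.sessions.delete('sess-alice-1');
const resultGuestOn = pushDoc(guestOn, 'sess-alice-1', DOC);

// Scenario B: guest disabled, same deleted session. 401, sync function never runs.
const guestOff = makeConfig(false);
guestOff.sessions.delete('sess-alice-1');
const resultGuestOff = pushDoc(guestOff, 'sess-alice-1', DOC);

// Scenario C: valid session. The write is accepted as alice.
const resultValid = pushDoc(makeConfig(true), 'sess-alice-1', DOC);

console.log(resultGuestOn, resultGuestOff, resultValid);
```

Scenario A is the situation in the original post: the 403 with reason "missing channel access" is the sync function doing its job for an anonymous caller, and the replicator does not surface it as a session failure. Scenario B is what disabling the guest user changes: the same request is refused with 401 before the document is evaluated, which is the signal the client can act on to fetch a fresh session from the custom server.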


#3

I think that could be exactly the problem. I disabled the guest user, then ran the Sync Gateway again and I'm getting the following message:

(1.3.1 - Windows - Community)

2017-02-16T10:17:04.152-05:00 FATAL: Error opening database: Couldn't create user "GUEST": Unable to increment sequence: MCResponse status=DELTA_BADVAL, opcode=INCREMENT, opaque=0, msg: Non-numeric server-side value for incr or decr -- rest.RunServer() at config.go:677

"users": {
    "GUEST": { "disabled": true }
}

And I'm unable to run the gateway again.


#4

I tried to run the Sync Gateway several times and it's running now.
You were right, the problem was the guest user being enabled.


#5

That's a weird error from SG. Did it just go away on its own, or did you erase the bucket?


#6

It DID just go away after some attempts of running it.