Interesting couchbase Authenticate issue


#1

Hi Everyone / Couchbase team.

Found an interesting bug? If I can call it that.
Seems the cluster.authenticate gives you an error if you provide a username which happens to be the same as the username you use to log in to your Couchbase Admin console ( via http://localhost:8091 ).

This is what you get:
"CouchbaseError: Authentication failed. You may have provided an invalid username/password combination"

Any other username does work, of course. You apparently can’t use the same name as your normal login, probably because it’s somehow stored in the Authentication as well.
Can the Couchbase team perhaps throw out a different error? Or at least put it somewhere in the documentation.

Something like:
"CouchbaseError: Authentication failed. Invalid username."

At least something that forces developers to change the username.
Perhaps this applies to other libraries as well?? ( I used Node.js btw )

PS. I actually found this bug, because I was fixing a different bug haha.
All good. Have a great day all.


#2

It’s pretty standard to not leak why an authentication failed - i.e. a system providing authentication won’t tell you if the username was correct but the password was incorrect, as that tells an attacker that a given username does (or doesn’t) exist.
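
Added example, not part of the thread and not Couchbase or SDK code: a Node.js sketch of the principle in reply #2, showing a login check that leaks which field was wrong next to one that returns the same message and does the same hashing work for every failure. The user store, account name and function names are hypothetical; the generic message is the one quoted in post #1.

```javascript
const crypto = require('crypto');

// Same text for every failure, as in the error quoted in post #1.
const GENERIC_ERROR =
  'Authentication failed. You may have provided an invalid username/password combination';

function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32); // 32-byte derived key
}

// Constructed sample user store; the account and password are made up.
function makeUser(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: hashPassword(password, salt) };
}
const users = new Map([['app_user', makeUser('correct horse')]]);

// Dummy record so an unknown username costs the same hashing work as a known one.
const dummyUser = makeUser(crypto.randomBytes(16).toString('hex'));

// Leaky variant: the error text reveals whether the username exists.
function authenticateLeaky(username, password) {
  const user = users.get(username);
  if (!user) return { ok: false, error: 'Invalid username.' };
  const match = crypto.timingSafeEqual(hashPassword(password, user.salt), user.hash);
  return match ? { ok: true } : { ok: false, error: 'Invalid password.' };
}

// Uniform variant: one message and one code path for every failure.
function authenticateUniform(username, password) {
  const user = users.get(username);
  const record = user || dummyUser; // always hash and compare something
  const match = crypto.timingSafeEqual(hashPassword(password, record.salt), record.hash);
  if (user && match) return { ok: true };
  return { ok: false, error: GENERIC_ERROR };
}
```

The specific failure reason can still be written to a server-side log that only operators can read, which keeps it available for troubleshooting without exposing it to the client.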


#3

It’s possible that you’re hitting https://issues.couchbase.com/browse/MB-29289.

Key excerpt:

If you upgraded your server from “an old version” of Couchbase (prior to SCRAM support), ns_server only had the hashed password for Administrator and couldn’t generate the “sha” entries in there. You can try to reset the Administrator password to have ns_server regenerate the entry for Administrator.


#4

Oh, it’s a completely new Couchbase install. Using the latest 5.1.1.
But thank you. Good to keep that one in mind as well.


#5

Definitely. I was thinking the same thing after I wrote it. But it should at least be mentioned in the docs somewhere. That was the point I was trying to make. Because I can imagine lots of new developers trying out Couchbase and this might be the first issue they bump against. ( and it’s not mentioned anywhere that if you use the exact same name as your login, that the authentication will fail )

See it from a newbie’s perspective.