POST wrong password of user to {bucket}/_session return 200 by 4985 (Couchbase Sync Gateway 1.0.1)?


#1

Hi, all
I am using Couchbase Sync Gateway 1.0.1, and I send a POST request to my local Sync Gateway with the wrong password of a user, but get a 200 response as follows:
Request:
curl -i -X POST -H "Content-Type:application/json" -d '{"name":"testuser","password":"111111"}' http://127.0.0.1:4985/todos/_session
Response:
HTTP/1.1 200 OK
Content-Length: 140
Content-Type: application/json
Server: Couchbase Sync Gateway/1.00
Date: Mon, 20 Apr 2015 06:46:30 GMT

{"session_id":"ded8c7494d686a9506fe3109a64b153751e7ba9b","expires":"2015-04-21T14:46:30.431172986+08:00","cookie_name":"SyncGatewaySession"}
I think I should get a 403 error or a similar error, not 200 with a session_id, because I cannot judge whether the user's password is correct.
By the way, I get a 404 error if the user does not exist, or 200 with a session_id if the user and password are correct.
I also get 200 with a session_id when I only provide the name argument, like this:

Request:
curl -i -X POST -H "Content-Type:application/json" -d '{"name":"testuser"}' http://123.57.214.218/todos/_session
Response:
HTTP/1.1 200 OK
content-length: 140
content-type: application/json
server: Couchbase Sync Gateway/1.00
date: Mon, 20 Apr 2015 06:56:23 GMT
connection: close

{"session_id":"f82322babfda5c757d869cf6b572241bafcdcad1","expires":"2015-04-21T14:56:23.608071938+08:00","cookie_name":"SyncGatewaySession"}


#2

I have got the answer:
https://groups.google.com/forum/#!searchin/mobile-couchbase/Sync$20gateway$20_session/mobile-couchbase/oFXUG6rSMLA/ClkaiHC7_PEJ
Thanks.

But I want to set a specific expiry time when authenticating a user. How can I do that?


#3

Hey @march44, can you help out here please and advise?

thanks

Laura


#4

Custom session expiration time is only available when using custom auth and creating a session via the ADMIN REST API.

You can see examples of the REST calls on this ticket: https://github.com/couchbase/sync_gateway/issues/369

Andy


#5

Hi,
I’m resurrecting an old post because my query is basically the same and I don’t feel it’s been fully answered. I can submit this as a new thread if you prefer.
I have also read the Google Groups thread linked by atom_yang. I don’t know if I’m better posting this here or in the Google thread. I think it’s bad form to post the same question in both, so I will post it here for now. However, please let me know if it would be better to post there. If I don’t get a response to this today, I’ll post on that group tomorrow.

I am trying to write an http handler using sync gateway to perform a user login. Ideally I would like to set the ttl time.

If I start a session using the admin port (4985), I can do this. However, it ignores the password, so any password works.
If I start a session using the public port (4984), it uses the password and fails if this is wrong. However, it’s not possible to set a ttl time.

What is the best method to start a session with both password authentication and a custom ttl time?

The only solution that I can think of is to create a session with port 4984. If that works, log out of that session and create a new session with 4985. Is this the recommended method?

Thanks,
Giles


#6

I think it works, but not the best.
In my case, I can accept using the public port (default is 4984), which cannot set the TTL, because using a static password is not secure enough.
I think you should build a custom auth service to handle the custom auth, as Andy said above, and then use the admin port (default is 4095) to set the TTL and create a session.


#7

Thanks atom_yang.
So just to reiterate and get it straight in my mind, the custom auth is NOT done by requesting a session from couch sync gateway. Once the custom auth service has verified the password, you then use the admin port to create a session without password (as it’s ignored). Is this correct?

Is there any info on the custom auth service? I don’t really understand what this involves.

Thanks,
Giles
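The flow described in #6 and #7 (verify the credentials first, then create the session with a custom TTL through the admin port), as an added Python example that is not from this thread or from Sync Gateway itself. The `fake_sync_gateway` stand-in, its user store and the `ttl` field name are assumptions; a real handler would replace the stand-in with HTTP calls to the two ports.

```python
from typing import Callable, Optional, Tuple

# Constructed endpoints: the public port checks the password, the admin port
# does not (the behaviour reported in #1 and #5). The admin port must only be
# reachable from the auth handler, never from clients.
PUBLIC = "http://127.0.0.1:4984"
ADMIN = "http://127.0.0.1:4985"

# Injected transport: (url, json body) -> (status, parsed json body)
Transport = Callable[[str, dict], Tuple[int, dict]]


def login(db: str, name: str, password: str, ttl_seconds: int,
          post: Transport) -> Optional[dict]:
    """Verify the password on the public port, then mint the real session
    with a custom TTL on the admin port. Returns the admin session or None."""
    status, _ = post(f"{PUBLIC}/{db}/_session",
                     {"name": name, "password": password})
    if status != 200:
        return None  # unknown user (404) or wrong password: stop here
    # Only now touch the admin port. "ttl" is an assumed field name for the
    # admin API's session lifetime in seconds; check the admin REST API docs.
    status, body = post(f"{ADMIN}/{db}/_session",
                        {"name": name, "ttl": ttl_seconds})
    return body if status == 200 else None


def admin_only_login(db: str, name: str, password: str, ttl_seconds: int,
                     post: Transport) -> Optional[dict]:
    """The mistake from #1: the admin port returns 200 regardless of the
    password, so this never actually authenticates anyone."""
    status, body = post(f"{ADMIN}/{db}/_session",
                        {"name": name, "password": password, "ttl": ttl_seconds})
    return body if status == 200 else None


# Constructed stand-in for Sync Gateway reproducing the thread's observations.
USERS = {"testuser": "correct-horse"}  # constructed user store


def fake_sync_gateway(url: str, body: dict) -> Tuple[int, dict]:
    name = body.get("name")
    if name not in USERS:
        return 404, {"error": "not_found"}  # user does not exist (#1)
    if url.startswith(PUBLIC) and body.get("password") != USERS[name]:
        return 401, {"error": "unauthorized"}  # public port checks the password
    # admin port: password ignored, TTL honoured
    return 200, {"session_id": "constructed-id",
                 "cookie_name": "SyncGatewaySession", "ttl": body.get("ttl")}
```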


#8

Okay, just read the custom authentication section here: http://developer.couchbase.com/documentation/mobile/current/develop/guides/sync-gateway/administering-sync-gateway/authenticating-users/index.html

Trying to understand the best method of authentication now (OAuth?) but I get the idea.

Thanks,
Giles