Sync GateWay LiteCoreException 403 Forbidden after creating db via API

CBS 5.5
CBL 2.0 db023
SGW 2.0 beta2

Hi,

We perform a PUT with following dbSetting:

"user": {
			"server": "http://xx.xx.xx.xx:8091",
			"username": "xxxx",
			"password": "xxxxxxx",
			"bucket": "user",
			"enable_shared_bucket_access": true,
			"import_docs": "continuous",
			"import_filter": `
			function(doc) {
				if (doc.db != "user") {
					return false
				}
				return true
			}
			`,
			"users": {
				"GUEST": {
					"disabled": true
				},
				"xxx": {
					"password": "xxxxx",
					"admin_channels": ["*"],
					"allow_empty_password": false
				}

			},
			"unsupported": {
				"replicator_2": true,
				"enable_extended_attributes": true
			}

		},

This results the user in the bucket _sync:user:xxx as

{
	"name": "xxx",
	"admin_channels": {
		"*": 1
	},
	"all_channels": null,
	"sequence": 1,
	"passwordhash_bcrypt": "pwhash",
	"rolesSince": {}
}

But we get a 403 when replicating with CBL.

The main question is: why this error? I suppose it has something to do with how the user gets defined. I can see that _sync:seq is 2 and the user sequence is 1. Is that the problem? Is this user only allowed all admin_channels at sequence 1? How can I give the user all access at any time?

The other questions are:

• what does "*":1 mean? I know that * is all but the :1 puzzles me
• I’m not sure but I think I saw "!":1 elsewhere else
• Why do the sequence and all_channels get set automatically? Did I do something wrong?

update:
In the sync logs I find
WS: [92778d9] Error: Client doesn't support WS protocol BLIP_3+CBMobile_2, only BLIP_3a2

update 2:
The CBL output:

00:29:27.566359| [WS] WARNING: {N8litecore9websocket12C4SocketImplE#2}==> N8litecore9websocket12C4SocketImplE ws:xx.xx.xx.xx:xxxx/promo/_blipsync
00:29:2703-20 13:54:20.550 D/Mono    ( 9421): Probing 'FLSliceResult_Free'.

.566910| [WS] WARNING: {N8litecore9websocket12C4SocketImplE#2} Unexpected or unclean socket disconnect! (reason=WebSocket status, code=403)03-20 13:54:20.550 D/Mono    ( 9421): Found as 'FLSliceResult_Free'.

Thread started:  #18

403 is an auth error.

Could you turn on verbose logging in sync gateway with bucket information to see what user(cb key) sync gateway tries to get when you auth.
“log”:["…",“bucket”]

Hi thanks for your reply. Yes I worked that out but I don’t see where it goes wrong. I had the * log on already so here is the most significant part (I think)

2018-03-20T11:55:58.010+01:00 Feed+: Connecting to new bucket datasource.  URLs:[http://xx.xx.xx.xx:8091], pool:default, bucket:user
2018-03-20T11:55:58.035+01:00 Using metadata purge interval of 3.00 days for tombstone compaction.
2018-03-20T11:55:58.036+01:00 Using default sync function 'channel(doc.channels)' for database "user"
2018-03-20T11:55:58.037+01:00     Reset guest user to config
2018-03-20T11:55:58.037+01:00 Starting admin server on xx.xx.xx.xx:4985
2018-03-20T11:55:58.041+01:00 Starting server on xx.xx.xx.xx:4984 ...
2018-03-20T11:55:58.097+01:00 [INFO] Using plain authentication for user sam 
2018-03-20T11:55:58.300+01:00 DCP: Backfill in progress: 0% (2 / 2118)
2018-03-20T11:55:58.312+01:00 Changes+: Notifying that "search" changed (keys="{_sync:user:sam}") count=2
2018-03-20T11:55:58.429+01:00 DCP: Backfill complete
2018-03-20T11:55:58.430+01:00 DCP+: Persisting checkpoint for vbno 228
2018-03-20T11:55:58.431+01:00 DCP+: Persisting checkpoint for vbno 426
2018-03-20T11:55:58.433+01:00 DCP+: Persisting checkpoint for vbno 671
2018-03-20T11:55:58.437+01:00 DCP+: Persisting checkpoint for vbno 520
2018-03-20T11:55:58.439+01:00 DCP+: Persisting checkpoint for vbno 574
2018-03-20T11:55:58.440+01:00 DCP+: Persisting checkpoint for vbno 36
2018-03-20T11:55:58.508+01:00 Changes+: Notifying that "user" changed (keys="{_sync:user:sam}") count=2
2018-03-20T11:55:58.564+01:00 DCP: Backfill complete
2018-03-20T11:55:58.566+01:00 DCP+: Persisting checkpoint for vbno 228
2018-03-20T11:56:20.555+01:00 HTTP:  #001: GET /label/_blipsync (as GUEST)
2018-03-20T11:56:20.555+01:00 HTTP: #001:     --> 401 Login required  (1.0 ms)
2018-03-20T11:56:20.842+01:00 HTTP:  #002: GET /label/_blipsync (as sam)
2018-03-20T11:56:20.842+01:00 WS: [92778d9] Error: Client doesn't support WS protocol BLIP_3+CBMobile_2, only BLIP_3a2
2018-03-20T11:56:20.842+01:00 HTTP+: #002:     --> 200   (99.0 ms)

Looking at the “most significant” part of your logs

• The WS Protocol issue - This error message is indicative of a mismatch between between CBL version and SGW version , so please double check that they are aligned.
  I know you mentioned that you are using SGW Beta2 but can you double check that this in fact the case and that your client is CBL Beta 2…

{"couchdb":"Welcome","vendor":{"name":"Couchbase Sync Gateway","version":"2.0"},"version":"Couchbase Sync Gateway/2.0.0(827;5b66afb)"}

Hi @priya.rajagopal
I considered that option. I have reinstalled SGW through the normal channels (downloading page). That didn’t resolve the situation. But you’re right, I have another build installed: 823 (vs 827)… . I was searching for the build number of beta2 but didn’t find it anywhere. But how do I get the right SGW version?

{
    "couchdb": "Welcome",
    "vendor": {
        "name": "Couchbase Sync Gateway",
        "version": "2.0"
    },
    "version": "Couchbase Sync Gateway/2.0.0(823;5b66afb)"
}

Interesting. Did you get yours from the Downloads page ? Then that should work. It may be possible that I have a slightly more recent version (from our internal builds). If you have docker, you can get the build 827 from docker hub

Hi Priya,

I downloaded it again from here:
https://packages.couchbase.com/releases/couchbase-sync-gateway/2.0.0-beta2/couchbase-sync-gateway-community_2.0.0-beta2_x86_64.msi
but unfortunately the same: 823

I don’t have docker no… .

Build 823 should also work. I just downloaded the version from Pre-release page and it works fine. And you are sure that the client is on DB23 right ?

FYI …my DB23 app connecting to the Beta -2 SGW from Downloads …

2018-03-20T11:32:34.347-04:00 Enabling logging: [*]
2018-03-20T11:32:34.347-04:00 ==== Couchbase Sync Gateway/2.0.0(823;5b66afb) ====
2018-03-20T11:32:34.347-04:00 Configured process to allow 5000 open file descriptors
2018-03-20T11:32:34.347-04:00 Opening db /travel-sample as bucket "travel-sample", pool "default", server <http://localhost:8091>
2018-03-20T11:32:34.348-04:00 Import+: Creating new ImportFilterFunction
2018-03-20T11:32:34.348-04:00 GoCBCustomSGTranscoder Opening Couchbase database travel-sample on <http://localhost:8091> as user "admin"
2018-03-20T11:32:34.365-04:00 Design docs for current SG view version (2.0) found.
2018-03-20T11:32:34.365-04:00 Verifying view availability for bucket travel-sample...
2018-03-20T11:32:34.525-04:00 Views ready for bucket travel-sample.
2018-03-20T11:32:34.526-04:00 Cache: Initializing changes cache with options {ChannelCacheOptions:{ChannelCacheMinLength:0 ChannelCacheMaxLength:0 ChannelCacheAge:0s} CachePendingSeqMaxWait:5s CachePendingSeqMaxNum:10000 CacheSkippedSeqMaxWait:1h0m0s}
2018-03-20T11:32:34.526-04:00 Initializing changes cache for database travel-sample with sequence: 4
2018-03-20T11:32:34.526-04:00 Feed: Starting mutation feed on bucket travel-sample due to either channel cache mode or doc tracking (auto-import/bucketshadow)
2018-03-20T11:32:34.526-04:00 Feed: Using DCP feed for bucket: "travel-sample" (based on feed_type specified in config file)
2018-03-20T11:32:34.543-04:00 Feed+: Initializing DCP feed based on persisted checkpoints
2018-03-20T11:32:34.561-04:00 Feed+: Initializing DCP feed based on persisted checkpoints
2018-03-20T11:32:34.561-04:00 Feed+: Connecting to new bucket datasource.  URLs:[http://localhost:8091], pool:default, bucket:travel-sample
2018-03-20T11:32:34.575-04:00 Using metadata purge interval of 3.00 days for tombstone compaction.
2018-03-20T11:32:34.582-04:00 Starting admin server on 127.0.0.1:4985
2018-03-20T11:32:34.584-04:00 Starting server on :4984 ...
2018-03-20T11:32:46.078-04:00 HTTP:  #001: GET /travel-sample/_blipsync (as GUEST)
2018-03-20T11:32:46.079-04:00 HTTP: #001:     --> 401 Login required  (0.9 ms)
2018-03-20T11:32:46.163-04:00 HTTP:  #002: GET /travel-sample/_blipsync (as demo)
2018-03-20T11:32:46.163-04:00 HTTP+: #002:     --> 101 [4e80f8d2] Upgraded to BLIP+WebSocket protocol. User:demo.  (0.0 ms)
2018-03-20T11:32:46.163-04:00 WS: [4e80f8d2] Start BLIP/Websocket handler
2018

Absolutely sure. I will further assess the problem Today. I’ll keep you posted

@priya.rajagopal

I keep hitting the 403.

Every time SGW logs
WS: [105d2fe6] Error: Client doesn't support WS protocol BLIP_3+CBMobile_2, only BLIP_3a2
when checking after getting the 403 in cbl

update:

Built CBL from the master branch but still the same issue:
03-21 12:02:46.778 D/Mono    (15596): Searching for 'FLSliceResult_Free'.
.798249| [WS03-21 12:02:46.778 D/Mono    (15596): Probing 'FLSliceResult_Free'.] WARNING: {N8litecore9websocket12C4SocketImplE#
03-21 12:02:46.778 D/Mono    (15596): Found as 'FLSliceResult_Free'.2}==> N8litecore9websocket12C4SocketImplE ws:xx.xx.xx.xx:4984/label/_blipsync
01:09:23.800886| [WS] WARNING: {N8litecore9websocket12C4SocketImplE#2} Unexpected or unclean socket disconnect! (reason=WebSocket status, code=403)
01:09:23.801620| [WS]: {N8litecore9websocket12C4SocketImplE#2} sent 0 bytes, rcvd 0, in 

0.000 sec (nan/sec, nan/sec)
Thread started:  #20
01:09:23
Thread finished:  #18.818186| 

[
BLIP]: {N8litecore4blip10ConnectionE#1} Closed with WebSocket status 403: Forbidden
01:09:23.822918| 
[
Sync]: {Repl#3}==> N8litecore4repl10ReplicatorE /data/data/com.xxx.xxx/files/label.cblite2/ ->ws:xx.xx.xx.xx:4984/label/_blipsync
01:09:23.825399| [Sync]: {Repl#3} Connection closed with WebSocket status 403: "Forbidden"
01:09:23.825967| [
Sync
] ERROR: 
{Repl#3} Got LiteCore error: 
Forbidden
 (7/403)
01:09:23
.829482| 
[Sync]: {Repl#3} now stopped
01:09:23
.831764| 
[
DB
]: 
Thread started:  #21
Closing DataFile

Double checked everything, the username and pass is correct in the replicator authenticator.

Ok, this was strange. We had updated to 023. This was indicated by the nuget packages. Both Couchbase.Lite and Couchbase.Lite.Support.Android were version 023. When I inspected the build window it seemed that CBLA was version 022. I guess it’s the trade-off with developing with versioning. We use Git and do daily merges… .