
I’ve recently stumbled upon a discussion about it again and thought I should write something short on the topic, so here it is — let’s talk about “AuthSession”.

Preparations

First some prep work. Let’s start a single node docker instance of the latest CouchDB.

$ docker run --rm --name wismut --hostname asgard.dev -it -d -p 5984:5984 -e COUCHDB_USER=root -e COUCHDB_PASSWORD=god -e COUCHDB_SECRET=hemmelighet -e NODENAME=asgard.dev couchdb:3
Unable to find image 'couchdb:3' locally
3: Pulling from library/couchdb
...
Status: Downloaded newer image for couchdb:3
659134ae663d9cdf198e42b03b0776e94c041b7d3e8599728ef86c44e2e6c51b
$ cat ~/.curlrc
-s
-H Accept:application/json
-H Content-Type:application/json
$ export db=http://127.0.0.1:5984
$ curl $db | jq .
{…


An attentive reader of my previous article might have noticed that, when I was talking about securing a database, I updated its security object with a document that contained a role “_admin”, and you probably thought that this is some kind of special “magical” attribute. Well, this is not the case! A role in a security object can be anything you want. No, really.

Preparations

Let’s start with a fresh docker instance of CouchDB. (A new version has come out since my last article.)

$ docker run --rm --name wismut -it -d -p 5984:5984 couchdb:2.2.0
Unable to find image 'couchdb:2.2.0'…



Preparations

Let’s start with a fresh instance of CouchDB.


$ docker run --rm --name wismut -it -d -p 5984:5984 couchdb:2.1.1
d51418b1b9de0903ac6ab0b526ee76e51da6d7c183a5dee227c91f843390019d
$ export db=http://127.0.0.1:5984
$ cat ~/.curlrc
-s
-H Accept:application/json
-H Content-Type:application/json
$ curl $db | jq .
{
  "couchdb": "Welcome",
  "version": "2.1.1",
  "features": [
    "scheduler"
  ],
  "vendor": {
    "name": "The Apache Software Foundation"
  }
}

All right, we're good to go.

Party mode

Initially we have neither admin nor regular users.

$ curl $db/_node/nonode@nohost/_config/admins
{}
$ curl $db/_users
{"error":"not_found","reason":"Database does not exist."}

CouchDB is in so-called “party mode” — anyone can access any end-point and execute any action. For example:

# check health…

Eric Avdey
