
I’ve recently stumbled upon a discussion about it again and thought I should write something short on the topic, so here it is — let’s talk about “AuthSession”.


First some prep work. Let’s start a single node docker instance of the latest CouchDB.

$ docker run --rm --name wismut --hostname -it -d -p 5984:5984 -e COUCHDB_USER=root -e COUCHDB_PASSWORD=god -e COUCHDB_SECRET=hemmelighet -e couchdb:3
Unable to find image 'couchdb:3' locally
3: Pulling from library/couchdb
Status: Downloaded newer image for couchdb:3
$ cat ~/.curlrc
-H Accept:application/json
-H Content-Type:application/json
$ export db=
$ curl $db | jq .
{…


An attentive reader of my previous article might have noticed that, when I was talking about securing a database, I updated its security object with a document that contained a role “_admin”, and probably thought that this is some kind of special “magical” attribute. Well, this is not the case! A role in a security object can be anything you want. No, really.


Let’s start with a fresh docker instance of CouchDB. (A new version has come out since my last article.)

$ docker run --rm --name wismut -it -d -p 5984:5984 couchdb:2.2.0
Unable to find image 'couchdb:2.2.0'…



Let’s start with a fresh instance of CouchDB.

$ docker run --rm --name wismut -it -d -p 5984:5984 couchdb:2.1.1
$ export db=
$ cat ~/.curlrc
-H Accept:application/json
-H Content-Type:application/json
$ curl $db | jq .
"couchdb": "Welcome",
"version": "2.1.1",
"features": [
"vendor": {
"name": "The Apache Software Foundation"

All right, we’re good to go.

Party mode

Initially we have neither admin nor regular users.

$ curl $db/_node/nonode@nohost/_config/admins
$ curl $db/_users
{"error":"not_found","reason":"Database does not exist."}

CouchDB is in so-called “party mode”: anyone can access any endpoint and execute any action. For example:

# check health…

Eric Avdey
