Should I be including Bearer or Basic Authorization headers in requests to couchdb? #59

mugwhump · 2022-09-11T03:38:09Z

mugwhump
Sep 11, 2022

So I'm a little confused here. If I start a session with couch-auth and use the generated token+password in a standard basic auth header in a request to couchdb like so
'Authorization': 'Basic ' + btoa(unescape(encodeURIComponent(session.token + ':' + session.password)))
everything works fine. But if I use bearer auth like so:
'Authorization': 'Bearer ' + session.token+':'+session.password
couch says I'm not authorized. The documentation says

Then include the access token and password in an Authorization Bearer header on every request to access protected endpoints. The same credentials will authenticate you on any CouchDB or Cloudant database you have been authorized to use.

The old superlogin-client code appears to do the same. But asking on couchdb's slack, it sounds like couch only uses Bearer auth when couch is configured for JWT? And this doesn't actually use JWT, right? So is Bearer auth only for requests to couch-auth's node server, and requests to the couchdb server must use Basic auth?

Appreciate the project btw, nice work :)

Answered by fynnlyte

Sep 14, 2022

So is Bearer auth only for requests to couch-auth's node server, and requests to the couchdb server must use Basic auth?

Yes:

for requests to CouchDB, you need to use basic auth as you've described
for requests to couch-auth or to your own routes that you protect via couch-auth (see here) you need to use the bearer token

couch-auth doesn't have JWT support.

View full answer

fynnlyte · 2022-09-14T08:31:49Z

fynnlyte
Sep 14, 2022
Maintainer

So is Bearer auth only for requests to couch-auth's node server, and requests to the couchdb server must use Basic auth?

Yes:

for requests to CouchDB, you need to use basic auth as you've described
for requests to couch-auth or to your own routes that you protect via couch-auth (see here) you need to use the bearer token

couch-auth doesn't have JWT support.

5 replies

mugwhump Sep 15, 2022
Author

Thanks. Guess the wording in the documentation threw me for a bit of a loop.

fynnlyte Sep 15, 2022
Maintainer

feel free to submit a PR for the README to make things clearer

mugwhump Sep 16, 2022
Author

Done!

mugwhump Sep 17, 2022
Author

Oh wait... should I also mention that those credentials can be used with couchdb's session auth? Are there any concerns with using both couch-auth's sessions and couchdb's sessions? Because being able to authenticate with cookies can be convenient (and more performant than basic auth).

fynnlyte Sep 17, 2022
Maintainer

No, it's perfectly fine to use _session since the basic auth info just corresponds to an entry in the _users db. I'd also recommend doing so when making a lot of requests. But thx, I'll merge the PR as it is.

Just be aware that in order to actually invalidate the session, you need to log out via couch-auth, see https://docs.couchdb.org/en/main/api/server/authn.html#delete--_session

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Should I be including Bearer or Basic Authorization headers in requests to couchdb? #59

{{title}}

Replies: 1 comment 5 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Should I be including Bearer or Basic Authorization headers in requests to couchdb? #59

mugwhump Sep 11, 2022

Replies: 1 comment · 5 replies

fynnlyte Sep 14, 2022 Maintainer

mugwhump Sep 15, 2022 Author

fynnlyte Sep 15, 2022 Maintainer

mugwhump Sep 16, 2022 Author

mugwhump Sep 17, 2022 Author

fynnlyte Sep 17, 2022 Maintainer

mugwhump
Sep 11, 2022

Replies: 1 comment 5 replies

fynnlyte
Sep 14, 2022
Maintainer

mugwhump Sep 15, 2022
Author

fynnlyte Sep 15, 2022
Maintainer

mugwhump Sep 16, 2022
Author

mugwhump Sep 17, 2022
Author

fynnlyte Sep 17, 2022
Maintainer