"skipSetup: true" with "require_valid_user = true" shows browser modal

[nylki]

Hey there,
I set require_valid_user = true in my CouchDB's local.ini,
to only allow actual users, but no anonymous users.

Also skipSetup: true is set when initalizing the DB.

However, each time I db.login('test', 'test'), I get the browser modal requiring to enter credentials,
although test:test exists, and normally works without require_valid_user = true

tested in Firefox 42 and Chrome 47.

the relevant code:

    var db, local
    function switchDB(dbname) {
      db = new PouchDB('http://127.0.0.1:5984/' + dbname, {skipSetup: true})
      local = new PouchDB(dbname)
      local.sync(db, {live: true, retry: true}).on('error', console.log.bind(console))
      return db.login('test', 'test')
    }

I already tried http://stackoverflow.com/questions/32670580/prevent-authentication-popup-401-with-couchdb-pouchdb, which seemed to solve the issue, but I want to use fauxton on the backend which doesn't work after that.

If it doesn't work any other way, I guess I could set roles for each db as a workaround…

[alexanderharm]

I experience the same problem. Also setting the ajax options as outlined in the readme doesn't help.

[nolanlawson]

According to the docs, you need to do db.login() with the ajax options as well. I.e. instad of

db.login('test', 'test')

you need to do

db.login('test', 'test', {ajax: {skipSetup: true}})

Did you try that?

[alexanderharm]

Hello Nolan, I did try that and it does work but only if you login with the correct credentials. If you enter the wrong credentials the modal still pops up. That is probably more a CouchDB issue than PouchDB but I am wondering if there is a possibility to intercept that. Btw I tried changing the www-authenticate header in CouchDB's local.ini but it stays fixed at "Basic realm='server'".

[alexanderharm]

I did some more research:
Setting WWW-Authenticate headers in CouchDB's local.ini does help but - at least on OS X - it is not persistent. On each CouchDB startup WWW-Authenticate is lower cased and not recognised any more. Also changing "Basic" to "Other" as outlined here (https://stackoverflow.com/questions/32670580/prevent-authentication-popup-401-with-couchdb-pouchdb) messes up your access to Futon/Fauxton.
Is there a possibility to specify a "next"-parameter that gets appended to the request to redirect a failed authentication request (see http://docs.couchdb.org/en/1.6.1/api/server/authn.html)? And would that work with a single page app?

[nylki]

I did try that and it does work but only if you login with the correct credentials.

Interesting, this does not work for me. I made a quick video capture, showing my code, the config and the behaviour.

https://vimeo.com/149261864
(excuse me for ~0:45, I had to restart the webserver -.- )

[alexanderharm]

Hello nylki, in your video your ajax options are wrong (I think Nolan made a mistake here in this thread). You put {ajax: {skipSetup: true}}
According to the docs you need to put

{
  ajax: {
    headers: {
      Authorization: 'Basic ' + window.btoa(username + ':' + userpassword)
    }
  }
}

[nylki]

@alexanderharm Ah, thanks for the hint! I had the doc open, but must have missed this part.
Also sorry @nolanlawson for the confusion, I should have rtfm more thoroughly.

However, as @alexanderharm mentioned the modal still pops up, when the credentials were wrong (which isn't a big issue on my side though).

[alexanderharm]

@nylki That is exactly the problem I'm having and I haven't found a satisfying solution yet. Maybe write your own login function and use the "next" parameter (see http://docs.couchdb.org/en/1.6.1/api/server/authn.html). Haven't tried that so far... might give it a shot tonight.

[SinanGabel]

Hi!

This works for me - hope it will work for you too - i.e. following the
guidelines at:
https://github.com/nolanlawson/pouchdb-authentication#everybody-has-to-be-logged-in-to-do-anything

var user = {

name: 'admin',
password: 'admin'
};
var pouchOpts = {
skipSetup: true
};
var ajaxOpts = {
ajax: {
headers: {
Authorization: 'Basic ' + window.btoa(user.name + ':' + user.password)
}
}
};
var db = new PouchDB('http://localhost:5984/test', pouchOpts);
db.login(user.name, user.password, ajaxOpts).then(function() {
return db.allDocs();
}).then(function(docs) {
console.log(docs);
}).catch(function(error) {
console.error(error);
});

On 17 December 2015 at 13:43, alexanderharm notifications@github.com
wrote:

@nylki https://github.com/nylki That is exactly the problem I'm having
and I haven't found a satisfying solution yet. Maybe write your own login
function and use the "next" parameter (see
http://docs.couchdb.org/en/1.6.1/api/server/authn.html). Haven't tried
that so far... might give it a shot tonight.

—
Reply to this email directly or view it on GitHub
#61 (comment)
.

[alexanderharm]

@SinanGabel that only prevents the modal if your credentials are correct. If they are wrong and you are not authorized it will show.

[alexanderharm]

I played around a bit with the next parameter but without success. While receiving now a 401 error without the modal it fails (of course) on the redirect if successfully authenticated. Worse, I don't receive the auth-cookie back. So no workaround.
The only other possibility I can think of is to modify the response headers using nginx and the headers_more module https://github.com/openresty/headers-more-nginx-module#readme

[alexanderharm]

I managed to get this work using nginx with the headers-more module. I posted my solution on SO: http://stackoverflow.com/a/34346451/5457201
The essence is to replace the WWW-Authenticate in the 401 response if you are not accessing _utils.

[Razgort]

I have the same issue i will try with your answer tomorrow alexanderharm.Thx anyway

[pablomaurer]

I used proxy_hide_header WWW-Authenticate;
But then you only have access to Futon/Fauxton if you are on your server through localhost.

If you need Futon/Fauxton access from remote i recommend @alexanderharm solution