We use the Couchbase-recommended custom authentication to authenticate with Sync Gateway. First, we send the username and password to our auth server, which authenticates with Sync Gateway and gives us back the session cookie details. The client then uses this session cookie to set up replication. Now the problem is, we have no way to know whether this cookie is valid or expired from the change replication listener. We can see the logs, "missing_channel access error". But because Couchbase Android consumes 403 errors and does not give a callback, we have no way to detect the invalid and expired cookie cases. Can someone help us with this use case please?
@hideki It will be really helpful if you could let me know the way to detect invalid/expired session cookie when replication is running.
I was given the following solution to tackle this problem:
Fork the library and pass all the errors to the listener.
Before doing this, I wanted to make sure whether CB 2.0 has any way to do it. Then I can use the CB 2.0 developer builds instead of forking the 1.x library.
Hi @bharath,
Sync Gateway should return 401 (Unauthorized) if the SyncGatewaySessionID is expired. If SG returns 403 (Forbidden), it seems the account you are using does not have access rights to the channel. Can you review the access rights?
Thanks!
We use Sync Gateway version 1.4 and, as you mentioned, it is indeed failing in the requireAccess method: it detects the invalid cookie and returns a missing channel access error. I've been looking through the Couchbase SG documentation and could not find the right way to return 401 for an invalid/expired cookie. Can you please point me to the right documentation for configuring SG to return 401 for unauthorized users with a wrong session cookie?
As indicated by @hideki, if you do not have access rights to the channel, you will get a 403 Forbidden error. You should not change SG to return 401 when there is an access issue.
FYI: Ref code available here
Are you suggesting that your cookie has in fact expired but SG is still returning a 403 channel access error instead of 401 Unauthorized? Because if that's the case, that seems like a bug to me…
Hi @priya.rajagopal, thanks for your response. Yes, for the invalid cookie and expired cookie cases, SG is returning a 403 channel access error. I was under the impression that a document update wouldn't even go through our sync function if a cookie is invalid. But this does not seem to be the case.
Please note we use synctos to generate our sync function, which does not handle cookie validation. In the reference code you shared, in the try-catch block:
```javascript
try {
    // v is the user-supplied sync function, called as v(newDoc, oldDoc)
    v(newDoc, oldDoc);
} catch (x) {
    if (x.forbidden)
        reject(403, x.forbidden);      // e.g. thrown by requireAccess() / requireUser()
    else if (x.unauthorized)
        reject(401, x.unauthorized);   // sync function signalled an unauthenticated caller
    else
        throw (x);                     // anything else is a genuine error, re-raise it
}
```
Looks like unauthorized exceptions are getting caught from the sync function.
So should we validate the cookie details inside the sync function and throw this unauthorized exception if a cookie is expired or invalid?
Is the cookie validation not handled by Sync Gateway itself before passing the document through our sync function?
It will be really helpful if you could answer these doubts. Thanks a lot!
We found out the cause of the 403 errors for unauthorized users. It was due to GUEST access being enabled in our config file. I apologise for overlooking this config and causing you trouble.
Thanks a lot for being active in this forum and answering my doubts.
I look forward to moving to CB 2.0 soon. I will close this topic.
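To make the thread's conclusion concrete, here is an added example (not Sync Gateway's own code, and not posted by anyone above) that models the request path in a few dozen lines: the session cookie is checked first; only when it is invalid or expired does the guest setting decide between a 401 and "proceed as GUEST". With the guest user enabled, the write reaches the sync function as GUEST, and a `requireAccess`-style check produces the 403 the original poster saw; with the guest user disabled, the 401 comes back before the sync function ever runs. The session store, the `guestEnabled` flag, the channel table and the local `requireAccess` helper are all constructed stand-ins for Sync Gateway internals; the status mapping in `runSyncFunction` mirrors the try/catch wrapper quoted earlier in the thread.

```javascript
// Added example: a simplified model of cookie authentication, the GUEST user,
// and the sync-function wrapper discussed in the thread. Not Sync Gateway code.

// Constructed session store: cookie value -> { user, expires (ms since epoch) }
const SESSIONS = {
  "valid-cookie":   { user: "alice", expires: Date.now() + 3600 * 1000 },
  "expired-cookie": { user: "bob",   expires: Date.now() - 1 },
};

// Constructed channel grants per user; the GUEST user has no channels.
const USER_CHANNELS = {
  alice: ["alice-private"],
  bob:   ["bob-private"],
  GUEST: [],
};

// Runs the sync function and maps thrown objects to HTTP statuses the same
// way the wrapper quoted above does: forbidden -> 403, unauthorized -> 401,
// anything else is re-thrown.
function runSyncFunction(syncFn, newDoc, oldDoc, userChannels) {
  // Local stand-in for Sync Gateway's requireAccess(): throws a `forbidden`
  // error when the caller is in none of the listed channels.
  const requireAccess = (channels) => {
    const allowed = [].concat(channels).some((c) => userChannels.includes(c));
    if (!allowed) throw { forbidden: "missing channel access" };
  };
  try {
    syncFn(newDoc, oldDoc, requireAccess);
    return { status: 200 };
  } catch (x) {
    if (x.forbidden) return { status: 403, reason: x.forbidden };
    else if (x.unauthorized) return { status: 401, reason: x.unauthorized };
    else throw x;
  }
}

// Models the request path: authenticate the cookie before the sync function.
// A bad cookie becomes GUEST only when the guest user is enabled; otherwise
// the request is rejected with 401 and the sync function is never called.
function handleWrite(cookie, newDoc, syncFn, guestEnabled) {
  const session = SESSIONS[cookie];
  let user;
  if (session && session.expires > Date.now()) {
    user = session.user;
  } else if (guestEnabled) {
    user = "GUEST"; // invalid/expired cookie silently downgraded to the guest user
  } else {
    return { user: null, status: 401, reason: "invalid or expired session" };
  }
  const result = runSyncFunction(syncFn, newDoc, null, USER_CHANNELS[user]);
  return { user, ...result };
}

// A sync function in the style of the thread: every write needs channel access.
function sampleSyncFn(newDoc, oldDoc, requireAccess) {
  requireAccess(newDoc.channel);
}

// Constructed document for the walkthrough.
const DOC = { _id: "note-1", channel: "alice-private" };

// Same expired cookie, two guest settings: 403 as GUEST vs. 401 up front.
console.log("guest enabled :", handleWrite("expired-cookie", DOC, sampleSyncFn, true));
console.log("guest disabled:", handleWrite("expired-cookie", DOC, sampleSyncFn, false));
```

For a client such as Couchbase Lite, the practical split is the one @hideki gave: a 401 means re-authenticate (fetch a fresh session from the auth server), while a 403 means the authenticated user lacks a channel grant and no amount of re-login will fix it. In Sync Gateway 1.x the guest user is the `GUEST` entry under `"users"` in the config file, and setting `"disabled": true` on it is what turns the downgrade path off.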