Constraint to sync gateway users

Mobile Sync Gateway
1

Howdy

Please kindly advise any constraints (length, any special characters should avoid) while creating sync gateway users.

I checked following document and couldn’t find any related information

Users | Couchbase Docs

My project need to use long sub id for sync gateway username, i.e.

myorg_john.davis~40myorganization.org@department.mysuperdomain.onemicrosoft.com

then sync gateway return error

400 Invalid name “myorg_john.davis~40myorganization.org@department.mysuperdomain.onemicrosoft.com”

P.S. Password will be using username value. Please also kindly advise constraints to password

Thanks in advance

2

What version of Sync Gateway are you using?

In v3.1.0+ (and subsequently backported to v3.0.4+) we relaxed the restrictions on names as much as possible, such that the only requirements are:

  • Valid UTF-8
  • No commas, slashes or backticks
  • At least one alphanumeric character (UTF-8 Category L or N)
  • <= 239 characters

There are no password constraints other than max length, which is 72 bytes (note: which may not be 72 characters if using non-ASCII characters)

This length is a limitation of bcrypt rather than us choosing to restrict it. In future if we switch to an alternative hashing algorithm we could conceivably allow for larger passwords or passphrases.

Given your example username, I am able to create a user on version 3.2.1:

$ curl -X PUT http://Administrator:password@localhost:4985/db1/_user/myorg_john.davis~40myorganization.org@department.mysuperdomain.onemicrosoft.com -H 'Content-Type: application/json' -d '{"password":"testpassword","admin_channels":["*"]}'

2024-11-08T11:37:04.148Z [INF] HTTP: c:#006 db:db1 PUT /db1/_user/<ud>myorg_john.davis~40myorganization.org@department.mysuperdomain.onemicrosoft.com</ud> (as <ud>Administrator</ud> as ADMIN)
2024-11-08T11:37:04.154Z [INF] Access: c:#006 db:db1 Recomputed channels for "<ud>myorg_john.davis~40myorganization.org@department.mysuperdomain.onemicrosoft.com</ud>" (_default._default): <ud>!:1</ud>
2024-11-08T11:37:04.156Z [INF] Access: c:#006 db:db1 Computed roles for "<ud>myorg_john.davis~40myorganization.org@department.mysuperdomain.onemicrosoft.com</ud>": <ud></ud>
2024-11-08T11:37:04.243Z [INF] Auth: c:#006 db:db1 Saved principal w/ name:<ud>myorg_john.davis~40myorganization.org@department.mysuperdomain.onemicrosoft.com</ud>, seq: #3
2024-11-08T11:37:04.243Z [INF] HTTP+: c:#006 db:db1 #006:     --> 201 Created  (99.0 ms)
2024-11-08T11:37:04.243Z [INF] Changes: db:db1 Received #3 ("<ud>_user/myorg_john.davis~40myorganization.org@department.mysuperdomain.onemicrosoft.com</ud>")
1 Like
3

Thank you @bbrks

Currently we still run Sync Gateway 2.8

Is there any difference in 2.8 to your earlier statement?

Also is there a way in Sync Gateway to extend the password limitation from 72 to something longer? What if we generate long password automatically

4

Yes, Sync Gateway 2.8.x had the following regex-based pattern for validation of usernames:

^[-+.@%\w]*$

Notably, this disallows the underscore and tilde in your example.

There is no way to extend the password length limit. You’ll have to adapt your generation policy for SG users to adhere.

Alternatively, you could look at integrating an external auth service using OIDC. If your provider accepts longer passwords this should work just fine since SG will only be dealing with auth tokens.

1 Like