Environment:
iOS - Swift
Up-to-date Sync Gateway
A web API
In the current system, user authentication is performed by a custom server.
The auth flow is the following:
1- Ask the custom server for three elements: cookie name, session id, expiration date.
2- Set the auth cookie using this command after getting it from the server:
pull.setCookieNamed(cookie_name!, withValue: sessionId!, path: "", expirationDate: expirationDate, secure: false)
push.setCookieNamed(cookie_name!, withValue: sessionId!, path: "", expirationDate: expirationDate, secure: false)
3- Start the continuous replicators.
The problem is the following:
If I run a DELETE request on the server (to simulate an earlier expiration of a session) on the session endpoint,
DELETE http://localhost:4985/{database}/_user/{userId}/_session
when I try to make changes on the client side, I'm getting the following warning on the console:
WARNING: CBLRestPusher[http://server:4984/database]: _bulk_docs got an error: {
    error = forbidden;
    id = "thisIsADocumentID";
    reason = "missing channel access";
    status = 403;
} {at __40-[CBLRestPusher uploadBulkDocs:changes:]_block_invoke:402}
That means that even if I destroyed the session for that user on the server, the sync function is getting hit by the document.
This is the sync function line that is being hit, I think:
if (doc.channels !== undefined) {
requireAccess(doc.channels);
}
The problem is that this function shouldn’t even be hit.
I found this problem while trying to renew user sessions when they do expire, but the problem is that the warning
is not being stored as an error in the .lastError property of the replicator, so I can't handle the exception to ask
the server for a new cookie.
Is there something I'm doing wrong with the authentication system I'm currently using?
I'm really worried about how users with no valid sessions putting documents could affect the system.
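Added example, not part of the post above and not the poster's configuration. It reflects the editor's understanding of Sync Gateway's authentication path, which the post itself does not state: a request whose session cookie no longer matches a stored session is treated as unauthenticated, and when the GUEST user is enabled such a request still runs the sync function, as GUEST. GUEST has no access to the document's channels, so requireAccess(doc.channels) fails with 403 "missing channel access" instead of the client receiving a 401. Disabling GUEST in the database config makes a revoked or expired session produce a 401 at the door, before the sync function runs. The database name, server and bucket values are placeholders; the sync function body is the fragment quoted in the post, wrapped in the function signature Sync Gateway expects.

```json
{
  "databases": {
    "database": {
      "server": "http://localhost:8091",
      "bucket": "database",
      "users": {
        "GUEST": { "disabled": true }
      },
      "sync": "function (doc, oldDoc) { if (doc.channels !== undefined) { requireAccess(doc.channels); } }"
    }
  }
}
```

The weak form of the same setting is `"GUEST": { "disabled": false }` (with or without `"admin_channels"`); with it, the 403 in the console is the sync function rejecting a write that was never authenticated as the intended user. A quick check after deleting a session on the admin port is to repeat a write against port 4984 with the stale cookie: a 401 means GUEST is off and the session revocation is enforced before the sync function; a 403 means the request was evaluated as GUEST.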