Hi all,
I am using Couchbase Sync Gateway 1.0.1, and I send a POST request to my local Sync Gateway with the wrong password for a user, but get a 200 response as follows:
Request:
curl -i -X POST -H "Content-Type:application/json" -d '{"name":"testuser","password":"111111"}' http://127.0.0.1:4985/todos/_session
Response:
HTTP/1.1 200 OK
Content-Length: 140
Content-Type: application/json
Server: Couchbase Sync Gateway/1.00
Date: Mon, 20 Apr 2015 06:46:30 GMT
{"session_id":"ded8c7494d686a9506fe3109a64b153751e7ba9b","expires":"2015-04-21T14:46:30.431172986+08:00","cookie_name":"SyncGatewaySession"}
I think I should get a 403 error or the same error, not 200 with session_id, because I cannot judge if the user's password is correct.
By the way, I can get a 404 error if the user does not exist, or get 200 with session_id if the user and password are correct.
I can get 200 with session_id when I only provide name arguments like this:
Hi,
I’m resurrecting an old post because my query is basically the same and I don’t feel it’s been fully answered. I can submit this as a new thread if you prefer.
I have also read the Google Groups thread linked by atom_yang. I don’t know if I’m better posting this here or in the Google thread. I think it’s bad form to post the same question in both, so I will post it here for now. However, please let me know if it would be better to post there. If I don’t get a response to this today, I’ll post on that group tomorrow.
I am trying to write an http handler using sync gateway to perform a user login. Ideally I would like to set the ttl time.
If I start a session using the admin port (4985), I can do this. However, it ignores the password, so any password works.
If I start a session using the public port (4984), it uses the password and fails if this is wrong. However, it’s not possible to set a ttl time.
What is the best method to start a session with both password authentication and a custom ttl time?
The only solution that I can think of is to create a session with port 4984. If that works, log out of that session and create a new session with 4985. Is this the recommended method?
I think it works, but it's not the best.
In my case, I can accept using the public port (default is 4984) that cannot set ttl time, because using a static password is not secure enough.
I think you should use a custom auth service to handle the custom auth as andy said above, and then use the admin port (default is 4095) to set ttl time and create a session.
Thanks atom_yang.
So just to reiterate and get it straight in my mind, the custom auth is NOT done by requesting a session from couch sync gateway. Once the custom auth service has verified the password, you then use the admin port to create a session without password (as it’s ignored). Is this correct?
Is there any info on the custom auth service? I don’t really understand what this involves.
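
A sketch of the flow discussed in this thread, added here as an example; it is not part of any post above and is not Couchbase's own code. It checks the password in the auth service itself, then requests a session with a custom TTL from the admin port, which does not check passwords. The user store, function names and PBKDF2 parameters are assumptions; the URL is the one from the first post, and `ttl` (in seconds) is the admin session request field.

```python
import hashlib, hmac, json, os, urllib.request

# Admin URL from the first post. Keep this port reachable only by the auth service.
ADMIN_URL = "http://127.0.0.1:4985/todos/_session"

def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest) for the auth service's own user store."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(users, name, password):
    """Constant-time check; an unknown user costs the same work as a known one."""
    salt, stored = users.get(name, (b"\0" * 16, b""))
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

def admin_post(url, body):
    """Default transport: POST JSON to the Sync Gateway admin API."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def login(users, name, password, ttl_seconds, post=admin_post):
    """Verify the password here, then ask the admin port for a session.

    The admin port ignores passwords, so this check is the only gate.
    Returns the session dict, or None when authentication fails.
    """
    if not verify_password(users, name, password):
        return None  # caller answers 401; the admin API is never contacted
    return post(ADMIN_URL, {"name": name, "ttl": ttl_seconds})

if __name__ == "__main__":
    # Constructed sample user store (hypothetical): name -> (salt, digest)
    users = {"testuser": hash_password("correct horse")}
    fake = lambda url, body: {"session_id": "constructed", "sent": body}
    print(login(users, "testuser", "111111", 1800, post=fake))         # None
    print(login(users, "testuser", "correct horse", 1800, post=fake))  # session dict
```

The service then returns the `session_id` to the client as the `SyncGatewaySession` cookie, so clients only ever talk to the auth service and the public port.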