Prevent 401 Authentication Pop-up Using CouchDB PouchDB

For a JavaScript web application (based on AngularJS), I use PouchDB, replicating the CouchDB database on my server. Authentication in PouchDB works great with pouchdb-authentication. I want to manage this via the HTML/JS login screen.

However, if the user enters incorrect credentials, I get 401 Unauthorized from the CouchDB server, which brings up a browser popup asking for credentials.

How can I prevent this ugly authentication popup from appearing and just handle everything from my JavaScript?!

+5
3 answers

Finally, I found a solution:

Edit the configuration of CouchDB local.ini and change the HTTP header sent in response:

 WWW-Authenticate = Other realm="app" 

This is originally

 WWW-Authenticate = Basic realm="administrator" 

or, if it is commented out, that is what is sent anyway. WWW-Authenticate = Basic apparently forces the browser to handle authentication itself (unsuccessfully), showing its modal dialog. Changing Basic to anything else causes the browser to ignore it, and you can deal with the login yourself.

+4

Update 2015.12.18

After many trials, I arrived at the second solution outlined below. All you have to do is install nginx with the headers-more module. Add the following to your nginx config:

    location / {
        # forward all request headers to backend
        proxy_pass_request_headers on;

        # these settings come from the CouchDB wiki
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # your CouchDB backend
        proxy_pass http://127.0.0.1:5984;

        # replace WWW-Authenticate header in response if authorization failed
        more_set_headers -s 401 'WWW-Authenticate: Other realm="App"';
    }

    # location to handle access to Futon
    location /_utils/ {
        # forward all request headers to backend
        proxy_pass_request_headers on;

        # these settings come from the CouchDB wiki
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # your CouchDB backend
        proxy_pass http://127.0.0.1:5984;

        # DO NOT replace WWW-Authenticate header in response if authorization failed
        # more_set_headers -s 401 'WWW-Authenticate: Other realm="App"';

        # Handle redirects
        proxy_redirect default;
    }

And you are all set. You can continue to use pouchdb-authentication or write your own login handler.

Original post

Sorry for posting this as an answer, but I cannot comment (yet).

I am suffering from the same problem; even worse, on OS X the WWW-Authenticate parameter goes down with every restart of CouchDB and is therefore no longer recognized. Therefore, it must be set again after EACH restart using Futon/Fauxton or the API.

You can try playing with the following parameter (see http://docs.couchdb.org/en/1.6.1/api/server/authn.html). Basically, you send your auth request (example in Angular 2):

    // assuming you bootstrapped HTTP_PROVIDERS and injected Http
    // configure headers
    let headers: Headers = new Headers()
    headers.append('Content-Type', 'application/json')
    headers.append('Accept', 'application/json')
    headers.append('Authorization', 'Basic ' + window.btoa(username + ':' + password))

    // using the injected Http instance
    this.http
      // post to _session specifying next and the redirect
      .post(
        'http://localhost:5984/_session?next=/successfullyLoggedInPage',
        JSON.stringify({'name': username, 'password': password}),
        {headers: headers}
      )
      .map((res: Response) => res.json())
      .subscribe(
        (res) => {
          // successful auth
        },
        (err) => {
          if (err.status === 401) {
            // failed auth
          }
        }
      )

In my setup, the web application and CouchDB are served from two different origins. I can only get this working if I disable web security in Chrome, due to cross-origin restrictions. I believe that a reverse proxy could rewrite the redirect response, for example using nginx proxy_redirect (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect).

I believe the best solution is to change the response headers with a reverse proxy. For nginx, there is a module called ngx_headers_more (see https://github.com/openresty/headers-more-nginx-module#readme) that should be able to do this. You can check the response for 401, and then change the header from WWW-Authenticate: Basic to WWW-Authenticate: Other, thus disabling the modal. Basically, Futon/Fauxton should still work then, no? I have not tried this approach yet, but in the nginx location block you need to specify

    more_set_headers -s 401 'WWW-Authenticate: Other realm="App"';

I hope someone more qualified can add their two cents.

+3

I had more or less the same problem, although I use a reverse proxy with the CouchDB proxy authentication handler. When a user tries to do something that he is not allowed to do (creating a database when he is not an administrator), CouchDB returned a 401 response, triggering HTTP basic auth. Not so nice, as the reverse proxy handles authentication based on X509 client certificates. I really think CouchDB should return a 403 response, but this is another discussion.

To fix this, I used your answers, but I don't really want to use the external Nginx module (ngx_headers_more) and really don't like changing the header to a "meaningless" value. Instead, with the existing proxy module in Nginx, you can simply remove WWW-Authenticate altogether:

    proxy_pass http://${COUCHDB_HOSTNAME}:${COUCHDB_PORT};
    proxy_hide_header WWW-Authenticate;

It seems to be working fine. See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header for documentation.

0
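All three answers depend on which scheme, if any, the 401 response advertises in WWW-Authenticate. As an added example (not code from any of the answers), this JavaScript parses a captured header value and reports whether it still offers a scheme the browser handles with its own dialog. The function names and the scheme list (Basic, Digest, NTLM, Negotiate) are assumptions, and the sample header strings are constructed.

```javascript
// Assumption: schemes for which browsers raise their own credential dialog.
const NATIVE_SCHEMES = new Set(['basic', 'digest', 'ntlm', 'negotiate']);

// Split a header value on commas that are not inside a quoted-string.
function splitOutsideQuotes(value) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === '\\' && i + 1 < value.length) {
      current += ch + value[++i]; // keep the escaped character verbatim
    } else if (ch === '"') {
      inQuotes = !inQuotes;
      current += ch;
    } else if (ch === ',' && !inQuotes) {
      parts.push(current.trim());
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current.trim());
  return parts.filter((p) => p.length > 0);
}

// Return the lower-cased auth schemes offered by a WWW-Authenticate value.
function challengeSchemes(headerValue) {
  if (!headerValue) return []; // header absent, e.g. removed by proxy_hide_header
  const schemes = [];
  for (const part of splitOutsideQuotes(headerValue)) {
    // A challenge starts with a bare token; key=value pieces are parameters.
    const m = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:\s+(.*))?$/.exec(part);
    if (m && !(m[2] || '').startsWith('=')) schemes.push(m[1].toLowerCase());
  }
  return schemes;
}

// True when at least one offered scheme is handled by the browser itself.
function wouldPromptNatively(headerValue) {
  return challengeSchemes(headerValue).some((s) => NATIVE_SCHEMES.has(s));
}

// Constructed samples: CouchDB default, rewritten header, hidden header.
for (const v of ['Basic realm="administrator"', 'Other realm="App"', undefined]) {
  console.log(JSON.stringify(v), '->', wouldPromptNatively(v));
}
```

A header that appends the rewritten challenge instead of replacing the original one still contains Basic, which this check reports as prompting.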