PouchDB authentication with token (Cookie: AuthSession=xyz) leads to unsafe header "Cookie"


I want to connect to my remote couchdb database by using the access token given by couchdb, this can be done by sending a header with :

Cookie: AuthSession={COUCHDB_TOKEN}

I have no problem doing this with curl. However with pouchDB with the following code :

new PouchDB(url, {
    ajax: { headers: {'Cookie': 'AuthSession=couchdb_token'} }
});

I got the error :

Refused to set unsafe header "Cookie"

Is there a way of putting this token into a header without having this error ?

I have done research but impossible to find a way to use pouchdb synchronization with a remote database without giving username & password, but those should not be stored client side so..

Solution

The problem is that the browser is blocking the setting of the 'Cookie' request header as this header is directly managed by the browser. You can not set any of these headers.

You should authenticate with CouchDB using the _session endpoint. This endpoint will respond with a Set-Cookie header that establishes the AuthSession cookie in the browser, which is sent back to CouchDB in the next calls.

What I usually do is to configure a ProxyAuthentication (Note: this was broken in CouchDB 2.0) mode in CouchDB and then use a custom auth header in my application for authentication. This approach is a bit more complex but will allow you to use your application auth token with CouchDB.

--- EDIT ---

Please check if you have ProxyAuthentication enabled. The logic for the auth token is here. You don't need to call the _session endpoint, just build the token with the proper logic.

-- EDIT2 --

Looking into the CouchDB code the Token is generated in this way:

"X-Auth-CouchDB-Token": hex_hmac_sha1(secret, "user@test.org")

Where:

  • secret is the key defined by couch_httpd_auth/secret.
  • The user is the one provided in the header X-Auth-CouchDB-UserName

You should reproduce this logic in the client side.
