Open mohamadRoc opened 4 years ago
This issue seems to be related to CouchDB more than Apexo. Are you logging to couchdb using admin credentials? Since CouchDB 3.0 there's no admin party, check the release notes
@alexcorvi Yes, I logged in using the admin credentials. I am not sure if it was from the CouchDB side, but I noticed that Apexo didn't store any session token for the DB to use when talking to CouchDB, so it could be from the Apexo side. To prove my idea: after you log in to Apexo, try to refresh the page; it will redirect you to the login page again. I have to mention that I use my localhost to test this; does it make any difference if I use a remote CouchDB?
Try setting "same_site" to "none" in your couchdb configuration (should be found at: http://localhost:5984/_utils/#_config) and please tell me if that resolves the issue.
One more question: do you see a red exclamation mark at the top right of your screen?
@alexcorvi after setting the "same_site" option to "none", the "AuthSession" cookie was added to the cookies, but the issue still exists,
and yes, I see a red exclamation mark at the top.
@alexcorvi sorry, I was wrong: "AuthSession" was added because CouchDB was opened to change the config for "same_site", not because of setting "same_site" to "none".
After investigating more with this issue, I've found out the following:
"samesite" attribute for CORS requests (like how this application works) to "lax", which prevents the application from sending/receiving cookies across sites (web.apexo.app <----> localhost:5984 in your case). Source 1 / Source 2 / Source 3
This can be fixed by setting the configuration "same_site" to "none" in the couchdb configuration file:
[couch_httpd_auth]
same_site = none
However, a cookie can only be "samesite: none" if it's being sent/received as a "secure" cookie, and for it to be secure, it must be served through SSL (HTTPS, not possible with localhost).
"same_site" should be enough to solve it. I think the introduction of a new authentication/authorization mechanism should be enough; however, it must be with the minimum configuration at the CouchDB part.
thank you @alexcorvi, so I can't do anything right now to get it to work on localhost
No, you can't.
And that's just because of the new browser policy: it needs the cookie to be "samesite" & "secure", which can't be achieved without some trickery.
Or you can use an older browser version.
Also, I'm about to release a new executable application (like the one in releases) that might be able to solve this issue.
Describe the bug: if you use a clean and new CouchDB (3.1.0) and try to log in, you will see multiple errors in the console saying:
GET http://localhost:5984/treatments/ 401 (Unauthorized)
n {error: "unauthorized", reason: "You are not authorized to access this db.", status: 401, name: "unauthorized", message: "You are not authorized to access this db.", …} app.js:23 {"error":"unauthorized","reason":"You are not authorized to access this db.","status":401,"name":"unauthorized","message":"You are not authorized to access this db.","result":{"ok":false,"start_time":"2020-08-03T11:37:25.638Z","docs_read":0,"docs_written":0,"doc_write_failures":0,"errors":[],"status":"aborting","end_time":"2020-08-03T11:37:25.791Z","last_seq":0}}
To Reproduce: Steps to reproduce the behavior:
Expected behavior: a clear console with no errors
Additional context: there is no session persistence; after logging in to the app, try to refresh the page and it will redirect you to the login page again, whereas it should keep you on the same page