alexcorvi / apexo

A web/desktop application to manage your dental clinic practice.
https://apexo.app
MIT License

login to new couchdb got "unauthorized" #170

Open mohamadRoc opened 4 years ago

mohamadRoc commented 4 years ago

Describe the bug
If you use a clean, new CouchDB (3.1.0) and try to log in, you will see multiple errors in the console saying:

GET http://localhost:5984/treatments/ 401 (Unauthorized)

n {error: "unauthorized", reason: "You are not authorized to access this db.", status: 401, name: "unauthorized", message: "You are not authorized to access this db.", …} app.js:23 {"error":"unauthorized","reason":"You are not authorized to access this db.","status":401,"name":"unauthorized","message":"You are not authorized to access this db.","result":{"ok":false,"start_time":"2020-08-03T11:37:25.638Z","docs_read":0,"docs_written":0,"doc_write_failures":0,"errors":[],"status":"aborting","end_time":"2020-08-03T11:37:25.791Z","last_seq":0}}

To Reproduce
Steps to reproduce the behavior:

  1. Remove all data in 'C:\Program Files\Apache_CouchDB\data' for a fresh setup
  2. Go to 'web.apexo.app'
  3. Log in using CouchDB credentials
  4. See errors in the console

Expected behavior
A clear console with no errors.

Screenshots
[screenshot: unauthorized]

Desktop (please complete the following information):

Additional context
There is no session persistence: after logging in to the app, try refreshing the page and it will redirect you to the login page again, whereas it should keep you on the same page.

alexcorvi commented 4 years ago

This issue seems to be related to CouchDB more than Apexo. Are you logging in to CouchDB using admin credentials? Since CouchDB 3.0 there's no admin party; check the release notes.

mohamadRoc commented 4 years ago

@alexcorvi Yes, I logged in using the admin credentials. I am not sure if it is from the CouchDB side, but I noticed that Apexo didn't store any session token for the DB to use to talk to CouchDB, so it could be from the Apexo side. To prove my idea: after you log in to Apexo, try to refresh the page; it will redirect you to the login page again. I have to mention that I use my localhost to test this; does it make any difference if I use a remote CouchDB?

alexcorvi commented 4 years ago

Try setting same_site to none in your CouchDB configuration (it should be found at: http://localhost:5984/_utils/#_config) and please tell me if that resolves the issue.

-- More on this configuration option

alexcorvi commented 4 years ago

One more question: do you see a red exclamation mark at the top right of your screen? [screenshot]

mohamadRoc commented 4 years ago

@alexcorvi after setting the same_site option to none, "AuthSession" was added to the cookies, but the issue still exists,

and yes, I see a red exclamation mark at the top. [screenshot]

mohamadRoc commented 4 years ago

@alexcorvi sorry, I was wrong: "AuthSession" was added because CouchDB was opened to change the config for "same_site", not because of setting "same_site" to "none".

alexcorvi commented 4 years ago

After investigating more with this issue, I've found out the following:

Details about this Issue

  1. A new browser cookie policy is to set the SameSite attribute for CORS requests (which is how this application works) to Lax, which prevents the application from sending/receiving cookies across sites (web.apexo.app <----> localhost:5984 in your case).

Source 1 / Source 2 / Source 3

  2. This can be fixed by setting the configuration option same_site to none in the CouchDB configuration file:

    [couch_httpd_auth]
    same_site = none

    More about this / Discussion / Related PR / 3.0.0 Changelog

  3. However, a cookie can only be SameSite=None if it's being sent/received as a Secure cookie, and for it to be Secure, it must be served through SSL (HTTPS, not possible with localhost).

Source

What does this issue imply

How to solve this issue

I think the introduction of a new authentication/authorization mechanism should be enough, however it must be with the minimum configuration at the CouchDB part.
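The three rules in the comment above (cross-site XHR defaults to Lax, None needs Secure, Secure needs HTTPS) decide whether the AuthSession cookie ever reaches CouchDB. The following Python script is an added example, not code from Apexo or CouchDB: it parses a Set-Cookie header of the shape CouchDB's /_session endpoint returns (the token value is constructed) and reports whether a browser running the app at one origin would store the cookie and attach it to a cross-site request to the database origin. The "site" computation is a deliberate simplification (last two host labels, so localhost is its own site) and the rules are exactly the thread's; real browsers add further nuance, for example special handling of localhost in newer versions.

```python
from urllib.parse import urlparse

# Constructed sample: the shape of the Set-Cookie header CouchDB's
# /_session endpoint returns. The token value is made up.
COUCHDB_SESSION_COOKIE = "AuthSession=Zm9vOjEyMzQ1Njc4OmFiY2Q; Version=1; Path=/; HttpOnly"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map.
    Flag attributes (Secure, HttpOnly) map to True; valued ones to their string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def site_of(origin: str) -> str:
    """Approximate the schemeful 'site' of an origin as scheme + registrable domain.
    Simplification (assumption): the registrable domain is the last two host
    labels; a single-label host such as localhost is its own site."""
    url = urlparse(origin)
    labels = (url.hostname or "").lower().split(".")
    return f"{url.scheme}://{'.'.join(labels[-2:])}"


def cookie_sent_cross_site(set_cookie: str, app_origin: str, db_origin: str):
    """Return (sent, reason): would a browser running the app at app_origin store
    the cookie set by db_origin and attach it to an XHR back to db_origin?
    Rules encoded, as stated in the thread:
      - a Secure cookie is only stored when it was set over HTTPS;
      - SameSite=None is only accepted together with Secure;
      - a missing SameSite is treated as Lax, which blocks cross-site XHR."""
    attrs = parse_set_cookie(set_cookie)["attrs"]
    same_site = attrs.get("samesite")
    same_site = same_site.lower() if isinstance(same_site, str) else "lax"
    secure = attrs.get("secure") is True
    db_https = urlparse(db_origin).scheme == "https"

    if secure and not db_https:
        return False, "secure-cookie-set-over-http"
    if same_site == "none" and not secure:
        return False, "samesite-none-without-secure"
    if site_of(app_origin) == site_of(db_origin):
        return True, "same-site"
    if same_site in ("lax", "strict"):
        return False, f"samesite-{same_site}-blocks-cross-site-xhr"
    return True, "cross-site-allowed"


if __name__ == "__main__":
    # Walk through the configurations discussed in the issue.
    scenarios = [
        ("default config, localhost", COUCHDB_SESSION_COOKIE,
         "https://web.apexo.app", "http://localhost:5984"),
        ("same_site = none, localhost", COUCHDB_SESSION_COOKIE + "; SameSite=None",
         "https://web.apexo.app", "http://localhost:5984"),
        ("same_site = none + Secure, localhost", COUCHDB_SESSION_COOKIE + "; SameSite=None; Secure",
         "https://web.apexo.app", "http://localhost:5984"),
        ("same_site = none + Secure, remote HTTPS", COUCHDB_SESSION_COOKIE + "; SameSite=None; Secure",
         "https://web.apexo.app", "https://couch.example.com:6984"),
    ]
    for label, cookie, app, db in scenarios:
        sent, why = cookie_sent_cross_site(cookie, app, db)
        print(f"{label:40s} -> {'sent' if sent else 'blocked':7s} ({why})")
```

Running it reproduces the thread's conclusion: with the default config the cookie is blocked as Lax, with same_site = none alone it is rejected for lacking Secure, with Secure over plain-HTTP localhost it is never stored, and only a remote HTTPS CouchDB with SameSite=None; Secure gets the cookie through.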

mohamadRoc commented 4 years ago

thank you @alexcorvi, so I can't do anything right now to get it to work on localhost?

alexcorvi commented 4 years ago

> thank you @alexcorvi, so I can't do anything right now to get it to work on localhost?

No, you can't. And that's just because of the new browser policy: it needs the cookie to be SameSite & Secure, which can't be achieved without some trickery. Or you can use an older browser version.

Also, I'm about to release a new executable application (like the one in releases) that might be able to solve this issue.