apache / couchdb

Seamless multi-master syncing database with an intuitive HTTP/JSON API, designed for reliability
https://couchdb.apache.org/
Apache License 2.0

CouchDB v3.4.1 return 403 on GET /_session with a wrong password #5315

Open H--o-l opened 1 month ago

H--o-l commented 1 month ago

Description

This morning I upgraded one node of my CouchDB cluster to v3.4.1 while the two other nodes of the cluster are still on CouchDB v3.3.3.

Since then, I have had multiple exceptions on my backend related to users using the wrong password and CouchDB returning an HTTP status 403 instead of the usual HTTP status 401.

Usually, I catch the 401 to return a nice message to users so they can understand what's wrong. But since the update, for some users (not all users and I don't know why on these users specifically) CouchDB returns an unexpected 403 on the GET /_session. This has pushed me to create a temporary urgent release where I catch both the 401 and the 403 to return a nice error in both cases.

The CouchDB documentation for v3.4.1 is explicit: the route should only return HTTP 200 or HTTP 401, not HTTP 403.

Steps to Reproduce

I don't know for sure; I wasn't able to code a reproducer, and it happens only on my production servers. There is something on the production cluster that makes the case appear:

Expected Behaviour

GET /_session should always return HTTP 200 or HTTP 401, never HTTP 403.

Your Environment

Additional Context

I don't know, you tell me!

iilyak commented 1 month ago

This is a feature added recently https://github.com/apache/couchdb/blob/main/rel/overlay/etc/default.ini#L1074. Probably the API docs need to be updated.

\cc @rnewson

rnewson commented 1 month ago

agree, the docs need updating. what a chore :(

H--o-l commented 1 month ago

OK, understood, thanks. What about the changelog, did the change appear inside it? Because I read it carefully before doing the update and I haven't noticed that change. It would have avoided inconvenience for my users if I had been able to notice it before the update.

rnewson commented 1 month ago

The new lockout support was documented in the changelog (https://docs.couchdb.org/en/stable/whatsnew/3.4.html), but we (I) didn't update the api docs to list 403 as a possibility for all endpoints, we'll sort that out.
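An added example, not code from this thread or from CouchDB itself, of what a client such as the reporter's backend needs to do once 3.4 nodes can answer 403: classify the status of GET /_session instead of catching only 401, and treat 403 as "wait" rather than "try the password again". The FakeCouch node, its threshold of three failed attempts, its reset-on-success rule and its JSON bodies are constructed for the demo and are not CouchDB's real lockout parameters or messages; the only behaviour taken from the thread is 200 on success, 401 on a wrong password and, from 3.4, 403 once the lockout trips.

```python
"""Client-side handling of GET /_session across CouchDB 3.3 and 3.4 nodes."""
import base64
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class SessionResult(Enum):
    OK = "ok"                            # HTTP 200
    BAD_CREDENTIALS = "bad_credentials"  # HTTP 401: wrong name or password
    LOCKED_OUT = "locked_out"            # HTTP 403: login lockout (3.4+)
    UNEXPECTED = "unexpected"            # anything else: surface as an error


# A transport performs the request and returns (status, headers, body).
# In production this wraps your HTTP client; the demo uses FakeCouch below.
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def check_session(transport: Transport, user: str, password: str) -> SessionResult:
    """Classify the response to GET /_session.

    403 gets its own bucket: a locked-out user should be told to wait, not
    to retry the password, since every further attempt is another failure
    counted against the lockout.
    """
    status, _headers, _body = transport("/_session", basic_auth_header(user, password))
    if status == 200:
        return SessionResult.OK
    if status == 401:
        return SessionResult.BAD_CREDENTIALS
    if status == 403:
        return SessionResult.LOCKED_OUT
    return SessionResult.UNEXPECTED


@dataclass
class FakeCouch:
    """Offline stand-in for a single CouchDB node (constructed for this demo).

    lockout_enabled=False mimics a 3.3 node, which only ever answers 401.
    max_failures, the reset-on-success rule and the JSON bodies are
    assumptions of the demo, not CouchDB's real lockout behaviour.
    """
    users: Dict[str, str]
    lockout_enabled: bool = True
    max_failures: int = 3
    failures: Dict[str, int] = field(default_factory=dict)

    def __call__(self, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        assert path == "/_session"
        raw = headers.get("Authorization", "")
        if not raw.startswith("Basic "):
            return 401, {}, '{"error":"unauthorized","reason":"no credentials (demo)"}'
        user, _, password = base64.b64decode(raw[6:]).decode().partition(":")
        if self.lockout_enabled and self.failures.get(user, 0) >= self.max_failures:
            # Locked: refuse even a correct password until the lock expires.
            return 403, {}, '{"error":"forbidden","reason":"locked out (demo)"}'
        if self.users.get(user) == password:
            self.failures[user] = 0
            return 200, {}, '{"ok":true,"userCtx":{"name":"%s"}}' % user
        self.failures[user] = self.failures.get(user, 0) + 1
        return 401, {}, '{"error":"unauthorized","reason":"wrong password (demo)"}'


def attempt_sequence(node: Transport, user: str, password: str, n: int) -> List[SessionResult]:
    """Run n login attempts against one node and return the results in order."""
    return [check_session(node, user, password) for _ in range(n)]


if __name__ == "__main__":
    node34 = FakeCouch(users={"alice": "s3cret"})                          # lockout on
    node33 = FakeCouch(users={"alice": "s3cret"}, lockout_enabled=False)   # 3.3-style
    print("3.4:", [r.value for r in attempt_sequence(node34, "alice", "wrong", 5)])
    print("3.3:", [r.value for r in attempt_sequence(node33, "alice", "wrong", 5)])
```

Run as a script it prints five 401-style results for the 3.3-style node and three 401s followed by two 403s for the 3.4-style node, which is the mixed picture a client sees while a cluster is half upgraded: the same wrong password produces a different status depending on which node answers.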

H--o-l commented 1 month ago

OK, my bad, thanks for the answer. I'll let you see to it, then, and you can close the issue when you want :+1: