hoodiehq / hoodie-server

:dog: Hapi plugin for Hoodie’s server core module
Apache License 2.0

Doc Update Being Performed by Server Admin instead of Logged In User #545

Closed 509dave16 closed 6 years ago

509dave16 commented 6 years ago

Goal

Perform appropriate validation of operation on Document in a CouchDB validate_doc_update function handler

Summary

  1. In Postman, I can directly PUT a document and have the validate_doc_update handler return a response that indicates the name and roles of the User that attempted the update. This shows exactly what I expect
  2. In the Hoodie Tracker App in the Browser however, adding a document results in a response that indicates that the Server Admin attempted to update the document.
  3. Why is this happening? And can it be fixed? I have seen this also happen in the superlogin package that handles creating per user databases when someone signs up.

Expected

  1. Logged in as davidfall@rocketmail.com in Hoodie Tracker App
  2. I add an item
  3. Error response from CouchDB validate_doc_update function handler should list the name and roles of the logged in user (screenshot: couchdb_postman_request_and_response.png)

Actual

  1. Logged in as davidfall@rocketmail.com in Hoodie Tracker App
  2. I add an item
  3. Error response from CouchDB validate_doc_update function handler lists the name and roles of the Server Admin

    Settings (screenshot: hoodie_db_settings.png)

    Request Body (screenshot: couchdb_browser_request.png)

    Response Body (screenshot: couchdb_browser_error_response.png)

gr2m commented 6 years ago

Hey @509dave16 thanks for the very detailed bug report. Just a heads up that I won’t be able to help myself any time soon, but I hope that one of the other contributors will be able to help out.

509dave16 commented 6 years ago

@gr2m No problem. I think I found what the cause of the issue is since this happened across Hoodie, SuperLogin, and just a plain PouchDB client. PouchDB is somehow using the AuthSession Cookie of the localhost. So if you're logged into the Fauxton portal for CouchDB then that AuthSession Cookie gets used. Made an issue in PouchDB repo: https://github.com/pouchdb/pouchdb/issues/7252. Hopefully this doesn't affect remote CouchDB instances. Haven't tested it though.

509dave16 commented 6 years ago

Closing this issue, since the problem was not with any particular library but with how I was accessing the CouchDB admin with the same hostname as what I was using in the CouchDB client.
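The validate_doc_update check discussed in this thread, as an added example that is not code from hoodie-server, CouchDB or the reporter. It assumes a constructed convention that each document carries an `owner` field holding the writing user's name, and shows how a write that arrives through a shared localhost AuthSession cookie reaches the validator with `name: "admin"` and role `_admin` rather than the Hoodie user, so the handler can surface that instead of accepting the write.

```javascript
// Added example: a CouchDB-style validate_doc_update function, written as a
// plain function so its verdicts can be exercised outside the database.
// CouchDB runs this for every write, including writes by a server admin.
function validateDocUpdate(newDoc, oldDoc, userCtx) {
  const roles = Array.isArray(userCtx.roles) ? userCtx.roles : [];
  const seen = `name=${userCtx.name} roles=[${roles.join(',')}]`;

  // 1. A server admin normally bypasses per-user ownership. Refuse it here so
  //    an unexpected admin session (e.g. a leaked Fauxton cookie) is surfaced
  //    in the response rather than silently writing on the user's behalf.
  if (roles.includes('_admin')) {
    throw { forbidden: `server admin session used for user write (${seen})` };
  }
  // 2. Anonymous writes have no name to compare against.
  if (!userCtx.name) {
    throw { unauthorized: `anonymous write rejected (${seen})` };
  }
  // 3. The writer must own the new revision and any existing revision.
  //    "owner" is a constructed field assumed for this example.
  const owner = newDoc._deleted ? oldDoc && oldDoc.owner : newDoc.owner;
  if (owner !== userCtx.name || (oldDoc && oldDoc.owner !== userCtx.name)) {
    throw { forbidden: `owner mismatch: document owner=${owner} (${seen})` };
  }
}

// Turns the thrown object into the status CouchDB would answer with
// (401 for {unauthorized}, 403 for {forbidden}, 201 when accepted).
function checkWrite(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx);
    return { status: 201, reason: 'accepted' };
  } catch (e) {
    if (e.unauthorized) return { status: 401, reason: e.unauthorized };
    if (e.forbidden) return { status: 403, reason: e.forbidden };
    throw e;
  }
}

// Constructed sample contexts: the Hoodie user from the report, and the
// server admin whose AuthSession cookie was picked up by the browser client.
const HOODIE_USER = { name: 'davidfall@rocketmail.com', roles: ['user'] };
const SERVER_ADMIN = { name: 'admin', roles: ['_admin'] };
const ITEM = { _id: 'item/1', type: 'item', owner: 'davidfall@rocketmail.com' };

console.log(checkWrite(ITEM, null, HOODIE_USER));   // 201 accepted
console.log(checkWrite(ITEM, null, SERVER_ADMIN));  // 403, reason names _admin
```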