perfood / couch-auth

Powerful authentication for APIs and apps using CouchDB (or Cloudant) with Node >= 14
MIT License

requireAuth middleware deletes genuine couchdb users from _users when their username is in an Authorization: Bearer header #69

Closed mugwhump closed 1 year ago

mugwhump commented 1 year ago

Background

I have a few special users in my _users db that weren't created through couch-auth. For example, special-purpose administrative users and a "public" user that can make simple requests to couch via Basic authentication without creating a session. I'd like them to stick around. But any endpoint protected by the requireAuth middleware can be used to delete these users. A basic example:

//endpoint expecting an Authorization: Bearer header validating a couch-auth user
router.get('/protected', couchAuth.requireAuth, function(req, res, next) {
  res.send('This endpoint is protected!');
})

Actual Behavior

A request of the form curl -X GET http://localhost:3000/api/protected -H 'Authorization: Bearer public:madeUpPassword' will delete the user named 'public' from _users.

Expected Behavior

The requireAuth middleware checks that the document in _users identified by the first part of the Bearer credentials is actually a session for a couch-auth user instead of a "normal" couchdb user, and only removes the former. Possibly through the presence of fields like 'user_uid', 'user_id', 'expires', etc.
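The check the issue asks for, as an added example that is not couch-auth's own code: a stand-in for the `_users` lookup that a Bearer-protected endpoint performs, which refuses requests whose credentials name a genuine CouchDB user without ever deleting that document, and cleans up only entries that carry couch-auth session fields and have expired. The field names `user_id`, `user_uid` and `expires` are taken from the suggestion above; the document shapes, the `org.couchdb.user:<name>` id convention, the in-memory `Map` standing in for the database, and the `resolveBearer` and `isCouchAuthSession` helper names are assumptions made for this illustration. Password verification is left out so that the example stays focused on the deletion decision.

```javascript
// Added example (not couch-auth's code): decide what a requireAuth-style
// middleware may do with the _users document named in a
// "Authorization: Bearer <name>:<password>" header.
// Assumed session-document fields: user_id, user_uid, expires (epoch ms).

// Constructed stand-in for the _users database, keyed by document _id.
const usersDb = new Map([
  // A hand-made CouchDB user with no couch-auth session fields at all.
  ['org.couchdb.user:public',
    { _id: 'org.couchdb.user:public', name: 'public', type: 'user', roles: ['reader'] }],
  // An expired couch-auth session entry (assumed shape).
  ['org.couchdb.user:sess-expired',
    { _id: 'org.couchdb.user:sess-expired', name: 'sess-expired', type: 'user',
      roles: [], user_id: 'alice', user_uid: 'uid-alice', expires: 1000 }],
  // A still-valid couch-auth session entry (assumed shape).
  ['org.couchdb.user:sess-live',
    { _id: 'org.couchdb.user:sess-live', name: 'sess-live', type: 'user',
      roles: [], user_id: 'bob', user_uid: 'uid-bob', expires: 5000 }],
]);

// A document is treated as a couch-auth session only when every session
// field is present with the expected type; a plain CouchDB user never
// matches, however its name or roles are set.
function isCouchAuthSession(doc) {
  return typeof doc.user_id === 'string'
    && typeof doc.user_uid === 'string'
    && typeof doc.expires === 'number';
}

// Parse "Bearer <name>:<password>"; anything else is malformed.
function parseBearer(header) {
  const m = /^Bearer\s+([^:\s]+):(\S+)$/.exec(header || '');
  return m ? { name: m[1], password: m[2] } : null;
}

// Returns the action the middleware should take. The database is modified
// only on the one path where the document is provably a couch-auth session
// that has expired; genuine users are rejected but left untouched.
function resolveBearer(db, authorizationHeader, now) {
  const creds = parseBearer(authorizationHeader);
  if (!creds) return { status: 401, action: 'reject', reason: 'malformed' };

  const id = `org.couchdb.user:${creds.name}`;
  const doc = db.get(id);
  if (!doc) return { status: 401, action: 'reject', reason: 'unknown' };

  if (!isCouchAuthSession(doc)) {
    // A real CouchDB user was named in the Bearer header: refuse, keep it.
    return { status: 401, action: 'keep', reason: 'not-a-session' };
  }
  if (doc.expires <= now) {
    db.delete(id); // only couch-auth's own expired session entry is removed
    return { status: 401, action: 'delete', reason: 'expired' };
  }
  // Password verification against the session document would go here.
  return { status: 200, action: 'authenticate', user: doc.user_id };
}

// Reproduce the report's request against the stand-in database.
const verdict = resolveBearer(usersDb, 'Bearer public:madeUpPassword', 3000);
console.log(verdict, 'public still present:', usersDb.has('org.couchdb.user:public'));
```

With this ordering the `isCouchAuthSession` test runs before any delete, so the curl request from the report gets a 401 and the `public` document survives, while an expired session entry is still cleaned up on its next use.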

fynnlyte commented 1 year ago

Yeah this shouldn't be happening. I'll adjust it s.t. only entries in _users are cleared which have expired and local.