couchdb custom authentication handler

I have to admit that I am fairly new to this topic, especially new to erlang. Currently, I am trying to play around with the various authentication handlers - goal is to have a working "delegated authentication" on facebook, twitter and such.

  1. As far as I understood the oAuth implementation of couchdb is just the opposite of what I need. You can use that to create tokens for couch-users, but not to accept twitter accessTokens/secrets and map that to a couch user.
  2. I found exactly what I need in datacouch - authentication against twitter with nodejs, and after that getting the plaintext password from a private couch and use it with _session-API to create a couch cookie.

Now I am trying to avoid storing the plaintext passwords. I heard about using proxy_authentification_handler, but it seems I am either too inexperienced or even too stupid to use it. I made the (as far as I understood) correct entries in couch_httpd_auth

couch_httpd_auth    auth_cache_size         50
                    authentication_db       _users
                    authentication_redirect /_utils/session.html
                    require_valid_user      false
                    proxy_use_secret        false
                    secret                  xxxxxxxxxxxx
                    timeout                 43200 
                    x_auth_roles            roles
                    x_auth_token            token
                    x_auth_username         uname

and also in section httpd

httpd               allow_jsonp             true
                    authentication_handlers {couch_httpd_auth, proxy_authentification_handler},{couch_httpd_auth, cookie_authentication_handler}, {couch_httpd_auth, default_authentication_handler}
                    bind_address            127.0.0.1
                    default_handler         {couch_httpd_db, handle_request} 
                    port                    5984
                    secure_rewrites         false
                    vhost_global_handlers   _utils, _uuids, _session, _oauth, _users

As also mentioned in the comments in the docs, I set proxy_use_secret to false (for the first steps) to allow authentication without an access token.

When I now do a GET on http://localhost:5984/_utils/config.html?uname=user1&roles=user, that doesn't seem to affect anything...

Anybody ever got that thing running? Am I missing something? Or is there any chance to implement a custom authentication handler without coding erlang?

Thanks a lot for your help

sapien99, asked Feb 23 '12 18:02


1 Answer

The URL parameter isn't doing anything. When you look at the original bug you will see that the username and roles are passed not via the URL but via HTTP headers:

  • X-Auth-CouchDB-UserName : username, (x_auth_username in couch_httpd_auth section)
  • X-Auth-CouchDB-Roles : user roles, list of roles separated by a comma (x_auth_roles in couch_httpd_auth section)
  • X-Auth-CouchDB-Token : token to authenticate the authorization (x_auth_token in couch_httpd_auth section). This token is an HMAC-SHA1 created from the secret key and the username. The secret key should be the same in the client and the CouchDB node; it is the secret key in the couch_httpd_auth section of the ini. This token is optional if no secret key is defined.

Once you provide this header information, authentication actually works as advertised.

stwissel, answered Oct 01 '22 05:10
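The following is an added example (not code from the question, the answer, or CouchDB itself) showing the header exchange the answer describes from both sides: the proxy side builds the three X-Auth-CouchDB-* headers, computing the token as HMAC-SHA1 over the username keyed with the shared secret, and the CouchDB side is mirrored by a verifier that recomputes the token and compares it in constant time. Assumptions: the default header names (the page's config renames them via x_auth_username, x_auth_roles and x_auth_token; the answer lists the defaults), hex encoding of the HMAC digest, and a constructed secret in place of the page's `xxxxxxxxxxxx`.

```python
import hmac
import hashlib

# Default header names read by CouchDB's proxy authentication handler.
# They correspond to x_auth_username / x_auth_roles / x_auth_token in the
# couch_httpd_auth section; the defaults are assumed here.
HEADER_USERNAME = "X-Auth-CouchDB-UserName"
HEADER_ROLES = "X-Auth-CouchDB-Roles"
HEADER_TOKEN = "X-Auth-CouchDB-Token"


def proxy_token(secret: str, username: str) -> str:
    """HMAC-SHA1 of the username, keyed with the shared secret.

    Hex encoding of the digest is an assumption of this example.
    """
    return hmac.new(secret.encode("utf-8"),
                    username.encode("utf-8"),
                    hashlib.sha1).hexdigest()


def proxy_headers(secret: str, username: str, roles: list) -> dict:
    """Headers the authenticating proxy (e.g. the nodejs front end that
    verified the Twitter login) sends to CouchDB for this user.

    The token is only emitted when a secret is configured, matching the
    answer's note that it is optional without a secret key.
    """
    headers = {
        HEADER_USERNAME: username,
        HEADER_ROLES: ",".join(roles),   # comma-separated list of roles
    }
    if secret:
        headers[HEADER_TOKEN] = proxy_token(secret, username)
    return headers


def verify_proxy_headers(secret: str, headers: dict) -> bool:
    """Mirror of the check CouchDB performs when proxy_use_secret is true:
    recompute the token for the claimed username and compare it to the
    presented token. A missing or mismatching token is rejected.

    compare_digest avoids leaking the mismatch position via timing.
    """
    username = headers.get(HEADER_USERNAME)
    token = headers.get(HEADER_TOKEN)
    if not username or not token:
        return False
    return hmac.compare_digest(token, proxy_token(secret, username))


if __name__ == "__main__":
    # Constructed values; the real secret lives in the ini file's
    # couch_httpd_auth/secret entry and is never sent over the wire.
    shared_secret = "constructed-example-secret"
    hdrs = proxy_headers(shared_secret, "user1", ["user"])
    for name, value in hdrs.items():
        print(f"{name}: {value}")
    print("accepted:", verify_proxy_headers(shared_secret, hdrs))

    # A header set that names a different user than the token was minted
    # for is rejected, because the username is part of the HMAC input.
    forged = dict(hdrs, **{HEADER_USERNAME: "admin"})
    print("forged accepted:", verify_proxy_headers(shared_secret, forged))
```

With proxy_use_secret set to false, as in the question's config, CouchDB skips the token check entirely and trusts whatever X-Auth-CouchDB-UserName it receives; that is only safe while the port is reachable solely from the proxy (the question's bind_address of 127.0.0.1 is doing that work). Also note that CouchDB's docs name the handler `proxy_authentication_handler`; the config in the question spells it `proxy_authentification_handler`, which is worth re-checking against the running version's documentation.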