3.6. Authentication and Authorization

3.6.1. Server Administrators

[admins]

Changed in version 3.0.0: CouchDB requires an admin account to start. If an admin account has not been created, CouchDB will print an error message and terminate.

CouchDB server administrators and passwords are not stored in the _users database, but in the last [admins] section that CouchDB finds when loading its ini files. See :config:intro for details on config file order and behaviour. This file (which could be something like etc/local.ini or etc/local.d/10-admins.ini on a Debian/Ubuntu system installed from packages) should be appropriately secured and readable only by system administrators:

  1. [admins]
  2. ;admin = mysecretpassword
  3. admin = -hashed-6d3c30241ba0aaa4e16c6ea99224f915687ed8cd,7f4a3e05e0cbc6f48a0035e3508eef90
  4. architect = -pbkdf2-43ecbd256a70a3a2f7de40d2374b6c3002918834,921a12f74df0c1052b3e562a23cd227f,10000

Administrators can be added directly to the [admins] section, and when CouchDB is restarted, the passwords will be salted and encrypted. You may also use the HTTP interface to create administrator accounts; this way, you don’t need to restart CouchDB, and there’s no need to temporarily store or transmit passwords in plaintext. The HTTP /_node/{node-name}/_config/admins endpoint supports querying, deleting or creating new admin accounts:

  1. GET /_node/nonode@nohost/_config/admins HTTP/1.1
  2. Accept: application/json
  3. Host: localhost:5984
  1. HTTP/1.1 200 OK
  2. Cache-Control: must-revalidate
  3. Content-Length: 196
  4. Content-Type: application/json
  5. Date: Fri, 30 Nov 2012 11:37:18 GMT
  6. Server: CouchDB (Erlang/OTP)
  1. {
  2.     "admin": "-hashed-6d3c30241ba0aaa4e16c6ea99224f915687ed8cd,7f4a3e05e0cbc6f48a0035e3508eef90",
  3.     "architect": "-pbkdf2-43ecbd256a70a3a2f7de40d2374b6c3002918834,921a12f74df0c1052b3e562a23cd227f,10000"
  4. }

If you already have a salted, encrypted password string (for example, from an old ini file, or from a different CouchDB server), then you can store the “raw” encrypted string, without having CouchDB doubly encrypt it.

  1. PUT /_node/nonode@nohost/_config/admins/architect?raw=true HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  4. Content-Length: 89
  5. Host: localhost:5984
  7. "-pbkdf2-43ecbd256a70a3a2f7de40d2374b6c3002918834,921a12f74df0c1052b3e562a23cd227f,10000"
  1. HTTP/1.1 200 OK
  2. Cache-Control: must-revalidate
  3. Content-Length: 89
  4. Content-Type: application/json
  5. Date: Fri, 30 Nov 2012 11:39:18 GMT
  6. Server: CouchDB (Erlang/OTP)
  8. "-pbkdf2-43ecbd256a70a3a2f7de40d2374b6c3002918834,921a12f74df0c1052b3e562a23cd227f,10000"

Further details are available in security, including configuring the work factor for PBKDF2, and the algorithm itself at PBKDF2 (RFC-2898).

Changed in version 1.4: PBKDF2 server-side hashed salted password support added, now as a synchronous call for the _config/admins API.

3.6.2. Authentication Configuration

[chttpd]

  • require_valid_user

    When this option is set to true, no requests are allowed from anonymous users. Everyone must be authenticated.

    1. [chttpd]
    2. require_valid_user = false

  • require_valid_user_except_for_up

    When this option is set to true, no requests are allowed from anonymous users, except for the /_up endpoint. Everyone else must be authenticated.

    1. [chttpd]
    2. require_valid_user_except_for_up = false

[couch_httpd_auth]

  • allow_persistent_cookies

    When set to true, CouchDB will set the Max-Age and Expires attributes on the cookie, which causes user agents (like browsers) to preserve the cookie over restarts.

    1. [couch_httpd_auth]
    2. allow_persistent_cookies = true

  • cookie_domain

    New in version 2.1.1.

    Configures the domain attribute of the AuthSession cookie. By default the domain attribute is empty, resulting in the cookie being set on CouchDB’s domain.

    1. [couch_httpd_auth]
    2. cookie_domain = example.com

  • same_site

    New in version 3.0.0.

    When this option is set to a non-empty value, a SameSite attribute is added to the AuthSession cookie. Valid values are none, lax or strict.:

    1. [couch_httpd_auth]
    2. same_site = strict

  • auth_cache_size

    Number of User Context Object to cache in memory, to reduce disk lookups.

    1. [couch_httpd_auth]
    2. auth_cache_size = 50

  • authentication_redirect

    Specifies the location for redirection on successful authentication if a text/html response is accepted by the client (via an Accept header).

    1. [couch_httpd_auth]
    2. authentication_redirect = /_utils/session.html

  • iterations

    New in version 1.3.

    The number of iterations for password hashing by the PBKDF2 algorithm. A higher number provides better hash durability, but comes at a cost in performance for each request that requires authentication.

    1. [couch_httpd_auth]
    2. iterations = 10000

  • min_iterations

    New in version 1.6.

    The minimum number of iterations allowed for passwords hashed by the PBKDF2 algorithm. Any user with fewer iterations is forbidden.

    1. [couch_httpd_auth]
    2. min_iterations = 100

  • max_iterations

    New in version 1.6.

    The maximum number of iterations allowed for passwords hashed by the PBKDF2 algorithm. Any user with greater iterations is forbidden.

    1. [couch_httpd_auth]
    2. max_iterations = 100000

  • proxy_use_secret

    When this option is set to true, the couch_httpd_auth/secret option is required for Proxy Authentication.

    1. [couch_httpd_auth]
    2. proxy_use_secret = false

  • public_fields

    New in version 1.4.

    A comma-separated list of field names in user documents (in couchdb/users_db_suffix) that can be read by any user. If unset or not specified, authenticated users can only retrieve their own document.

    1. [couch_httpd_auth]
    2. public_fields = first_name, last_name, contacts, url

  • require_valid_user

    When this option is set to true, no requests are allowed from anonymous users. Everyone must be authenticated.

    1. [couch_httpd_auth]
    2. require_valid_user = false

  • secret

    The secret token is used for Proxy Authentication and for Cookie Authentication.

    1. [couch_httpd_auth]
    2. secret = 92de07df7e7a3fe14808cef90a7cc0d91

  • timeout

    Number of seconds since the last request before sessions will be expired.

    1. [couch_httpd_auth]
    2. timeout = 600

  • users_db_public

    New in version 1.4.

    Allow all users to view user documents. By default, only admins may browse all users documents, while users may browse only their own document.

    1. [couch_httpd_auth]
    2. users_db_public = false

  • x_auth_roles

    The HTTP header name (X-Auth-CouchDB-Roles by default) that contains the list of a user’s roles, separated by a comma. Used for Proxy Authentication.

    1. [couch_httpd_auth]
    2. x_auth_roles = X-Auth-CouchDB-Roles

  • x_auth_token

    The HTTP header name (X-Auth-CouchDB-Token by default) containing the token used to authenticate the authorization. This token is an HMAC-SHA1 created from the couch_httpd_auth/secret and couch_httpd_auth/x_auth_username. The secret key should be the same on the client and the CouchDB node. This token is optional if the value of the couch_httpd_auth/proxy_use_secret option is not true. Used for Proxy Authentication.

    1. [couch_httpd_auth]
    2. x_auth_token = X-Auth-CouchDB-Token

  • x_auth_username

    The HTTP header name (X-Auth-CouchDB-UserName by default) containing the username. Used for Proxy Authentication.

    1. [couch_httpd_auth]
    2. x_auth_username = X-Auth-CouchDB-UserName

[jwt_auth]

  • required_claims

    This parameter is a comma-separated list of additional mandatory JWT claims that must be present in any presented JWT token. A :code 400:Bad Request is sent if any are missing.

    1. [jwt_auth]
    2.     required_claims = exp,iat