Cookie expiration bug

[glynnbird]

When a user authenticates with a CouchDB session

await db.auth('myuser', 'mypassword')

The cookie is stored and everything works... until the cookie expires. The cookie handler (a third-party library) doesn't refresh CouchDB's repeated attempts to refresh the cookie. So after an hour (by default), the session expires and the user is forced to reauthenticate.

This may be a bug that the Cloudant folks spotted in tough-cookie: salesforce/tough-cookie#154

Expected Behavior

If I establish a valid session, and I make nano requests within the cookie expiry window and CouchDB sends a new cookie, the new cookie should be used from that point on.

Current Behavior

Today, only the first cookie is saved and the user's session expires with it.

Steps to Reproduce (for bugs)

const Nano = require('.')
const nano = Nano(process.env.COUCH_URL)

const sleep = async (ms) => {
  return new Promise((resolve, reject) => {
    setTimeout(resolve, ms)
  })
}
const main = async () => {
  await nano.auth(process.env.COUCH_USER, process.env.COUCH_PASSWORD)

  do {
    const r = await nano.db.list()
    console.log(new Date().toISOString(), r.length)
    await sleep(30000)
  } while (1)
}

main()

Wait for an hour.

Your Environment

• Nano 10.1.1, Node 16, Mac M1

[glynnbird]

Fixed in 10.1.2

[YakovL]

Hey @glynnbird , thanks for the fix! However, I've figured that for me the source of the issue is different (I've updated to 10.1.2). It looks like the auth is "forgotten" after I hybernate my laptop and then wake it up again. Sure, this is not a big issue for production as servers are not hibernated normally (I guess), but still this looks like a buggy behavior. Should I create a new issue for this?

[glynnbird]

A couchdb cookie has a lifetime of 60 mins by default. If your client app sleeps for over 60 minutes then it will no longer be authenticated so will not get a refreshed cookie. So if you're planning on being inactive for over an hour you should reauth on wake up. This isn't a bug.

…

On Tue, 31 Jan 2023, 19:25 Yakov Litvin, ***@***.***> wrote: Hey @glynnbird <https://github.com/glynnbird> , thanks for the fix! However, I've figured that for me the source of the issue is different (I've updated to 10.1.2). It looks like the auth is "forgotten" after I hybernate my laptop and then wake it up again. Sure, this is not a big issue for production as servers are not hibernated normally (I guess), but still this looks like a buggy behavior. Should I create a new issue for this? — Reply to this email directly, view it on GitHub <#324 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFKMROU6YCR3BB2MWYVJC3WVFRLPANCNFSM6AAAAAAUHRFMMU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[YakovL]

Right, I see. I'm thinking about a way to make sure we're authorized before each request

private get authedClientPromise(): Promise<nanoClient.ServerScope> {
    return (async () => {
        // TODO: check if we are authed
        // TODO: if not, do this.client.auth(...)
        return this.client
    })()
}

Could you suggested a proper way to do the "is authed" check? I understand that we can send a request, check if we got 401 and try to reauth in that case, but doing this in each method is very WET (although better in terms of performance: the "is authed" check is an additional request).

May be it's possible to check the cookie expiration without a request? I'm not finding a dedicated method for this.

[glynnbird]

@YakovL

You can call:

const doc = await nano.session()

which will tell you if you're logged in or not, and if you are, what permissions you have.

[YakovL]

Great, thanks, currently I'm using something like this

const session = await nano.session()

// 'cookie' when we're good and undefined otherwise
const isAuthed = session.info.authenticated

if(!isAuthed) await nano.auth(user, password)

and it works fine, although this doubles the number of requests to db.