问题
I want to connect to my remote couchdb database by using the access token given by couchdb, this can be done by sending a header with :
Cookie: AuthSession={COUCHDB_TOKEN}
I have no problem doing this with curl. However with pouchDB with the following code :
new PouchDB(url, {
ajax: { headers: {'Cookie': 'AuthSession=couchdb_token'} }
});
I got the error :
Refused to set unsafe header "Cookie"
Is there a way of putting this token into a header without having this error ?
I have done research but impossible to find a way to use pouchdb synchronization with a remote database without giving username & password, but those should not be stored client side so..
回答1:
The problem is that the browser is blocking the setting of the 'Cookie' request header as this header is directly managed by the browser. You can not set any of these headers.
You should authenticate with CouchDB using the _session endpoint. This endpoint will respond with a Set-Cookie header that established the AuthSession cookie in the browser which is sent back to CouchDB in the next calls.
What I usually do is to configure a ProxyAuthentication (Note: this was broken in CouchDB 2.0) mode in CouchDB and then use a custom auth header in my application for authentication. This approach is a bit more complex but will allow you to use your application auth token with CouchDB. --- EDIT ---
Please, check if you have the ProxyAuthentication enabled. The logic for the auth token is here. You don't required to call to _session endpoint, just build the token with the proper logic.
-- EDIT2 --
Looking into the CouchDB code the Token is generated in this way:
"X-Auth-CouchDB-Token": hex_hmac_sha1(secret, "user@test.org")
Where:
- secret is the key defined by couch_httpd_auth/secret.
- The user is the one provided in the header X-Auth-CouchDB-UserName
You should reproduce this logic in the client side.
来源:https://stackoverflow.com/questions/48197281/pouchdb-authentication-with-token-cookie-authsession-xyz-lead-to-unsafe-heade