Disable a particular CouchDB user's password temporarily - authentication

Can I disable login for a particular CouchDB user while leaving their user doc in the authentication database?
This question is similar to How to temporarily disable particular user in couchdb?, but in that case the actual question was how to "temporarily disable particular user read/write access" [emphasis mine].
What I am trying to do is to completely prevent a user from login until a password is set.

The behavior isn't necessarily guaranteed by the CouchDB maintainers in the future, but inspired by the Unix password lockout feature it seems possible to do this in practice by replacing at least the derived_key field with a bogus value like "*" or "!".
For example, this user could login in by providing a certain password:
{
"_id": "org.couchdb.user:test",
"name": "test",
"roles": [],
"type": "user",
"password_scheme": "pbkdf2",
"iterations": 10,
"derived_key": "e7666ce1536488d8c0ceb2b2e9baf25d83e1d720",
"salt": "8b7ea88d05181c77553169354decb0b7"
}
By replacing the scheme-relevant fields with garbage data, the user is no longer able to log in while the CouchDB logs do not register any particular upset/crash:
{
"_id": "org.couchdb.user:test",
"name": "test",
"roles": [],
"type": "user",
"password_scheme": "pbkdf2",
"iterations": 10,
"derived_key": "!",
"salt": "-some other random nonce-"
}
I have not completely confirmed, though, how this gets handled inside of CouchDB. My read of the authenticate logic and how it interacts with the its pbkdf2 implementation is that the stored derived_key is compared as a raw byte string to the re-calculated one and thus there would be no way to generate a collision. So this should always disable the account. (As opposed to a situation where, say, the stored "!" is optimistically expected to be hex of a certainly length and gets quietly "coerced" to a buffer of all zeroes in any case where parsing fails or something…then it might be possible to find an input password such that the result looks correct. Leaving the salt set to a new random-but-valid nonce value would presumably keep a bypass like that prohibitive in practice.)

Related

FusionAuth Lambdas

I want to use the lambda feature of FusionAuth to populate the JWT depending on which app the user logins, because a same user can log into different apps and have several roles or groups in it. I don't want the JWT being populating of every role, being a role action that the user can make into the app(following the NIST RBAC model it will be permissions like 'read:attentions' or 'delete:tests') because it could be dozens of them (syze reasons), instead of that i want the JWT to be populated with the Groups the user has it that specific app. I tried assigning the roles property with empty array but not succeed. I know that the tool by default dont allow you to change the roles property, but there is a way to delete it?.
function populate(jwt, user, registration) {
jwt.group = registration.data.group;
jwt.roles = [];
}
Anyway the token keeps having the roles, how can i remove them?
{
"aud": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"exp": xxxxxxx,
"iat": xxxxxxx,
"iss": "acme.com",
"sub": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"authenticationType": "PASSWORD",
"email": "xxxxxxx#mail.com",
"email_verified": true,
"applicationId": "xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx-xxxxxxx",
"roles": [
"read:attentions",
"write:attentions"
],
"group": "financer"
}
The roles claim is reserved by FusionAuth and cannot be modified by a Lambda. There is an open feature that is scheduled to be complete in the upcoming release to loosen this restriction.
Once this feature is delivered you will have the option to remove or modify the roles claim.
The current reserved claims are outlined in the JWT Populate Lambda documentation.

Zapier basic auth pass blank data

I have been trying to create an app in Zapier for one of my project. On the very first step, I am doing Authentication where I choose "Basic Auth" method. I have set API URL along with details, however cannot see the expected result and seeing error in my API return value. After debugging, I found that API doesn't get the value I pass thru the Zapier. I have checked the same API in postman and it works, however it only doesn't work thru the Zapier.
Below is even more detail how I proceed, what is expected result and what I am getting:
Process we're following
We have created an App
We went to Authentication step, there we have selected “Basic Auth” option
Under the Basic Auth, we have configure with setting end point and method is “Post”
We have set our field names as Key and as value we have set “{{bundle.authData.password}” and “{{bundle.authData.username}}” in order to field mapping
Then came to Step 2 to test the authentication
Under the “Test Setup”, we have connected the current Zapier account and clicked on “Test Authentication”
This process doesn’t post any value in parameters. Hope I could explain the issue, please help us to find where we’re going wrong.
Expected Result
{
"data": {
"first_name": "Dhaval",
"last_name": "Parekh",
"email_address": "dhaval.php#gmail.com",
"phone_no": "1234567890",
"user_id": "7oiA****",
"token_id": "zNkzT***"
},
"resend_verification_link": false,
"status": true,
"message": "You have successfully Logged in!!"
}
Actual Result
{
"resend_verification_link": false,
"status": false,
"message": "The password must contain a minimum of one lower case character. one upper case character, one digit"
}
What I understand after spending too much time, is it doesn't send the data with post method and hence I'm getting this issue. While it works fine with the Get Method. So, should I consider that Basic Auth will only with work with "Get" method in Zapier? Or I'm missing any piece to include here?
Please let me know what is missing? Or even I'm going thru the wrong root. I want to create an app in Zapier to allow other apps to connect.

IBM Domino 10 - integrating with Resource Reservations via Domino Data Services API

We're trying to integrate with IBM Domino via REST API to pull out information about reservations/events in a specific room and also be able to create new events/reservations remotely. We already integrated with other services such as Microsoft Exchange, but IBM seems to be the toughest of them all.
I studied deeply into it and read thousands of articles & stack overflow questions, and got pretty far but still can't make any real use out of it.
What I currently plan on doing is this:
Pull information about reservations from /api/data/collections/name/($Reservations) or ($Calendar)
Create events/reservations using the documents api, POSTing to /api/data/documents?form=Reservation, I already tried doing it and my reservation even showed in Domino Admin (not in Notes client though), but it had some errors (probably just some json problem on my side)
While it looks kinda clear and easy, it really isn't. I have a few questions:
How can I get reservations/calendar for a specific room? ($Calendar) returns all events in the database, not even including in which room it is, to get that information I would need to additionally query each reservation by it's unid and that would probably kill the entire app
Is there any way I could filter/search the /api/data/documents to return only documents whose form field has a value of Reservation or any other value? This way I could get all the reservation documents without querying each of the documents directly (/api/data/documents only returns the href to the document without any interesting data), I wouldn't also need to additionally enable DAS for each view I want to use.
What are the fields like $25 returned in the json, and how can I know what's their purpose if they don't have any real name? They often contain interesting data, such as the room name.
I also looked into the FreeBusy api service, and it's pretty interesting and I could easily use it to look for reservations (/busytimes) in the room I want, if it ever returned what resource/reservation is causing the busy time. It just shows the start and end time, nothing else..
I also read suggestions that one should create a 'main' user to handle the reservations and use his calendar api (/api/calendar/events), but afaik it can't be done that way.
However I tried creating events in the users calendar in specified room, and kinda got it to work by adding the following attendee in the json |(PHP syntax, actually):
'organizer' => [ 'email' => 'admin/test#test.com' ],
'attendees' => [
[
'role' => 'req-participant',
'userType' => 'room',
'status' => 'accepted',
'rsvp' => true,
'email' => 'testroom#test.com',
],
],
But it doesn't really get displayed in the room reservations, unlike normal events created in IBM Notes. It also cannot be edited or deleted in IBM Notes, and it has "Accepted: " in front of the subject, and it says "attendance is delegated for admin". To delete it, I need to delete it via API through its unid directly. x-lotus-noticetype is being set to A so I guess it's not being treated as a meeting but as an notice, no idea why though.
I'd really like some help or suggestions on how I could get this working, are there any other ways that would have any sense?
Edit:
After struggling a lot and reading Dave's reply, I think it would be a good solution to have a single user that would do the reservations via calendar api, because the direct data api probably won't work. I could just only pull the list of all reservations from Rooms database ($Calendar) or ($Reservations) view, or make some sort of my own view.
However! I cannot get the calendar method to work on my local IBM Domino server. Dave pointed to me that I need to specify a valid email (internet address) of the organizer, so I set my user's internet address to testmail#test.test (test.test is mapped to 127.0.0.1 in the hosts file). Now as soon as I try to use that address like that:
"organizer": {
"email": "testmail#test.test"
}
I cannot even create the event/reservation (through /mail/admin.nsf/api/calendar/events), it's returning 500 internal error with cserror 1026, and Domino logs
[CS API]> Error | calendarapi.c(379) : There was an error sending out notices to meeting participants. (0x8E4)
Error connecting to server test/test: The remote server is not a known TCP/IP host.
So it has a problem with sending the notice, and doesn't create the event at all. I thought it may not work with localhost, so I set my users email to an external mail service, and I even received the email, but the event was still created incorrectly (x-lotus-noticetype A is being added automatically and overrides whatever I send as the value), it's not visible in the Room Reservations database.
Here's the json object of an event created via Notes client:
"events": [
{
"href":"\/mail\/admin.nsf\/api\/calendar\/events\/2B35FABBC50EA4D0C12583BC002E26FA-Lotus_Notes_Generated",
"id":"2B35FABBC50EA4D0C12583BC002E26FA-Lotus_Notes_Generated",
"summary":"Notes client meeting",
"location":"Test room\/Test site#test",
"start": {
"date":"2019-03-13",
"time":"09:30:00",
"tzid":"Central European Standard Time"
},
"end": {
"date":"2019-03-13",
"time":"10:30:00",
"tzid":"Central European Standard Time"
},
"class":"public",
"transparency":"opaque",
"sequence":0,
"last-modified":"20190313T082436Z",
"attendees": [
{
"role":"chair",
"status":"accepted",
"rsvp":false,
"displayName":"admin\/test",
"email":"testmail#test.test"
},
{
"role":"req-participant",
"userType":"room",
"status":"needs-action",
"rsvp":true,
"displayName":"Test room\/Test site",
"email":"room#test.test"
}
],
"organizer": {
"displayName":"admin\/test",
"email":"testmail#test.test"
},
"x-lotus-broadcast": {
"data":"FALSE"
},
"x-lotus-notesversion": {
"data":"2"
},
"x-lotus-appttype": {
"data":"3"
}
}
]
As you can see, Notes is able to create the event with testmail#test.test successfully.
Now here's an event created with my API, but with admin/test#test.test as the organizer's email (because normal email doesn't let me create the event):
"events": [
{
"href":"\/mail\/admin.nsf\/api\/calendar\/events\/E1D1F752203FC2DFC12583BC002FCB12-Lotus_Auto_Generated",
"id":"E1D1F752203FC2DFC12583BC002FCB12-Lotus_Auto_Generated",
"summary":"Api reservation test",
"location":"Test room\/Test site#test\r\nCN=Test room\/O=Test site",
"description":"API Generated event\r\n",
"start": {
"date":"2019-03-20",
"time":"11:00:00",
"utc":true
},
"end": {
"date":"2019-03-20",
"time":"15:00:00",
"utc":true
},
"class":"public",
"transparency":"opaque",
"sequence":0,
"last-modified":"20190313T084201Z",
"attendees": [
{
"role":"chair",
"status":"accepted",
"rsvp":false,
"displayName":"admin\/test",
"email":"testmail#test.test"
},
{
"role":"req-participant",
"userType":"room",
"status":"needs-action",
"rsvp":true,
"displayName":"Test room\/Test site",
"email":"room#test.test"
}
],
"organizer": {
"displayName":"admin\/test",
"email":"testmail#test.test"
},
"x-lotus-broadcast": {
"data":"FALSE"
},
"x-lotus-notesversion": {
"data":"2"
},
"x-lotus-noticetype": {
"data":"A"
},
"x-lotus-appttype": {
"data":"3"
}
}
]
As you can see, the organizer's & chair emails were automatically updated by Lotus to testmail#test.test, and theorethically everything should work but it doesnt. In Notes, I see the event as 'Accepted: Api reservation test' and I cannot modify things like the room, or don't have the option to delete it from right click menu (I can delete it with Del keyboard button though)
The only difference is that x-lotus-noticetype get's added, and I don't even know why
Edit 2:
I got it to work! Dave pointed that I may have some configuration issue, so I re-installed the server & setup everything again (including the mail services), I used admin#test.test and the meeting was succesfully created & added to the room reservations. Server console only showed that the message was delivered.
HOWEVER! I was able to create as many identical meetings as I wanted, they weren't added to the reservations database but they were succesfully created in my calendar (with the room assigned to them) without any errors (not even in the sever console), this is obviously bad. Is there any way to check (externally, through API) if the reservation was created succesfully, and prevent it's creation if the room is busy at that moment? Notes client prompts an error when the room is busy. I could probably use FreeBusy api, however that would require another HTTP request before each reservation attempt, but if that's the only way then I'll just take it. I see that the status field of the attendeed room is set to declined, but the response from POST still contains needs-action so I'd need to do some delayed request once again to check if the status has changed to declined or not.
Also, while it works, I still don't know how I could obtain a list of reservations in a selected room? The already existing views in Reservations database don't give many details, and they need to be exclusively enabled DAS services in order to work. Is there any other way that could work properly?
Another thing is, is there any way I could get current user's email address to use for the reservations, or can I only 'hardcode' it manually? Same goes for room's email. Currently, I need to have:
User name
User password
User mail database (/mail/admin.nsf/)
User email
Room email
and if I'd want to read some data from the Reservations database directly, then I'd also need to have the path to that database. This isn't really user-friendly, I'd like to automate some things if possible. Otherwise the integration may be impossible to make.
The reservation database was designed to manage reservations either (1) directly through it's own UI, or (2) indirectly by auto-processing notifications from calendar users. By using the DAS data API, you are asserting you can manage reservations (3) programmatically -- by manipulating the low-level document items. You might get this to work, but I don't think the reservation database was designed with that in mind.
That's why I think this answer is the best option. It leverages auto-processing (#2 above) and saves you from dealing with the internal design of reservation documents. If you use this approach, you should give the DAS calendar API a list of attendees like this:
"attendees":[
{
"role":"req-participant",
"userType":"room",
"status":"needs-action",
"rsvp":true,
"email":"room#mycorp.com"
}
]
In other words, status must be "needs-action" -- not "accepted" as shown in your original post. Also, make sure you are using the correct email address for both the organizer and the target room. The above example shows an Internet-style address for the room, but administrators don't always give a room an Internet address.

slashDB accessing a database via POST request and using APIkey yields 403 error

Question about security for POST method of HTTP:
I made a user called "MyAPP":
{
"userdef": [
"view",
"create"
],
"api_key": "dzn8k7hj2sdgddlvymfmefh1k2ddjl05",
"user_id": "MyAPP",
"name": "MyAPP",
"creator": "admin",
"edit": [],
"dbdef": [
"view",
"create"
],
"querydef": [
"view",
"create"
],
"databases": {
"Gaming": {
"dbuser": "mydbuser_here",
"dbpass": "mypass_here"
}
},
"password":
"$6$rounds=665736$x/Xp0k6Nj.5qzuM5$G.3w6Py1s.xZ83RHDU55qonNMpJe4Le8nD8PqjYKoOtgbab7T22knJPqwHspoT6BQxp.5gieLFuD0SdD9dyvi/",
"email": "",
"view": []
}
Then I wanted to issue a POST in order to execute a SQL Pass-thru
such as this:
http:///query/InsertBestScore/Score/99/ScreenName/GollyGolly.xml?apikey=dzn8k7hj2sdgddlvymfmefh1k2ddjl05
Where I built a query and named it "InsertBestScore":
insert into Gaming.Leaderboard
(ScreenName, Score)
values
(:ScreenName, :Score);
If I run this via POSTMAN using the POST method:
... then I get an access, 403 :
<?xml version="1.0" encoding="utf-8"?>
<SlashDB>
<http_code>403</http_code>
<description>Access was denied to this resource. Please log in with your username/password or resend your request with a valid API key.</description>
<url_template>/query/InsertBestScore/Score/{Score}/ScreenName/{ScreenName}.xml</url_template>
</SlashDB>
Also, I would be calling this POST (or PUT) request from an application, in my case a Python program running from within a AWS Lambda Function.
Now, I came across this in the documentation:
Two parameters API key
SlashDB also allows a two parameters credentials in this authentication method - app id and api key. This may come handy when integrating with API management systems like 3Scale. By default header and query string argument would be:
• appid - identifies certain application
• apikey - secret for the application
Request with API key in header - Access granted
... however in the example above, I don't see where the appid comes into play.
Can you tell me how one would call the SlashDB endpoint and pass a APIkey and assure that the userid is known as MyAPP.
So, to sum up, the Documentation mentions:
• Another application utilizes an API key to authenticate, which is sent with every request. The application is recognized as SlashDB user App2, which uses database login db_admin. Effectively this application can SELECT, UPDATE, INSERT and DELETE data.
So I want to actually, do just what is in that bullet: Identify myself as the user (instead of App2, I'm user MyAPP), and then use the dbuser and dbpass that was assigned to access that "Gaming" database.
Idea?
Make sure you've given user MyAPP permission to execute the query.
To do so:
login as admin,
go to Configure -> Queries,
open your query definition,
update field Execute. It accepts comma separated user ids.
OK, there are really two questions here:
Why was access denied?
What is the appid and how to use it.
Ad. 1: There are two authorization barriers that the request has to clear.
The first one is imposed by SlashDB in that the user executing the query must be listed in the Execute field on the query definition screen. This is done under Configure -> Queries -> "edit" button on your query.
The second barrier is imposed by the database. The SlashDB user who is executing your POST request must be mapped to a physical database user with INSERT privileges to the Gaming.Leaderboard table. It goes without saying that this database user must be associated with the database schema in which the table exists.
Ad. 2. To enable the appid the user api key must be composed out of two parts separated by colon ":". The first part will be interpreted as the appid and the second will be the apikey.
To do that, use Configuration -> Users -> 'edit' button for the user in question. Then simply add a colon at the beginning of the API key and type in your desired appid to the left of the colon. The app will have to supply both keys to execute the request. Note that the names of those keys (i.e. appid) are configurable in /etc/slashdb/slashdb.ini.
The reasoning behind this feature is to facilitate API Management platforms, which can help with key management, especially when API will be exposed to third party developers.

Cloudant auth: lacks _users database

I'm getting set up with CouchDB on Cloudant, and I'm confused because Cloudant seems to do auth differently than regular CouchDB. Specifically, Cloudant seems to lack a _users database.
I read the Cloudant auth FAQ here, and it provided the following instructions:
Can I use CouchDB security features (_users database, security
objects, validation functions) on Cloudant?
Yes you can. If you want
to use the _users database you must first turn off Cloudant's own
security for the roles you want to manage via _users. To do this you
need to PUT a JSON document like the following to the _security
endpoint of the database (for example
https://USERNAME.cloudant.com/DATABASE/_security):
{ "cloudant": {
"nobody": ["_reader", "_writer", "_admin"] }, "readers": {
"names":["demo"],"roles":[] } }
These instructions worked fine, and allowed me to update the _security object of a database.
What wasn't clear was how to set up the _users database. It didn't exist automatically, so I tried creating it using a regular:
curl -X PUT $COUCH/_users
This worked fine, but when I attempt to add a new user to _users as follows:
curl -HContent-Type:application/json \
-vXPUT $COUCH/_users/org.couchdb.user:me \
--data-binary '{"_id": "org.couchdb.user:me","name": "me","roles": [],"type": "user","password": "pwd"}'
It appears to create the document correctly:
{"ok":true,"id":"org.couchdb.user:me","rev":"3-86c3801fdb8c32331f5f2580e861a765"}
But the new user in _users on Cloudant lacks a hashed password:
{
"_id": "org.couchdb.user:me",
"_rev": "3-86c3801fdb8c32331f5f2580e861a765",
"name": "me",
"roles": [
],
"type": "user",
"password": "pwd"
}
So when I attempt to authenticate at this user, I get the following error:
{"error":"bad_request","reason":"missing password_sha property in user doc"}
On my local CouchDB installation, creating a new user in _users would automatically create the hashed password:
{
"_id": "org.couchdb.user:test",
"_rev": "1-9c1c4360eba168468a37d7f623782d23",
"password_scheme": "pbkdf2",
"iterations": 10,
"name": "test",
"roles": [
],
"type": "user",
"derived_key": "4a122a20c1a8fdddb5307c29078e2c4269abffa5",
"salt": "36c0c05cf2a3ee321eabd10c46a8aa2a"
}
I tried copying the "_design/_auth" document from my local CouchDB installation to Cloudant, but the results are the same - no hashed password.
I appear to have gone off the rails at some point, but I'm not sure where this happened. How can I set up Cloudant to use the same kind of auth as regular CouchDB?
I found the answer via #cloudant IRC:
09:59 <+kocolosk> creating _users was the right thing to do
09:59 <+kocolosk> the API matches an older version of CouchDB where the passwords needed to hashed client-side
10:00 < jbeard> oh, I see
10:00 <+kocolosk> we're addressing that lack of support for automatic hashing
10:01 < jbeard> I'm trying to find documentation on client-side hashing in Couch.
10:02 < jbeard> What version of Couch is Cloudant aiming to be compatible with for _users?
10:04 <+kocolosk> jbeard: http://wiki.apache.org/couchdb/Security_Features_Overview
10:04 <+kocolosk> see "Generating password_sha (only applicable for 1.1.x and earlier)"
10:04 <+kocolosk> jbeard: this particular feature is the last bit where we are compatible with 1.1.x but not newer version
10:05 < jbeard> Excellent
10:05 < jbeard> That's what I needed to know
In fact, cloudant does not support the hash value generation.
I found this alternative that helps to use the _users db in the cloudant service...
https://github.com/doublerebel/cloudant-user
As of 2020, Cloudant hashes the password but doesn't use the same hashing algorithm as CouchDB currently does (pbkdf2). For better security and compatibilty, it is still advisable to generate the hash yourselves, e.g. with couch-pwd.
And instead of supplying
{ "cloudant": { "nobody": ["_reader", "_writer", "_admin"] }, "readers": { "names":["demo"],"roles":[] } }
The docs now suggest the couchdb_auth_only flag:
{
"couchdb_auth_only": true,
"members": {
"names": ["demo"],"roles":[]
},
"admins": {
"names": ["admin"],"roles":[]
}
}
But mind that the _admin role is not set automatically as in CouchDB 3.