
403 due to lockout on CouchDB v3.4.0 and above #55

Open
H--o-l opened this issue Oct 23, 2024 · 1 comment

Comments

@H--o-l
Contributor

H--o-l commented Oct 23, 2024

Hey!

Since CouchDB v3.4.0, there has been a new "Lockout" feature, i.e., a rate limit on tuples (IP, login) after multiple authentication failures.
It's highlighted in the release note: https://docs.couchdb.org/en/stable/whatsnew/3.4.html#id4 (see the second to last bullet point).

As the following upstream discussion shows, this adds a new case of HTTP 403 possible on all routes: apache/couchdb#5315 (comment)

I was going to add the case in aiocouch, in `remote.py`, to return clean aiocouch Python exceptions on these 403s, but I noticed that there are already a few 403s caught and raised for other cases inside `remote.py`.

I wanted your idea on the best way to add the new HTTP 403 lockout case on all the routes before making a PR.

For info, CouchDB's response looks like this:

```
$ http localhost:5984 --auth login:wrong_password
HTTP/1.1 403 Forbidden
Cache-Control: must-revalidate
Content-Length: 103
Content-Type: application/json
Date: Wed, 23 Oct 2024 10:19:19 GMT
Server: CouchDB
X-Couch-Request-ID: cb6518342c
X-CouchDB-Body-Time: 0

{
    "error": "forbidden",
    "reason": "Account is temporarily locked due to multiple authentication failures"
}
```
@bmario
Member

bmario commented Oct 23, 2024

Given the situation, I think a good way forward is to use the decorator like this: `@raises(403, "Access forbidden: {reason}")`, and add `reason` to `message_input` here, which should be parseable from `ClientResponseError.message`.

H--o-l added a commit to H--o-l/aiocouch that referenced this issue Oct 29, 2024
Since CouchDB v3.4.0, there has been a new "Lockout" feature, i.e., a rate limit
on tuples (IP, login) after multiple authentication failures. It's highlighted
in the release note: https://docs.couchdb.org/en/stable/whatsnew/3.4.html#id4
(see the second to last bullet point).

As the following upstream discussion shows, this CouchDB feature adds a new case
of HTTP 403 possible on all routes:
apache/couchdb#5315 (comment)

This commit catches the 403 on all routes. As some routes were already catching
403 for other reasons, the exception message on these routes is changed from
their previous message to `"Access forbidden: {reason}"` where `reason` is
either the `reason` returned by CouchDB in the JSON body of the answer, or if
it doesn't exist, by the `message` of aiohttp ClientResponseError.

I manually tested a non-stream route with `await couchdb.info()`, it returns the
following:

```
> await couchdb.info()
...
aiocouch.exception.UnauthorizedError: Invalid credentials
> await couchdb.info()  # <=== Lockout
...
aiocouch.exception.ForbiddenError: Access forbidden: Account is temporarily
locked due to multiple authentication failures
```

Closes metricq#55
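The approach bmario suggests and the commit describes, as an added stand-alone sketch that is not aiocouch's own `raises` decorator or `remote.py`: a decorator maps a 403 to a clean exception, taking `reason` from CouchDB's JSON body when present and otherwise from the HTTP error message. `ResponseError` is a constructed stand-in for `aiohttp.ClientResponseError`, and the lockout body is constructed from the response quoted in the issue.

```python
import asyncio
import functools
import json

class ResponseError(Exception):
    """Stand-in for aiohttp.ClientResponseError (constructed for this example)."""
    def __init__(self, status: int, message: str, body: bytes = b""):
        super().__init__(message)
        self.status, self.message, self.body = status, message, body

class ForbiddenError(Exception):
    """Clean exception for any HTTP 403, including the v3.4.0 lockout."""

def extract_reason(err: ResponseError) -> str:
    """Prefer CouchDB's JSON 'reason' field; fall back to the HTTP message."""
    if err.body:
        try:
            payload = json.loads(err.body)
            if isinstance(payload, dict) and isinstance(payload.get("reason"), str):
                return payload["reason"]
        except ValueError:
            pass  # body was not JSON; fall through to the HTTP message
    return err.message

def raises(status: int, template: str):
    """Decorator mapping one HTTP status to ForbiddenError with a formatted message."""
    def decorator(fn):
        @functools.wraps(fn)
        async def wrapper(*args, **kwargs):
            try:
                return await fn(*args, **kwargs)
            except ResponseError as err:
                if err.status != status:
                    raise  # not the status we handle; leave it to other handlers
                raise ForbiddenError(template.format(reason=extract_reason(err))) from err
        return wrapper
    return decorator

# Constructed lockout body, matching the response quoted in the issue.
LOCKOUT_BODY = b'{"error":"forbidden","reason":"Account is temporarily locked due to multiple authentication failures"}'

@raises(403, "Access forbidden: {reason}")
async def info(body: bytes = b""):
    raise ResponseError(403, "Forbidden", body)  # simulated 403 from the server

def forbidden_message(body: bytes = b"") -> str:
    # Run the decorated coroutine and return the ForbiddenError text.
    try:
        asyncio.run(info(body))
    except ForbiddenError as exc:
        return str(exc)
```

Running `forbidden_message(LOCKOUT_BODY)` yields the lockout text from the JSON body; with an empty or non-JSON body the message falls back to the HTTP reason phrase, which is the same two-tier behaviour the commit message describes.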