[Pkg-erlang-devel] Bug#600169: couchdb has example in config, desktopcouch needs to follow

[Jason Woofenden]

reassign 600169 desktopcouch
retitle 600169 futon authentication incompatible with major browsers
thanks

With the default config file for desktopcouch, major browsers (I've
tested chromium and firefox) are unable to authenticate with
desktopcouch's futon.

This is because this config file:

	/etc/xdg/desktop-couch/compulsory-auth.ini

contains:

	[couch_httpd_auth]
	require_valid_user = true

which make http authentication required, but lacks this option:

	[httpd]
	WWW-Authenticate = Basic realm="administrator"

which tells the user agent what type of authenticacion to send
(only basic works, but FireFox, Chromium, curl and wget (and
presumably most others) default to something more secure like
digest.)

When that option is added, futon works perfectly (including the
~/.data/desktop-couch/couchdb.html redirect.) And you can access
desktopcouch from curl and wget without obscure flags/headers.


Thank you,   - Jason


P.S. couchdb has the WWW-Authenticate setting in it's default
local.ini, but it's commented out. I asked why it's commented out
on #couchdb about this, and if you're curious, here's what I've
learned:

By default, couchdb does not have any user accounts, and supports a
number of authentication methods, so it has (in its default config
file) examples and instructions on how to get authentication set
up, including a config option to send www-authentication headers
(which is commented out.)

While I feel there must be a better solution, I can understand why
they have the default config that way. By default couchdb allows
read and write access to records, and turning off http auth, allows
you to fiddle around with futon (out of the box) without mucking
with config files or getting authentication dialogs. (Auth dialogs
would be particularly annoying at this stage, since there's no
accounts set up, so they'd always fail.)