retrodaredevil opened a new issue, #5358: URL: https://github.com/apache/couchdb/issues/5358
## Description

I maintain my own [couchdb-java](https://github.com/retrodaredevil/couchdb-java) library and found after upgrading to CouchDB 3.4 this test started failing: [ConfigEndpointTest.java#L52](https://github.com/retrodaredevil/couchdb-java/blob/70fd123983b34281148f38e818905de10937692b/couchdb/src/test/java/me/retrodaredevil/couchdbjava/integration/test/ConfigEndpointTest.java#L52)

So, on version 3.3, using [PUT /_node/{node-name}/_config/{section}/{key}](https://docs.couchdb.org/en/stable/api/server/configuration.html#put--_node-node-name-_config-section-key) and then [GET /_node/{node-name}/_config/{section}/{key}](https://docs.couchdb.org/en/stable/api/server/configuration.html#get--_node-node-name-_config-section-key) to set section `admins`, `newadmin`, `somepass` would result in a plain-text password being returned **only if** you were to call PUT and GET in quick succession.

On version 3.4, using PUT and then GET in quick succession will result in a plain-text password being returned. If you sleep for 1 second in between calls, the hashed version is returned.

It's worth mentioning that this documentation uses these endpoints for creating admin users: https://docs.couchdb.org/en/stable/intro/security.html#creating-a-new-admin-user

Is this an issue? Maybe? I'm a little annoyed that my tests started failing, but this probably isn't a huge deal. I made this issue to document this change in behavior more than anything else.

## Steps to Reproduce

Confirm the expected behavior on 3.3.x versions of CouchDB and then use either 3.4.1 or 3.4.2 to confirm that calling PUT and GET in quick succession will result in the non-hashed password being returned. It might be worth confirming that the plain-text password is stored in memory and the plain-text password is not ever stored on disk.

```shell
docker run -d --rm --name couchdb-test -p 5984:5984 -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password couchdb:3.4

curl -X PUT http://admin:password@localhost:5984/_node/nonode@nohost/_config/admins/newadmin -d '"somepass"' && curl http://admin:password@localhost:5984/_node/nonode@nohost/_config/admins/newadmin
# Should get "somepass"

curl -X PUT http://admin:password@localhost:5984/_node/nonode@nohost/_config/admins/newadmin2 -d '"somepass"' && sleep 1 && curl http://admin:password@localhost:5984/_node/nonode@nohost/_config/admins/newadmin2
# Should get hashed password
```

## Expected Behaviour

I expect CouchDB 3.4 to behave as CouchDB 3.3 did: Calling PUT and then GET in quick succession should result in the hashed password being returned, rather than the plain text one.

## Your Environment

```json
{"couchdb":"Welcome","version":"3.4.2","git_sha":"6e5ad2a5c","uuid":"240cae2e8d238fde6ca9e7a62315a9f6","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
```

## Additional Context

I spent about 30 minutes writing this issue. When I actually went to test it with the curl commands above (I had them as separate commands, rather than chained commands with `&&`), I observed the same behavior as 3.3. Honestly, this is probably a non-issue and can possibly be closed, but I spent a lot of time documenting this behavior change, so maybe it will be useful to someone else who comes across this change in behavior.
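Added example (not part of the original issue, CouchDB, or couchdb-java): a test helper that replaces the fixed `sleep 1` from the reproduction with polling until the value returned by the `_config` endpoint looks hashed. The function names, the environment variables, and the hash-prefix patterns (`-pbkdf2…-` and legacy `-hashed-`) are assumptions, not taken from the issue.

```shell
#!/bin/sh
# Added example, not CouchDB or couchdb-java code.
# Defaults mirror the docker command in the issue; override via environment.
: "${COUCHDB_URL:=http://localhost:5984}"
: "${COUCHDB_NODE:=nonode@nohost}"
: "${COUCHDB_USER:=admin}"
: "${COUCHDB_PASSWORD:=password}"

# Return 0 if a raw _config response body looks like a hashed admin password.
# Assumption: hashed values carry a scheme prefix ("-pbkdf2-", "-pbkdf2:<prf>-"
# or legacy "-hashed-") followed by comma-separated fields.
is_hashed_admin_value() {
    # The endpoint returns a JSON string; drop the surrounding quotes.
    value=$(printf '%s' "$1" | sed -e 's/^"//' -e 's/"$//')
    case "$value" in
        -pbkdf2*-*,*,*|-hashed-*,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hypothetical helper: GET the stored value for one admin (stub this in tests).
fetch_admin_value() {
    curl -fsS -u "${COUCHDB_USER}:${COUCHDB_PASSWORD}" \
        "${COUCHDB_URL}/_node/${COUCHDB_NODE}/_config/admins/$1"
}

# Poll until the stored value is hashed.
# Returns 0 = hashed, 1 = still plain text after all attempts, 2 = fetch failed.
# The value itself is never printed, so it cannot leak into CI logs.
wait_for_hashed_admin() {
    name=$1
    attempts=${2:-20}
    delay=${3:-1}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        raw=$(fetch_admin_value "$name") || return 2
        if is_hashed_admin_value "$raw"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}
```

A test can call `wait_for_hashed_admin newadmin` after the PUT and treat exit status 1 as the failure condition, which bounds the window in which the plain-text value is readable.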
