
3.4 no longer hashes passwords immediately when using PUT and GET on the node's _config endpoint #5358

@retrodaredevil

Description


I maintain my own couchdb-java library and found after upgrading to CouchDB 3.4 this test started failing: ConfigEndpointTest.java#L52

So, on version 3.3, using PUT /_node/{node-name}/_config/{section}/{key} and then GET /_node/{node-name}/_config/{section}/{key} to set section admins, newadmin, somepass would result in a plain-text password being returned only if you were to call PUT and GET in quick succession.

On version 3.4, using PUT and then GET in quick succession will result in a plain-text password being returned. If you sleep for 1 second in between calls, the hashed version is returned.

It's worth mentioning that this documentation uses these endpoints for creating admin users: https://docs.couchdb.org/en/stable/intro/security.html#creating-a-new-admin-user

Is this an issue? Maybe? I'm a little annoyed that my tests started failing, but this probably isn't a huge deal. I made this issue to document this change in behavior more than anything else.

Steps to Reproduce

Confirm the expected behavior on 3.3.x versions of CouchDB and then use either 3.4.1 or 3.4.2 to confirm that calling PUT and GET in quick succession will result in the non-hashed password being returned. It might be worth confirming that the plain-text password is stored in memory and the plain-text password is not ever stored on disk.

docker run -d --rm --name couchdb-test -p 5984:5984 -e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password couchdb:3.4

curl -X PUT http://admin:password@localhost:5984/_node/nonode@nohost/_config/admins/newadmin -d '"somepass"' && curl http://admin:password@localhost:5984/_node/nonode@nohost/_config/admins/newadmin
# Should get "somepass"

curl -X PUT http://admin:password@localhost:5984/_node/nonode@nohost/_config/admins/newadmin2 -d '"somepass"' && sleep 1 && curl http://admin:password@localhost:5984/_node/nonode@nohost/_config/admins/newadmin2
# Should get hashed password

Expected Behaviour

I expect CouchDB 3.4 to behave as CouchDB 3.3 did: Calling PUT and then GET in quick succession should result in the hashed password being returned, rather than the plain text one.

Your Environment

{"couchdb":"Welcome","version":"3.4.2","git_sha":"6e5ad2a5c","uuid":"240cae2e8d238fde6ca9e7a62315a9f6","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}

Additional Context

I spent about 30 minutes writing this issue. When I actually went to test it with the curl commands above (I had them as separate commands, rather than chained commands with &&), I observed the same behavior as 3.3.

Honestly, this is probably a non-issue and can possibly be closed, but I spent a lot of time documenting this behavior change, so maybe it will be useful to someone else who comes across this change in behavior.
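A small verification helper, added here as an example and not the reporter's or the CouchDB project's code: it polls GET /_node/{node}/_config/admins/{name} after a PUT until the stored value is a hash rather than the plaintext password, so a client or test can wait for the hashing pass instead of relying on a fixed sleep. It assumes the documented "-pbkdf2-..." hash prefix (matched loosely as a "-pbkdf2" prefix); the base URL, credentials and node name are placeholders taken from the commands above.

```python
import base64
import json
import time
import urllib.request


def is_hashed_admin(value):
    """True if a /_config/admins/<name> value is a stored hash, not plaintext.

    Assumption: CouchDB admin hashes start with "-pbkdf2" (documented form
    "-pbkdf2-<derived_key>,<salt>,<iterations>")."""
    return isinstance(value, str) and value.startswith("-pbkdf2")


def fetch_config_value(base_url, auth, node, section, key):
    """GET /_node/{node}/_config/{section}/{key} and return the decoded JSON value."""
    url = f"{base_url}/_node/{node}/_config/{section}/{key}"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def wait_until_hashed(name, getter, timeout=5.0, interval=0.2,
                      clock=time.monotonic, sleep=time.sleep):
    """Poll the admins entry until it is hashed; return (hashed, polls_made).

    `getter(name)` returns the current config value. It, `clock` and `sleep`
    are injectable so the polling logic can be exercised offline."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if is_hashed_admin(getter(name)):
            return True, polls
        if clock() >= deadline:
            return False, polls
        sleep(interval)


if __name__ == "__main__":
    base = "http://localhost:5984"   # placeholder, as in the docker example above
    creds = ("admin", "password")    # placeholder credentials from the issue
    node = "nonode@nohost"           # single-node default used in the curl commands
    getter = lambda n: fetch_config_value(base, creds, node, "admins", n)
    print(wait_until_hashed("newadmin", getter))
```

Run it right after the PUT from the reproduction steps; a result of `(False, n)` means the value was still plaintext when the timeout expired.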
