HTTP auth failure with P2P replication #1633

Closed
snej opened this issue Feb 21, 2017 · 7 comments

@snej
Contributor

snej commented Feb 21, 2017

Issue reported on the forum by user vlad.popko. Everything below is from his post:


I am trying to configure basic login / password authentication for p2p replication.
Replication works fine with no authentication. So I'm pretty sure my issue relates to authentication configuration.

CBLListener configuration:

let login = "my_login"
let password = "my_password"

// Read-only listener advertised over Bonjour, protected by a login/password pair
let listener = CBLListener(manager: CBLManager.sharedInstance(), port: 55555)
listener.setBonjourName(netServiceName, type: netServiceType)
listener.readOnly = true
listener.setPasswords([login : password])
try! listener.start()

CBLReplication configuration:

let netService: NetService = ... // Got from NetServiceBrowserDelegate and NetServiceDelegate

let components = NSURLComponents()
components.scheme = "http"
components.host = netService.hostName
components.port = NSNumber(value: 55555)
components.path = "/" + database.name
components.user = login
components.password = password    

let newReplication = database.createPullReplication(components.url!)
newReplication.continuous = true
newReplication.start()

Here is what I am getting in Xcode console:

CBLRestPuller[http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: Going online

CBLRestPuller[http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: No local checkpoint; not getting remote one

CBLRestPuller[http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net] Progress: set active = 1

CBLReplication[from http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: active, progress = 0 / 0, err: (null)
nil

CBLRestPuller[http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: Reachability state = <Uladzimir-Papkos-iPad.local.>:reachable (20002), suspended=0

<BLIPHTTPLogic: 0x127f3f440>: HTTP auth failed; sent Authorization: Basic bXlfbG9naW46bXlfcGFzc3dvcmQ= ; got WWW-Authenticate: Digest realm="CouchbaseLite", qop="auth", nonce="69773230-683C-4DCC-AB40-A21527A1F911"

CBLSocketChangeTracker[0x127d63810 sg_to_firstfoundry_net]: Can't connect, giving up: CBLHTTP[401, http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_changes?feed=normal&heartbeat=300000&style=all_docs]<--NSURLError[-1013, http://my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_changes?feed=normal&heartbeat=300000&style=all_docs]

CBLRestPuller[http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: ChangeTracker stopped; error=CBLHTTP[401, http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_changes?feed=normal&heartbeat=300000&style=all_docs]<--NSURLError[-1013, http:??my_login:*****@Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_changes?feed=normal&heartbeat=300000&style=all_docs]

I think the most important log here is this line:

<BLIPHTTPLogic: 0x127f3f440>: HTTP auth failed; sent Authorization:
Basic bXlfbG9naW46bXlfcGFzc3dvcmQ= ; got WWW-Authenticate: Digest
realm="CouchbaseLite", qop="auth",
nonce="69773230-683C-4DCC-AB40-A21527A1F911"

Alternatively, I tried to use CBLAuthenticator instead of injecting the login/password into the URL. It still doesn't work; however, I am getting different error messages in the log.
What has changed:

// Added:
newReplication.authenticator = CBLAuthenticator.basicAuthenticator(withName: login, password: password)

// Removed:
components.user = login 
components.password = password

Here is what I am getting in Xcode console after updating the code:

CBLRestPuller[http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: Going online

CBLRestPuller[http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net] Progress: set active = 1

CBLRestPuller[http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: Successfully logged in!

RemoteRequest: Added Authorization header for CBLPasswordAuthorizer[my_login/****]

CBLRemoteJSONRequest[GET http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_local/b3f625c9bddabfb59ee49d78f3bb484a5876b486]: Starting...

DEALLOC CBLRemoteLogin[http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]
2017-02-20 16:51:28.335 Union Dev[1922:1702832] RemoteRequest: CBLRemoteSession starting CBLRemoteJSONRequest[GET http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_local/b3f625c9bddabfb59ee49d78f3bb484a5876b486]

Sync: CBLReplication[from http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: active, progress = 0 / 0, err: (null)
nil

CBLRestPuller[http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: Reachability state = <Uladzimir-Papkos-iPad.local.>:reachable (20002), suspended=0

RemoteRequest: Got challenge for CBLRemoteJSONRequest[GET http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_local/b3f625c9bddabfb59ee49d78f3bb484a5876b486]: method=NSURLAuthenticationMethodHTTPDigest, err=(null)

RemoteRequest: challenge: (phase 3) continueWithoutCredential

Sync: CBLRestPuller[http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: Server is (null)

RemoteRequest: CBLRemoteJSONRequest[GET http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_local/b3f625c9bddabfb59ee49d78f3bb484a5876b486]: Got response, status 401

CBLRemoteJSONRequest[GET http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_local/b3f625c9bddabfb59ee49d78f3bb484a5876b486]: Got error CBLHTTP[401, "unauthorized", http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_local/b3f625c9bddabfb59ee49d78f3bb484a5876b486]

Sync: CBLRestPuller[http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net]: Error fetching last sequence: CBLHTTP[401, "unauthorized", http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_local/b3f625c9bddabfb59ee49d78f3bb484a5876b486]

Sync: CBLRestPuller[http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net] Progress: set error = CBLHTTP[401, "unauthorized", http:??Uladzimir-Papkos-iPad.local.:55555/sg_to_firstfoundry_net/_local/b3f625c9bddabfb59ee49d78f3bb484a5876b486]

Could anybody point me to the place where I am doing something wrong?

PS. I replaced // with ?? in URLs because the system doesn't allow new users to post more than two links in a post.

@Visput

Visput commented Feb 21, 2017

I am the person who originally reported this issue on the forum.
Please let me know if you have any questions or you need additional logs.

@pasin
Contributor

pasin commented Feb 21, 2017

I'm sure that it used to work by putting credentials in the URL (not with Basic Authenticator). Need to debug what is causing the issue.

@Visput

Visput commented Feb 21, 2017

Yeah, I have seen a lot of similar code putting credentials in the URL on forums, and people confirmed it works. Those posts were 1-2 years old. It seems the bug was introduced in one of the last versions.

@borrrden
Member

FYI @Visput I think if you make an HTTPS listener (instead of HTTP) then this will work. The issue here is that for security reasons basic auth is not allowed over regular http since it basically sends the username and password in the clear. Instead it uses the more secure digest auth format, but the authorizer is still trying to send basic auth credentials.
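
What the BLIPHTTPLogic log line from the original report shows, as an added Python example that is not part of this thread or of the Couchbase Lite code base: it parses the line, decodes the Basic token to show that the credentials are readable by anyone who sees the header, and computes the RFC 2617 Digest response that the listener's challenge asks for. The function names are illustrative.

```python
import base64
import hashlib
import re

# Log line copied from the issue report above (BLIPHTTPLogic output).
LOG_LINE = ('<BLIPHTTPLogic: 0x127f3f440>: HTTP auth failed; sent Authorization: '
            'Basic bXlfbG9naW46bXlfcGFzc3dvcmQ= ; got WWW-Authenticate: Digest '
            'realm="CouchbaseLite", qop="auth", '
            'nonce="69773230-683C-4DCC-AB40-A21527A1F911"')


def parse_auth_failure(line):
    """Return the scheme/token the client sent and the challenge the server returned."""
    m = re.search(r'sent Authorization: (\S+) (\S+) ; got WWW-Authenticate: (\S+) (.*)$', line)
    if not m:
        raise ValueError("not an 'HTTP auth failed' log line")
    sent_scheme, token, wanted_scheme, params = m.groups()
    return sent_scheme, token, wanted_scheme, dict(re.findall(r'(\w+)="([^"]*)"', params))


def decode_basic(token):
    """Basic credentials are only base64-encoded, not encrypted or hashed."""
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, password, challenge, method, uri, cnonce, nc="00000001"):
    """RFC 2617 response for qop="auth"; the password itself is never sent."""
    ha1 = md5_hex(f'{user}:{challenge["realm"]}:{password}')
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f'{ha1}:{challenge["nonce"]}:{nc}:{cnonce}:{challenge["qop"]}:{ha2}')


def diagnose(line):
    """Summarise the mismatch: what was sent, what was wanted, what leaked."""
    sent, token, wanted, challenge = parse_auth_failure(line)
    return {"mismatch": sent.lower() != wanted.lower(), "sent": sent, "wanted": wanted,
            "cleartext": decode_basic(token) if sent.lower() == "basic" else None,
            "challenge": challenge}


if __name__ == "__main__":
    print(diagnose(LOG_LINE))
```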

@Visput

Visput commented Feb 21, 2017

@borrrden, thanks for the quick response.
Do you have a link, or can you perhaps quickly describe the steps for proper HTTPS setup in CBLListener?
Do you need to use some self-signed cert and somehow inject it into the listener?

Obviously a simple change from http to https isn't enough.
Here is console log:

Sync: CBLRestPuller[https://my_login:*****@Uladzimir-Papkos-iPad-2.local.:55555/sg_to_firstfoundry_net]: Reachability state = <Uladzimir-Papkos-iPad-2.local.>:reachable (20002), suspended=0

CFNetwork SSLHandshake failed (-9806)

CBLSocketChangeTracker[0x1701b8e20 sg_to_firstfoundry_net]: Connection error #1, retrying in 2.0 sec: NSOSStatusError[-9806]

@borrrden
Member

https://github.com/couchbase/couchbase-lite-ios/wiki/SSL This page describes it. You are correct, you need to set it up with a certificate but it can generate its own.

@Visput

Visput commented Feb 21, 2017

Thanks @borrrden. Very useful page.

try listener.setAnonymousSSLIdentityWithLabel("my_cert") did the trick.
Now replication works just fine.
However I understand it's better to use SSL pinning.

@djpongh djpongh added the icebox label Mar 10, 2017
@djpongh djpongh closed this as completed Apr 10, 2017
@djpongh djpongh removed the icebox label Apr 10, 2017