[api] Make GET /_all_dbs require an admin users

[gr2m]

Is that possible at all? We definitely have to find a solution, it's a big security vulnerability

[janl]

You mean _all_dbs? I think we made this admin-only in 1.3.x, for the time being we can close this in the proxy.

[gr2m]

yeah. And good idea with the proxy workaround! Only problem I see is when we'd need to load _all_dbs in pocket as admin, as requests go through our proxy as well. But that's not the case yet, and I don't see a use case for that neither, just for the record

[janl]

so far the pocket admin is also the CouchDB admin, so all is well :)

[gr2m]

I mean the requests for pocket go trough our proxy as well. If we'd disable the _all_dbs request entirely at proxy level, we couldn't used from pocket as well, not even as admin.

But that's all irrelevant when CouchDB 1.3 brings the expected update.

[janl]

we can inspect the headers and try the request with credentials if the username is "admin", but yes, eventually this is couchdb-land.

[svnlto]

I'm I right by saying this can be closed now? /cc @janl @gr2m

[janl]

hadn’t had time to look, leave open for me pls. :)

[gr2m]

I still can access /_api/_all_dbs without any authentication, with CouchDB version 1.4.0-1

[janl]

yeah I don’t think we added the require config setting to CouchDB yet

[janl]

and we should block access in the _api proxy for older CouchDB versions

[caolan]

_all_dbs is currently blocked, see: f450125