I have run SurrealDB started with a root user and password. The server is running well, but when I hit it via the REST API without including a username and password, I can still access queries.
Output from surreal :
[2022-09-01 09:28:19] INFO surrealdb::iam Root authentication is enabled
[2022-09-01 09:28:19] INFO surrealdb::iam Root username is 'userdb'
[2022-09-01 09:28:19] INFO surrealdb::dbs Database strict mode is enabled
[2022-09-01 09:28:19] INFO surrealdb::kvs Connecting to kvs store at tikv://192.23.192.212:2079
[2022-09-01 09:28:19] INFO surrealdb::kvs Connected to kvs store at tikv://192.23.192.212:2079
[2022-09-01 09:28:19] INFO surrealdb::net Starting web server on 0.0.0.0:8000
[2022-09-01 09:28:19] INFO surrealdb::net Started web server on 0.0.0.0:8000
If I query some table, the authentication works, for example:
curl -X POST \
-H "NS: myapplication" \
-H "DB: myapplication" \
-H "Content-Type: application/json" \
-d "SELECT * FROM person WHERE age > 18" \
http://192.23.192.210:8000/sql
The output is :
{"code":403,"details":"Authentication failed","description":"Your authentication details are invalid. Reauthenticate using valid authentication parameters.","information":"There was a problem with authentication"}%
Expected behaviour
Request Not Authenticated
SurrealDB version
1.0.0-beta.7
Hey @Jayuda thanks so much for this issue submission 👍. We've actually been discussing this on the SurrealDB Discord.
The database currently allows connecting and querying from unauthenticated users (albeit they won't be able to see data which has not been allowed using PERMISSIONS).
We're thinking about adding in functionality to only allow requests from AUTHENTICATED user sessions, and to deny UNAUTHENTICATED sessions. This means a developer/user of SurrealDB would be able to completely disallow any unauthenticated session from running any query (even those that don't actually query table data, like the example you gave).
tobiemh changed the title from "Bug: Authentication Not Work" to "Feature: Prevent any unauthorised user/session from running any query in SurrealDB" on Sep 1, 2022
tobiemh changed the title from "Feature: Prevent any unauthorised user/session from running any query in SurrealDB" to "Feature: Prevent any unauthorised user/session from running any query" on Sep 1, 2022
It is now possible to completely deny access to anonymous and unauthenticated users with #2547, and in addition it's now possible to set the function and query capabilities of a SurrealDB instance with #2489 🚀 🎉 😃 !
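An added example, not part of the issue thread and not SurrealDB's own code: a check an operator can run against their own instance to see whether it still runs queries for a session that sends no credentials, the behaviour discussed in this thread. The `RETURN 1;` query, the shape of the success body and the function names are assumptions; the sample bodies are constructed, with the denied one modelled on the 403 quoted in the issue.

```python
import json
import urllib.error
import urllib.request

# Constructed sample replies. DENIED mirrors the 403 body quoted in the issue;
# the 200 bodies assume /sql returns a list of per-statement results.
DENIED = (403, '{"code":403,"details":"Authentication failed"}')
GUEST_OK = (200, '[{"time":"51.2us","status":"OK","result":1}]')
GUEST_ERR = (200, '[{"time":"9.1us","status":"ERR","detail":"constructed error"}]')


def classify(status, body):
    """Return 'rejected', 'executed' or 'inconclusive' for an unauthenticated reply."""
    if status in (401, 403):
        return "rejected"
    try:
        parsed = json.loads(body)
    except ValueError:
        return "inconclusive"
    if status == 200 and isinstance(parsed, list):
        # One OK statement is enough: the server ran a query for a guest session.
        if any(isinstance(s, dict) and s.get("status") == "OK" for s in parsed):
            return "executed"
    return "inconclusive"


def probe(base_url, ns, db, query="RETURN 1;", timeout=5):
    """Send one query with NS/DB headers and no credentials, then classify the reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/sql",
        data=query.encode(),
        headers={"NS": ns, "DB": db, "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for name, (status, body) in [("denied", DENIED), ("ok", GUEST_OK), ("err", GUEST_ERR)]:
        print(name, "->", classify(status, body))
```

A result of `executed` from `probe()` means guest sessions can still run statements on that instance; `inconclusive` needs a manual look at the raw reply.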
Steps to reproduce
Start surreal db with :
select from HTTP REST API without username and password :
Work with result :