Details
Type: Bug
Resolution: Fixed
Priority: Major
Version: 3.0
Security Level: Public
JAK 107
1
Description
NOTE: This could be handled on the Couchbase Lite side, but since that would require a network library/stack update, which is potentially much more disruptive, it is being flagged as a Sync Gateway issue initially to explore options.
Issue
Also tracked on cloud side - https://couchbasecloud.atlassian.net/browse/AV-47940
Scenario
- Anonymous Auth is enabled on App Services along with either Basic or OIDC auth.
- The CBL Android app is configured to use username/password basic auth to establish the replication.
Observed
- The connection request from the app fails with a 403 error (reported by the app as "403 Unauthorized"; the Sync Gateway log shows the actual reason, "Anonymous access is read-only"):
{{2022-11-02T16:59:37.321Z [INF] HTTP: #83182: GET /userprofile/_blipsync (as GUEST)
2022-11-02T16:59:37.321Z [INF] HTTP: #83182: --> 403 Anonymous access is read-only (0.5 ms)}}
- The Android app connects successfully once anonymous auth is turned off.
- The issue does not occur on iOS or the other platforms, which connect successfully with anonymous auth enabled.
Analysis
The discrepancy arises because the network stack used by CBL Android handles basic authentication differently from the other platforms.
The other platforms send the username/password credentials preemptively, in the Authorization header of the initial connection request. CBL Android instead sends the initial request without an Authorization header and follows the standard HTTP challenge-response flow: it expects a 401 Unauthorized response carrying a WWW-Authenticate challenge, and only then retries with the credentials.
When the Android app connects without credentials, Sync Gateway treats the request as an anonymous (GUEST) request. Because anonymous access is read-only, the /_blipsync request is rejected with 403 rather than answered with the 401 challenge the Android client is waiting for, so the client never gets a chance to send its credentials and the replication fails.
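The two client behaviours and the two gateway configurations described above, modelled as an added example (this is illustrative code written for this issue, not Sync Gateway's or Couchbase Lite's own implementation; the user name, password, realm string and the exact decision order inside the handler are assumptions). The handler reproduces the observable behaviour from the log: an unauthenticated request is treated as GUEST and refused with 403 when anonymous auth is enabled, and challenged with 401 when it is disabled. Requests are served through an in-memory recorder so the model runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed credentials for the constructed example.
const (
	user  = "alice"
	pass  = "s3cret"
	realm = `Basic realm="Couchbase Sync Gateway"` // assumed realm string
)

// gatewayHandler models the decision Sync Gateway makes on an incoming
// /_blipsync request. guestEnabled mirrors the App Services "Anonymous Auth"
// setting. Model only; not Sync Gateway's actual code.
func gatewayHandler(guestEnabled bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		switch {
		case ok && u == user && p == pass:
			w.WriteHeader(http.StatusOK) // authenticated user: replication proceeds
		case ok:
			// credentials present but wrong: challenge again
			w.Header().Set("WWW-Authenticate", realm)
			w.WriteHeader(http.StatusUnauthorized)
		case guestEnabled:
			// no credentials, anonymous auth on: request is served as GUEST,
			// GUEST is read-only, so the replication endpoint is refused with 403
			// and no WWW-Authenticate challenge is issued.
			http.Error(w, "Anonymous access is read-only", http.StatusForbidden)
		default:
			// no credentials, anonymous auth off: issue the 401 challenge
			w.Header().Set("WWW-Authenticate", realm)
			w.WriteHeader(http.StatusUnauthorized)
		}
	})
}

// serve turns a handler into an in-memory request sender (no sockets).
func serve(h http.Handler) func(*http.Request) *http.Response {
	return func(r *http.Request) *http.Response {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, r)
		return rec.Result()
	}
}

// preemptiveClient models iOS and the other platforms: the credentials are
// placed in the Authorization header of the very first request.
func preemptiveClient(send func(*http.Request) *http.Response) int {
	req := httptest.NewRequest(http.MethodGet, "/userprofile/_blipsync", nil)
	req.SetBasicAuth(user, pass)
	return send(req).StatusCode
}

// challengeClient models CBL Android: the first request carries no
// Authorization header, and credentials are sent only after a 401 response
// that carries a WWW-Authenticate challenge. Any other status ends the attempt.
func challengeClient(send func(*http.Request) *http.Response) int {
	req := httptest.NewRequest(http.MethodGet, "/userprofile/_blipsync", nil)
	resp := send(req)
	if resp.StatusCode != http.StatusUnauthorized || resp.Header.Get("WWW-Authenticate") == "" {
		return resp.StatusCode // e.g. 403 from the GUEST path: never retried with credentials
	}
	req = httptest.NewRequest(http.MethodGet, "/userprofile/_blipsync", nil)
	req.SetBasicAuth(user, pass)
	return send(req).StatusCode
}

// run returns the final status each client style sees against a gateway with
// the given anonymous-auth setting.
func run(guestEnabled bool) (preemptive, challenge int) {
	send := serve(gatewayHandler(guestEnabled))
	return preemptiveClient(send), challengeClient(send)
}

func main() {
	for _, g := range []bool{true, false} {
		p, c := run(g)
		fmt.Printf("anonymous auth enabled=%v: preemptive client -> %d, challenge-driven client -> %d\n", g, p, c)
	}
}
```

With anonymous auth enabled the preemptive client gets 200 while the challenge-driven client stops at 403, which is exactly the split between platforms reported above; with it disabled both reach 200. The model also makes the two candidate places for a fix visible: either the client sends credentials preemptively (the Couchbase Lite side change the note above calls disruptive), or the gateway answers an unauthenticated request to a write-requiring endpoint with a 401 challenge instead of a GUEST 403. Which change the issue was actually resolved with is not stated on this page.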