CouchDB v3.4.1 return 403 on GET /_session with a wrong password #5315
Description
This morning I upgraded one node of my CouchDB cluster to v3.4.1 while the two other nodes of the cluster are still on CouchDB v3.3.3.
Since then, I have had multiple exceptions on my backend related to users using the wrong password and CouchDB returning an HTTP status 403 instead of the usual HTTP status 401.
Usually, I catch the 401 to return a nice message to users so they can understand what's wrong. But since the update, for some users (not all users, and I don't know why on these users specifically) CouchDB returns an unexpected 403 on the GET /_session. This has pushed me to create a temporary urgent release where I catch both the 401 and the 403 to return a nice error in both cases.
The CouchDB documentation for v3.4.1 is explicit: the route should only return HTTP 200 or HTTP 401, not HTTP 403.
Steps to Reproduce
I don't know for sure, I wasn't able to code a reproducer, it happens only on my production servers. There is something on the production cluster that makes the case appear:
- maybe it's the fact of having one node on v3.4.1 and the two others on v3.3.3?
- maybe it's something user-specific? But I don't know what specificities to look at.
Expected Behaviour
GET /_session should always return HTTP 200 or HTTP 401, never HTTP 403.
Your Environment
- CouchDB version used: v3.4.1 and v3.3.3. The error occurs only on GET /_session made on the v3.4.1 node.
- Browser name and version: NA
- Operating system and version: NA
Additional Context
I don't know, you tell me!
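One way to check the mixed-version hypothesis from the report is to send the same (deliberately wrong) credentials to every node of your own cluster and compare the status code and Server header each one returns. The script below is an added example, not code from the issue or from the CouchDB project; the node URLs are hypothetical placeholders, and the `fetch` parameter exists so the logic can be exercised offline with constructed responses.

```python
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Hypothetical node URLs, constructed for this example; point them at your own cluster.
NODES = [
    "http://node1.example:5984",
    "http://node2.example:5984",
    "http://node3.example:5984",
]

# Status codes the CouchDB documentation lists for GET /_session.
DOCUMENTED_STATUSES = {200, 401}


def session_request(base_url: str, user: str, password: str) -> urllib.request.Request:
    """Build GET /_session with HTTP Basic credentials, as a backend login check would."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}/_session",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )


def default_fetch(req: urllib.request.Request) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers); 4xx answers are data here, not exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def classify(status: int) -> str:
    """Map a /_session status to an outcome, flagging the undocumented 403 separately."""
    if status == 200:
        return "authenticated"
    if status == 401:
        return "bad-credentials"
    if status == 403:
        return "bad-credentials (undocumented 403)"
    return f"unexpected {status}"


def probe_cluster(nodes: List[str], user: str, password: str,
                  fetch: Callable = default_fetch) -> List[dict]:
    """Send identical credentials to each node so a deviating node stands out."""
    results = []
    for node in nodes:
        status, headers = fetch(session_request(node, user, password))
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        results.append({
            "node": node,
            "status": status,
            "server": lowered.get("server", "?"),
            "outcome": classify(status),
            "documented": status in DOCUMENTED_STATUSES,
        })
    return results
```

A row whose `documented` field is False identifies the node (and, via the Server header, the CouchDB version) that breaks the contract the issue describes.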