fix(auth): front CouchDB with nginx to mark AuthSession cookie Secure
CouchDB 3.5 derives the Set-Cookie Secure flag from the raw mochiweb socket scheme and ignores X-Forwarded-Proto/Ssl for cookie attribution. Behind a TLS-terminating proxy the cookie was emitted without Secure, so browsers dropped the SameSite=None AuthSession cookie on cross-origin requests — POST /_session returned 200 but the next GET /_session showed userCtx.name: null and PouchDB stayed unauthenticated. Add an nginx sidecar that adds Secure via proxy_cookie_flags, route the public domain through it, and make couchdb internal. Also persist same_site=none in couchdb-init so the setting survives container recreation (local.d/ is not in the data volume).
This commit is contained in:
29
README.md
29
README.md
@@ -1,6 +1,14 @@
|
||||
# coolcouch
|
||||
|
||||
CouchDB 3 on Coolify. The `couchdb-init` sidecar waits for the server to come up, creates the three system databases, and enables CORS via the config API — no file mounts required.
|
||||
CouchDB 3 on Coolify, fronted by an nginx sidecar. The `couchdb-init` sidecar waits for the server to come up, creates the three system databases, and applies CORS + cookie config via the config API — no file mounts on CouchDB itself.
|
||||
|
||||
## Architecture
|
||||
|
||||
```
|
||||
client ──https──> Traefik ──http──> nginx ──http──> couchdb (internal)
|
||||
```
|
||||
|
||||
nginx exists for one reason: to add `Secure` to the `AuthSession` cookie that CouchDB emits. CouchDB only marks cookies `Secure` when its embedded mochiweb sees a true HTTPS socket; behind a TLS-terminating proxy it never does, and it ignores `X-Forwarded-Proto`/`X-Forwarded-Ssl` for cookie attribution. Without `Secure`, browsers reject `SameSite=None` cookies, and cross-origin PouchDB logins silently fail (login returns 200, the next `_session` shows `userCtx.name: null`). The fix is `proxy_cookie_flags AuthSession secure;` in `nginx/default.conf`.
|
||||
|
||||
## Deploy
|
||||
|
||||
@@ -8,7 +16,8 @@ CouchDB 3 on Coolify. The `couchdb-init` sidecar waits for the server to come up
|
||||
2. In the resource's **Environment Variables** tab, set:
|
||||
- `COUCHDB_PASSWORD` — required
|
||||
- `COUCHDB_USER` — optional, defaults to `admin`
|
||||
3. In the resource's **Domains** tab, assign a domain to the `couchdb` service on port `5984`. Coolify fills `SERVICE_FQDN_COUCHDB_5984` from this.
|
||||
- `INVITE_CODE` — required for the signup service
|
||||
3. In the resource's **Domains** tab, assign your CouchDB domain to the **`nginx`** service on port `5984` (not `couchdb` directly — that's now internal). Coolify fills `SERVICE_FQDN_NGINX_5984` from this. Assign the signup domain to the `signup` service on port `8080`.
|
||||
4. **Deploy.** `couchdb-init` runs once, exits, and won't restart.
|
||||
|
||||
## Verify
|
||||
@@ -26,6 +35,21 @@ curl -fsS -I -X OPTIONS https://$DOMAIN/ \
|
||||
|
||||
Expected: `_up` returns `{"status":"ok",...}`; `/` returns the CouchDB welcome JSON; `_all_dbs` returns `["_global_changes","_replicator","_users"]`; the preflight returns 2xx with an `Access-Control-Allow-Origin` header.
|
||||
|
||||
Verify the cookie has both `SameSite=None` and `Secure`:
|
||||
|
||||
```bash
|
||||
curl -i -X POST https://$DOMAIN/_session \
|
||||
-H 'Content-Type: application/x-www-form-urlencoded' \
|
||||
-d "name=admin&password=$PASS" | grep -i set-cookie
|
||||
```
|
||||
|
||||
Expected:
|
||||
```
|
||||
set-cookie: AuthSession=...; Version=1; Expires=...; Max-Age=600; Path=/; HttpOnly; SameSite=None; Secure
|
||||
```
|
||||
|
||||
If `Secure` is missing, the nginx sidecar isn't fronting the request — check that the Coolify domain is assigned to `nginx:5984` and not to `couchdb` directly.
|
||||
|
||||
If the init logs show CORS errors, you can re-trigger only that step by redeploying — the PUTs against `/_node/_local/_config/...` are idempotent.
|
||||
|
||||
## CORS
|
||||
@@ -87,4 +111,5 @@ The frontend should then `POST https://couch.apoena.dev/_session` with the same
|
||||
## Files
|
||||
|
||||
- `docker-compose.yml` — services, volume, Traefik labels, init sidecar
|
||||
- `nginx/default.conf` — reverse-proxy config that adds `Secure` to AuthSession cookies
|
||||
- `signup/` — Gleam signup service (Dockerfile, gleam.toml, src/)
|
||||
|
||||
Reference in New Issue
Block a user