1

How can I verify if a given password matches with password from collection _users in arangoDB?

I know it can be done with Foxx app and arangosh but I am not using them as I am using my own API in python. So I don't know how to access to the password and check if matches with the given password without using Foxx or arangosh.

Dovi
  • 833
  • 1
  • 10
  • 29

2 Answers2

2

You shouldn't rely on the system _users collection for your own user logic. The collection is strictly intended for ArangoDB's own user objects, not for application-level user management.

If you really do want to use ArangoDB's own user management, the best way to expose that when authentication is disabled is to use the org/arangodb/users module inside ArangoDB (e.g. using Foxx). The module provides an isValid method that takes a username and password and returns a boolean indicating whether the combination is valid or not:

var users = require('org/arangodb/users');
controller.post('/checkpw', function (req, res) {
  var credentials = req.params('credentials');
  res.json({
    valid: users.isValid(
      credentials.username,
      credentials.password
    )
  });
})
.bodyParam('credentials', joi.object({
  username: joi.string().required(),
  password: joi.string().required()
}).required());

The users HTTP API currently doesn't expose this method, so this is the only way to do it without relying on extremely unstable implementation details (the format of the _users collection has changed throughout 2.x and the collection may change again in the future).

EDIT: ArangoDB 3.0 will likely add an API route that returns a token (rather than cluttering up the database with session objects) when supplied with a valid username and password. This should make it easier to integrate with the built-in user management but the caveats remain the same: ArangoDB users are primarily intended for API-level authorization, not for application logic.

Alan Plum
  • 10,814
  • 4
  • 40
  • 57
  • Thank you. Then I guess that the best option will be create my own users collection – Dovi May 21 '16 at 08:54
1

The most easy way is to simply try a flat http request, and check for its result. The most simple call is _api/version; We prefix the database to find out whether the user is allowed to access a specific database. For this example we use _system; you need to replace it with the database you want to test the authentication against.

curl --dump - http://Joe:passvoid@localhost:8529/_db/_system/_api/version
GET /_db/_system/_api/version HTTP/1.1
Authorization: Basic Sm9lOnBhc3N2b2lk
User-Agent: curl/7.38.0
Host: localhost:8529
Accept: */*


HTTP/1.1 200 OK
Server: ArangoDB
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8
Content-Length: 37

{"server":"arango","version":"2.8.8"}

curl --dump - http://Joe:WRONGpassvoid@localhost:8529/_db/_system/_api/version 
GET /_db/_system/_api/version HTTP/1.1
Authorization: Basic Sm9lOldST05HcGFzc3ZvaWQ=
User-Agent: curl/7.38.0
Host: localhost:8529
Accept: */*

HTTP/1.1 401 Unauthorized
Server: ArangoDB
Content-Type: text/plain; charset=utf-8
Www-Authenticate: basic realm="arangodb/_system"
Connection: Keep-Alive
Content-Length: 0

So you need to check for the HTTP status code: 200 -> Success; 401 -> fail. See howto create authentication headers with python for details of the python specific http handling.

Community
  • 1
  • 1
dothebart
  • 5,972
  • 16
  • 40
  • The thing is that i do not have activated arangodb authentication so I can access with both wrong or correct password `You are about to log in to the site "localhost" with the username "Joe", but the website does not require authentication [...]`. I don't want to activate authentication because users do not directly access to the database but through an app so I just want to take advantage that arangodb comes with `_users` collection and use it. If its not possible getting the password from `_users` maybe I should create my own user collection? (but this is what I was trying to avoid) – Dovi May 20 '16 at 06:26