Creating a user session is not assigning any channel

Hi, I’m creating a multi-tenant app using Sync Gateway. The sync configuration function is like this:

"sync": `
        function sync(doc, oldDoc) {
          if (!doc.tenant_id) {
            throw({ forbidden: "Document missing tenant_id" });
          }
          
          // Channel per tenant
          channel("tenant_" + doc.tenant_id);
          
          // Access control
          requireAccess("role_tenant_" + doc.tenant_id);
        }
      `

I’ve created a role that will work as a tenant:

PUT http://x:4985/my_db/_role/role_tenant_IKkguk

The GET returns this:

{
    "name": "role_tenant_UEyFlb",
    "admin_channels": [
        "tenant_UEyFlb"
    ],
    "all_channels": [
        "!",
        "tenant_UEyFlb"
    ]
}

Then I create a user called “test” for that tenant:

POST: http://x:4985/my_db/_user/tenant_IKkguk_test

The GET returns this:

{
    "username": "tenant_IKkguk_test",
    "channels": [
        "!",
        "tenant_IKkguk"
    ],
    "admin_roles": [
        "role_tenant_IKkguk"
    ],
    "effective_roles": [
        "role_tenant_IKkguk"
    ]
}

But then when I log in with that user:

POST http://x:4984/my_deb/_session

this is the response:

{
  "authentication_handlers": [
    "default",
    "cookie"
  ],
  "ok": true,
  "userCtx": {
    "channels": {
      "!": 1
    },
    "name": "tenant_IKkguk_test"
  }
}

The channels are not assigned to the user. When I use the session cookie with:

“SyncGatewaySession=xxxx; Path=/my_db; Expires=Wed, 28 May 2025 23:33:35 GMT”

to create any document I get the following response:

2025-05-27T23:35:58.064Z [INF] c:#063 db:my_db Sync fn rejected doc "<ud>customer_u0AlDS</ud>" / "<ud></ud>" --> 403 sg missing channel access
2025-05-27T23:35:58.064Z [DBG] c:#063 db:my_db     rejected doc "<ud>customer_u0AlDS</ud>" / "<ud></ud>" : new=<ud>map[_id:customer_u0AlDS _rev:1-baf15d33176831ff7bf72fa2a854723e name:test tenant_id:IKkguk type:customer]</ud>  old=<ud></ud>
2025-05-27T23:35:58.064Z [DBG] CRUD+: c:#063 db:my_db Did not update document "<ud>customer_u0AlDS</ud>" w/ xattr: 403 sg missing channel access
2025-05-27T23:35:58.064Z [INF] HTTP: c:#063 db:my_db #063:     --> 403 sg missing channel access  (2.9 ms)

This is the result I get when doing the GET _session:

{
    "authentication_handlers": [
        "default",
        "cookie"
    ],
    "ok": true,
    "userCtx": {
        "channels": {
            "!": 1
        },
        "name": "tenant_IKkguk_test"
    }
}

I don’t understand why the channel is not assigned to the session after I log in. I’ve restarted Sync Gateway without any result.

Hi,

The session response’s userCtx.channels field is only showing channel grants for the user directly, and not channels inherited through an assigned role. Notably, it is also only showing the default collection access - if you were to use any named collections they would not be represented in this response either.

This role one specifically does turn out to be a bug, but a very longstanding one that in reality doesn’t actually break anything. It’s just confusing to see. I’ve filed an issue and we’ll likely get a fix for this into an upcoming release.

Actual document/changes feed requests do evaluate channels with role inheritance so although it looks like the session isn’t valid for those additional role channels, in practice they will be.
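A small model of the two channel views the reply distinguishes, added here as an example and not part of either post or of Couchbase's code: it computes the user's direct grants (what `_session` reports) and effective grants (direct plus role-inherited), then runs the question's sync function against them. It assumes, as in the Sync Gateway API, that `requireAccess()` takes channel names, so passing a role name to it is not satisfied by holding that role; the role, user and document are constructed from the values in the question.

```javascript
// Added example, not from the thread or from Couchbase's code: models how Sync Gateway
// resolves a user's channels (direct grants plus grants inherited through roles) and
// what the question's sync function does under that model. Assumption about the
// Sync Gateway API: requireAccess() takes channel names. Sample data is constructed.
const roles = { role_tenant_IKkguk: { admin_channels: ["tenant_IKkguk"] } };
const user = { name: "tenant_IKkguk_test", channels: ["!"], admin_roles: ["role_tenant_IKkguk"] };
const doc = { _id: "customer_u0AlDS", type: "customer", name: "test", tenant_id: "IKkguk" };
// What the _session response's userCtx.channels reports: direct grants only.
function directChannels(u) {
  return new Set(u.channels);
}
// What document writes and the changes feed evaluate: direct grants plus the
// admin_channels of every assigned role.
function effectiveChannels(u, roleTable) {
  const out = new Set(u.channels);
  for (const r of u.admin_roles) {
    for (const ch of (roleTable[r] ? roleTable[r].admin_channels : [])) out.add(ch);
  }
  return out;
}
// Run a sync function body with channel()/requireAccess() bound to a user's
// effective channels. Mirrors the 403 "sg missing channel access" seen in the log.
function runSync(syncFn, d, u, roleTable) {
  const granted = effectiveChannels(u, roleTable);
  const assigned = [];
  const sg = {
    channel: (name) => assigned.push(name),
    requireAccess: (name) => {
      if (!granted.has(name)) throw { forbidden: "sg missing channel access" };
    },
  };
  try {
    syncFn(sg, d);
    return { ok: true, channels: assigned };
  } catch (e) {
    return { ok: false, forbidden: e.forbidden };
  }
}
// The question's sync function, unchanged except that the helpers are passed in.
const questionSync = (sg, d) => {
  if (!d.tenant_id) throw { forbidden: "Document missing tenant_id" };
  sg.channel("tenant_" + d.tenant_id);
  sg.requireAccess("role_tenant_" + d.tenant_id); // names the role, not a channel
};
// The same check pointed at the tenant channel the role actually grants.
const fixedSync = (sg, d) => {
  if (!d.tenant_id) throw { forbidden: "Document missing tenant_id" };
  sg.channel("tenant_" + d.tenant_id);
  sg.requireAccess("tenant_" + d.tenant_id);
};
```

Running `runSync(questionSync, doc, user, roles)` reproduces the 403 even though `effectiveChannels` contains `tenant_IKkguk`, while `runSync(fixedSync, doc, user, roles)` succeeds and assigns the document to that channel.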