Lcb_make_http_request usage broken in 2.7.4

In our application we use lcb_make_http_request() to retrieve statistics for a bucket (/pools/default/buckets/<bucket_name>). This worked fine in 2.4.7 and 2.7.0.
Now I trying to move 2.7.4 (because of another issue) and notice that the statistics can no longer retrieved: libcouchbase 2.7.4 now adds an Authenticator header with empty username/password to the HTTP request. The earlier versions I mentioned didn’t do that.

A quick look at the code suggests that the only case it will not do that is when cmdflag is set to LCB_CMDHTTP_F_NOUPASS, but seems not possible to set that with lcb_make_http_request().

Is there a way to prevent libcouchbase automagically set (empty) username/password in the outgoing HTTP request for lcb_make_http_request() ?

You can switch over to using the lcb_http3() API, which will prevent it from sending the header. You can still use your legacy callbacks installed via lcb_set_http_callback).

If you look in the source code, you’ll see that lcb_make_http_request() is a simple wrapper around lcb_http3. lcb_http3 should be available in 2.4.7 as well, so I’m not sure you’ll have an issue with that.

In any event, sending an Authentication header when there’s an empty username/password seems like a bug to me. I think I just figured out why…

But why not provide username at least? Similar issue was reported here Couchbase-ruby-client broken by libcouchbase 2.7.4, and if you just pass username with empty password.

You have to specify username when creating lcb instance, in lcb_create

Thanks Mark,
If you already a patch for the empty username/password I can try that (I build the library from source anyway to use libevent2 on CentOS 6). Else I’ll change it to using the lcb_http3() call.

As the username/password are not required to connect to the server, nor to retrieve the stats, why bother with the configuration hassle of username/password?

The patch probably won’t be coming in until later today, as I need to release a new version today.

Couchbase Server 5.0 will now require a username and password for any type of operation, hence the changes in the library.

Ok, no worries. I see where the problem is, I’ll make a quick fix for now and pick up yours later.

This fixes the issue:

--- src/http/	2017-04-18 19:56:41.000000000 +0200
+++ src/http/	2017-05-17 16:40:39.283528011 +0200
@@ -473,7 +473,8 @@
 add_header("Accept", "application/json");
-    if (password && username) {
+    if (password && (password[0] != '\0') &&
+        username && (username[0] != '\0') ) {
     char auth[256];
     std::string upassbuf;