Ad

How To Securely Perform Authorization To Cloudant Directly From Web Browsers

I am planning to build an office extension application ( more or less a HTML5 application). The most valuable part of the application is the content provided by the application, so content information must be securely kept in a database. anyone trying to access the content must prove their identities by showing their usernames and passwords.

I have a Cloudant database named "_users" which stores all the users login information such as usernames and passwords, and another Cloudant database named "_contents" which stores all the content information.

When the users trying to access the "_content" database with their web browsers, the application will ask users to login. After successful matching this user's credentials with data in "_users" database, this user then have access to "_content" database.

the Ideal case for me is, the login and authorization process can be done using only web browser and Cloudant databases. I don't want to have any "middle person"(a web server running nodejs for instance) in between. How can I do this.

OK,here are some problems I can not solve.

  1. When a user trying to establish connection with Cloudant databases, an API key must be provided. Ok, I can generate a API key which is permitted to read "_users" database, and give this API key to a user.a user may connect to "_users" with this key, but does this mean with this API key, any user can read all the data in "_users" database? This would be a disaster.
  2. if the above problem can be solved, how to perform authorization? Should I kept generating APIs for every users and delete them later? At what moment should I do the delete action?
Ad

Answer

Normally, Cloudant does not support custom usernames and passwords, the _users database features. Instead, Cloudant allows you to create API keys, which are random strings.

I think, given your requirements, the above system will not work. But there is good news! Cloudant also supports the open source Apache CouchDB _users database too. I think this will work for you; however, you will need a bit of work to set it up. This solution requires your web server to do some Cloudant preparation; however when the users use the application, they can authenticate directly to Cloudant, and they can read and update documents directly, with no middle server needed.

Enable name authentication

See the last question of the Cloudant developer FAQ, "Can I use CouchDB security features..."

Basically, for each DB, you want to PUT to /the_db/_security

{ "couchdb_auth_only": true,
  "members": {
    "names": ["user_name_1", "user_name_2", "etc."],
    "roles": []
  }
}

Set up user accounts

This works according to the Apache CouchDB documentation. Basically, you need to create a document in _users with the username and hashed password. Note, Cloudant does not yet have the newer CouchDB feature where the server will automatically hash the password for you: Cloudant auth: lacks _users database

So as the answer says, see the CouchDB Wiki security page about hashing passwords. You will need to find a JavaScript SHA1 implementation, such as CryptoJS

CORS

You will likely need to enable CORS, which is also described in the Cloudant documentation, the CORS chapter

With all of the above things in place, you can create users (or change their passwords by updating /_users/* documents; and those users can log in with basic or cookie authentication, to access their databases.

Ad
source: stackoverflow.com
Ad