Authenticating a CouchDB user against an external server
I have the following setup:
Now, the REST API has admin access to CouchDB, so when it receives requests, it needs to do some form of authentication to make sure the sender has permissions to the database he claims to have access to. Since I use persistent sessions, the web app does not know the user password at all times (unless I store it in localStorage - obviously a bad idea). The session cookie is HttpOnly, so I can't access it.
What would be the best way to authenticate requests to the API under this scenario?
Encrypt everything you need and add it to the cookie as a base64 session. The following would be the sequence...
1. WebApp: Send username and password
2. REST: Authenticate this using couch.
3. REST: Encrypt the session along with username password and create cookie, then base64 result.
4. REST: Send cookie to WebApp.
5. WebApp: Always sends cookie back to REST layer.
6. REST layer has everything it needs to authenticate the user.
In the above the REST layer is passing state to the WebApp and it gets the state it needs from the WebApp. The client cannot decrypt it so it's safe. The client then passes this token as the cookie back to the REST layer which then uses it to get the details it needs to authenticate.
You can encrypt a few hundred bytes quite easily and not run into any header or cookie size limitations. Don't compress it before or after encryption, before for security reasons and after because encrypted data doesn't compress well. If anyone is worried about performance then benchmark it but I've used this with languages orders of magnitude slower than Rust. A variation on the above is to use memcached i.e...
1. WebApp: Send username and password
2. REST: Authenticate this using couch.
3. REST: Store Couch session in memcached along with username password and create cookie. The cookie is the key to memcached.
4. REST: Send cookie to WebApp.
5. WebApp: Always sends cookie back to REST layer.
6. REST: Get details from memcached.
I've used this technique using headers and cookies and it's worked like a charm. I'm assuming you're using things to protect against XSRF etc.
You can mix and match the above to suit your app's needs.
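The encrypted-cookie variant from the first sequence, as an added example in Go (not code from the question or the answer): the REST layer seals the session state with AES-GCM so the client can neither read nor alter it, and unseals it on every request. The `Session` fields, the 32-byte key and the expiry check are assumptions; only authenticated encryption (AES-GCM here) gives the "cannot decrypt it so it's safe" property, since plain encryption without a tag would let a client flip bits undetected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// Session is the state the REST layer needs back on every request (field names are assumptions).
type Session struct {
	Username     string    `json:"u"`
	CouchSession string    `json:"s"` // stands for the AuthSession value CouchDB issued at login
	Expires      time.Time `json:"e"`
}

func newGCM(key []byte) (cipher.AEAD, error) { // key must be 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealCookie encrypts and authenticates the session with AES-GCM; the random
// nonce is prepended to the ciphertext and the whole value is base64url encoded.
func SealCookie(key []byte, s Session) (string, error) {
	plain, err := json.Marshal(s)
	if err != nil { return "", err }
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, plain, nil)), nil
}

// OpenCookie reverses SealCookie: a bit flip, truncation or wrong key fails the GCM tag check.
func OpenCookie(key []byte, cookie string, now time.Time) (s Session, err error) {
	ct, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil { return s, err }
	gcm, err := newGCM(key)
	if err != nil { return s, err }
	if len(ct) < gcm.NonceSize() { return s, errors.New("cookie too short") }
	plain, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil { return s, errors.New("cookie failed authentication") }
	if err = json.Unmarshal(plain, &s); err != nil { return s, err }
	if !now.Before(s.Expires) { return s, errors.New("session expired") }
	return s, nil
}
```

Set the cookie with `HttpOnly`, `Secure` and a `SameSite` attribute, and keep the key outside the cookie (e.g. in the REST process's configuration), since anyone holding the key can mint sessions.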