1

I am planning to build an office extension application ( more or less a HTML5 application). The most valuable part of the application is the content provided by the application, so content information must be securely kept in a database. anyone trying to access the content must prove their identities by showing their usernames and passwords.

I have a Cloudant database named "_users" which stores all the users login information such as usernames and passwords, and another Cloudant database named "_contents" which stores all the content information.

When the users trying to access the "_content" database with their web browsers, the application will ask users to login. After successful matching this user's credentials with data in "_users" database, this user then have access to "_content" database.

the Ideal case for me is, the login and authorization process can be done using only web browser and Cloudant databases. I don't want to have any "middle person"(a web server running nodejs for instance) in between. How can I do this.

OK,here are some problems I can not solve.

  1. When a user trying to establish connection with Cloudant databases, an API key must be provided. Ok, I can generate a API key which is permitted to read "_users" database, and give this API key to a user.a user may connect to "_users" with this key, but does this mean with this API key, any user can read all the data in "_users" database? This would be a disaster.
  2. if the above problem can be solved, how to perform authorization? Should I kept generating APIs for every users and delete them later? At what moment should I do the delete action?
JasonSmith
  • 72,674
  • 22
  • 123
  • 149
D.Yang
  • 41
  • 6
  • I this is possible. Can you please clarify a few things, so that we can help answer your question? The office extension application is HTML5, however does it use a web server? Or is it some kind of embedded application running inside Office or something? – JasonSmith Jan 20 '16 at 10:00
  • Also, can you please clarify: Are you using the `_users` database for your own application? Have you been using this with Apache CouchDB? Normally, Cloudant does not use the `_users` database, so I want to know if you are transitioning from CouchDB to Cloudant, or if you have been reading CouchDB documentation, or anything like that. Thanks again! – JasonSmith Jan 20 '16 at 10:11
  • @JasonSmith, office extension application is essentially HTML5 webpages opened by Microsoft Office Word embedded browser, and the webpages are served on servers ( i chose nodejs on bluemix), all the normal browser-->server stuff can also be done here. – D.Yang Jan 21 '16 at 02:10
  • @JasonSmith, I am still new to NOSQL. I found Cloudant NoSQL from Bluemix, so I am considering migrating from mysql to Cloudant. I've never tried CouchDB, but I noticed Cloudant is quite similar to CouchDB and I am reading the CouchDB documentation because of the absence of a detailed Cloudant documentation. From the security section, I did see the "special" usage of "_user" database, and I am trying to find more about it. I hope to have more control of users authorization : a user can only access the database for 1 month when he/she choose to pay for 1 month. still trying to find how to do – D.Yang Jan 21 '16 at 02:20
  • Thanks for your feedback! For the most part, Cloudant is very similar to CouchDB; with most differences being additional features that CouchDB does not yet have. Anyway, I recommend the Cloudant guide https://docs.cloudant.com/index.html which includes a full API reference: https://docs.cloudant.com/api.html – JasonSmith Jan 21 '16 at 07:32

1 Answers1

1

Normally, Cloudant does not support custom usernames and passwords, the _users database features. Instead, Cloudant allows you to create API keys, which are random strings.

I think, given your requirements, the above system will not work. But there is good news! Cloudant also supports the open source Apache CouchDB _users database too. I think this will work for you; however, you will need a bit of work to set it up. This solution requires your web server to do some Cloudant preparation; however when the users use the application, they can authenticate directly to Cloudant, and they can read and update documents directly, with no middle server needed.

Enable name authentication

See the last question of the Cloudant developer FAQ, "Can I use CouchDB security features..."

Basically, for each DB, you want to PUT to /the_db/_security

{ "couchdb_auth_only": true,
  "members": {
    "names": ["user_name_1", "user_name_2", "etc."],
    "roles": []
  }
}

Set up user accounts

This works according to the Apache CouchDB documentation. Basically, you need to create a document in _users with the username and hashed password. Note, Cloudant does not yet have the newer CouchDB feature where the server will automatically hash the password for you: Cloudant auth: lacks _users database

So as the answer says, see the CouchDB Wiki security page about hashing passwords. You will need to find a JavaScript SHA1 implementation, such as CryptoJS

CORS

You will likely need to enable CORS, which is also described in the Cloudant documentation, the CORS chapter

With all of the above things in place, you can create users (or change their passwords by updating /_users/* documents; and those users can log in with basic or cookie authentication, to access their databases.

Community
  • 1
  • 1
JasonSmith
  • 72,674
  • 22
  • 123
  • 149
  • "Cloudant does not yet have the newer CouchDB feature where the server will automatically hash the password for you" => That feature is in V1.2 from 2013, how is that "newer" ? – Ilya Feb 10 '16 at 22:53