couchdb-dev mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: CouchDB Authentication and Authorization
Date Thu, 25 Jun 2009 22:55:10 GMT

On 25 Jun 2009, at 20:49, Benoit Chesneau wrote:
>
> That sounds good to me except for the anonymous stuff and user
> specific data. Why not keep the same roles as the others and just specify
> writer when you want to allow writes for guests?

Can you elaborate on the "keeping same roles as other"? I'm open
to suggestions :)


> About the user specific data I'm a little afraid about security. I
> think the user database should be protected from all users except admins.

Sure, the users database is an admin-only resource.


> Sure, the passwords are hashed/encrypted, but it is just a question of
> time/number of CPUs before someone could decrypt these passwords. I would
> prefer them not to be so easily available. So maybe user profiles & co. could
> be in an optional "profile" db. This is for the case when you expose the
> database to the public. Maybe it's a little paranoid though.

User-specific data that an app needs should live in documents
separate from the docs that contain the hashes. Does that work
for you?


> Btw, will you use the current erlang oauth module to do that?

I had a look and it provides some of the things we need, but
not everything. The license is compatible with us, so I don't see
why I shouldn't include the bits that are useful to us.

Cheers
Jan
--

