couchdb-user mailing list archives

From Wout Mertens <>
Subject Re: Authentication with Facebook
Date Wed, 06 Oct 2010 21:18:16 GMT

I don't know the answer to your question but I think it's interesting so here's my take on

You're trying to authorize server-side behavior based on third-party authentication. I think
this only works if you have a way of verifying that the authentication is valid and couldn't
have been forged.

I don't see a way of implementing that without custom server-side code (and probably more
information than the OAuth token gives you). You might be able to do this with

As for your other question, if you're not hiding any data or code on your server, I think
there's nothing you can do to prevent someone from copying your stuff and running a modified
version of it.

So to implement what you want, I think that the very least you'll have to do is run some server-side
code and you'll have to hide some data behind a processing function.

For the authentication, you could have something server-side that takes an OAuth token and
contacts Facebook to verify that the token is valid. Then you know which Facebook user you're
talking to.

For the data hiding, think about exactly what data users are allowed to see and provide only
access to that (using redirection to views). Other data will be hidden in the database, inaccessible.


On Oct 5, 2010, at 22:00 , Bernd Mrohs wrote:

> Hi all,
> I really like CouchDB for developing pure JS+HTML+CSS applications. It's
> especially great to be able to develop 2-tier applications, i.e. having all
> the logic in JS and accessing CouchDB directly.
> I hope you can help me with a problem on how to secure my CouchDB that I
> want to use for a Facebook project:
> - My pure JS Facebook app authenticates with Facebook using oauth, I get
> back the access token to authenticate my requests to the Facebook API.
> - Now my JS application should access my CouchDB backend, using the UID that
> I got from Facebook (logged-in user)
> Question:
> - How can I make sure that this user (=Facebook UID) can only modify his own
> data? I don't have a password to verify.
> - How can I make sure that nobody is implementing their own client by going
> through my JS code, capturing all relevant info (server address, etc.), and
> playing around with the data outside my Facebook app?
> So, I need to let CouchDB verify my Facebook token directly with Facebook,
> and issue an access token for me to send with further requests to my CouchDB
> to authenticate me. This is how you normally would do this when you would
> have a middle-tier, right? How to do this with CouchDB?
> Many thanks in advance,
> Bernd
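The server-side token check and owner-only write rule discussed in this thread, as an added example that is not part of either message and not CouchDB's own code. The call to Facebook is injected as a function so the example runs offline; a real deployment would replace `fake_graph_me` with an HTTPS request to the Graph API's `/me` endpoint carrying the token, and the document and field names (`owner`, `uid`) are assumptions.

```python
"""Added example: verify a client-supplied Facebook token server-side before
trusting the UID, then authorize writes only to documents the verified user owns.
The Facebook lookup is injected so this runs offline (the real one is a Graph API
GET /me with the access token); the 'owner' field and UID values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: str  # Facebook UID as confirmed by Facebook, never as claimed by the client


class TokenVerifier:
    def __init__(self, graph_me):
        # graph_me(token) -> profile dict (with "id") or None if Facebook rejects it
        self._graph_me = graph_me

    def verify(self, token, claimed_uid):
        """Return an Identity only if Facebook accepts the token AND the account it
        belongs to is the UID the client claims; anything else yields None."""
        if not token:
            return None  # a bare UID proves nothing: no token, no identity
        profile = self._graph_me(token)
        if profile is None or "id" not in profile:
            return None  # forged, expired or revoked token
        if str(profile["id"]) != str(claimed_uid):
            return None  # valid token, but for a different user than claimed
        return Identity(uid=str(profile["id"]))


def may_modify(identity, doc):
    """Write is allowed only when the doc's owner equals the verified UID."""
    return identity is not None and doc.get("owner") == identity.uid


# Constructed stand-in for Facebook: which tokens belong to which accounts.
FAKE_GRAPH = {"tok-alice": {"id": "1001", "name": "Alice"}, "tok-bob": {"id": "1002"}}


def fake_graph_me(token):
    return FAKE_GRAPH.get(token)


verifier = TokenVerifier(fake_graph_me)

if __name__ == "__main__":
    alice = verifier.verify("tok-alice", "1001")
    print(may_modify(alice, {"owner": "1001", "text": "mine"}))        # True
    print(may_modify(verifier.verify("tok-bob", "1001"), {"owner": "1001"}))  # False
```

The same check belongs in front of every CouchDB write the app performs, so that the database itself never has to trust a UID sent by the browser.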
