couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Wedekind <>
Subject Re: to CouchApp or not to CouchApp
Date Wed, 03 Aug 2011 13:27:00 GMT
Hi Sam,

On Tue, Aug 2, 2011 at 03:36, Sam Bisbee <> wrote:

> All of that being said, there should be a checklist of steps to lock
> CouchDB down. If no one has seen one floating around the Web yet, then
> I'll start putting one together.

That would be really helpful, at least I can't find anything comprehensive
on the whole topic and the more I read, the more confused I get.

On Wed, Aug 3, 2011 at 02:03, Sam Bisbee <> wrote:

> You can set an ACL for the _users database. This is called the
> security object, which you can update in Futon with the security
> button. Just set an admin and reader, and only that user (or group of
> users) will be able to access the database.

But with Couch alone, I still need to submit username:password in cleartext
- at least once if I do cookie authentication. Or am I missing something?

> Or Max's suggestion of proxying through a web server.

I cannot find anything on that. Do you know of any post/link where that is
explained in more detail? Sorry for stupid questions :(

Doesn't this defeat the purpose/niceness of couchapps being

standalone? Why not just set the readers on the "_users" db's ACL?

That I can do. But then only users on the admin list can register new users
with that role (= post new docs to _user db). What if I want to register
users by themselves? Concretely, we want users that hit our CouchDB for the
first time to get registered automatically. We use the based device ID as
the password. This way, user == that particular device. So far so good. But
that doesn't work of course when I lock down _users, since the device can't
write. I can make a special user just for that registering, but then I need
to transmit this user's credentials in the clear when the device is
registered. But I guess for the latter alone I need to get some web server
in between to handle SSL...

Any help/pointers?

Many thanks,

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message