couchdb-user mailing list archives

From Paul Hirst <>
Subject RE: Authentication Question
Date Wed, 19 Oct 2011 13:52:35 GMT
>>> You could enable the proxy authentication handler;

>> 1. The roles don't appear to be included in the Token so how are they
>> validated? It sounds like the client could send whatever it liked? Only
>> the username is included in the token calculation.

> Why would you need to validate roles? Your app passes roles to couch; if
> they exist in db acls or validate functions, perfect; if not, who cares?

I was going to use roles in a validate function to check who was allowed
to write to the database. This would mean I could tie it into the roles
which exist on the existing system. However it seems I can't do that
since they aren't validated. For example, a user could get told
about the following headers from the authentication server:

Username: bob
Roles: user
Token: <some opaque string>

It could then talk to the couchdb server using

Username: bob
Roles: _admin
Token: <same opaque string>

The couch server would validate the Username against the Token and
believe everything is fine but the user has gained admin rights they
shouldn't have.

I think for my purposes I can distil all real users down to the same couch
username and use that in validation functions and ignore roles entirely
but it seems a bit of a shame.

Thanks for the suggestions. At least I think I can press on now with
what I was trying to achieve.

Sophos Limited, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 991 2418 08.
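The weakness described in the message above, shown as an added example (not code from the thread or from CouchDB itself): the first check mirrors a proxy token that covers only the username, so a request with the roles header changed still verifies; the second is a hardened variant that binds the roles into the MAC, which is not what CouchDB's handler does. The header names follow CouchDB's proxy handler; the secret and the user "bob" are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample secret; in CouchDB the real value comes from the server config.
SECRET = b"example-shared-secret"


def proxy_token(secret: bytes, username: str) -> str:
    """Token keyed to the username only (HMAC-SHA1), as the thread describes."""
    return hmac.new(secret, username.encode(), hashlib.sha1).hexdigest()


def accepts_username_only(secret: bytes, headers: dict) -> bool:
    """Verification that checks the token against the username alone: roles are untouched."""
    expected = proxy_token(secret, headers["X-Auth-CouchDB-UserName"])
    return hmac.compare_digest(expected, headers["X-Auth-CouchDB-Token"])


def bound_token(secret: bytes, username: str, roles: list) -> str:
    """Hardened variant (an assumption, not CouchDB's scheme): MAC over username and roles.
    Each field is length-prefixed so that 'bob'+'user' cannot be re-split into other values."""
    parts = [username, *roles]
    msg = b"".join(len(p).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def accepts_bound(secret: bytes, headers: dict) -> bool:
    """Verification for the hardened variant: changing the roles header invalidates the token."""
    roles = [r for r in headers["X-Auth-CouchDB-Roles"].split(",") if r]
    expected = bound_token(secret, headers["X-Auth-CouchDB-UserName"], roles)
    return hmac.compare_digest(expected, headers["X-Auth-CouchDB-Token"])


def demo() -> tuple:
    """Constructed headers as issued by the auth server, then a copy with the roles swapped.
    Returns (issued ok, roles-swapped ok) for each scheme: (True, True, True, False)."""
    issued = {"X-Auth-CouchDB-UserName": "bob", "X-Auth-CouchDB-Roles": "user",
              "X-Auth-CouchDB-Token": proxy_token(SECRET, "bob")}
    swapped = dict(issued, **{"X-Auth-CouchDB-Roles": "_admin"})
    issued_bound = dict(issued, **{"X-Auth-CouchDB-Token": bound_token(SECRET, "bob", ["user"])})
    swapped_bound = dict(issued_bound, **{"X-Auth-CouchDB-Roles": "_admin"})
    return (accepts_username_only(SECRET, issued), accepts_username_only(SECRET, swapped),
            accepts_bound(SECRET, issued_bound), accepts_bound(SECRET, swapped_bound))


if __name__ == "__main__":
    print(demo())
```

The second pair of results is what a deployment wants if roles are to be trusted in validate functions; with the username-only scheme, the approach in the message (treat roles from the header as untrusted and decide access on the username alone) is the safe choice.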
