incubator-couchdb-user mailing list archives

From Chang Luo <ch...@pokerchang.com>
Subject Re: to CouchApp or not to CouchApp
Date Mon, 01 Aug 2011 20:19:07 GMT
Hi Max,
I have always enjoyed your videos and posts.  In the past few months, I
have been trying hard to learn CouchApp and not use a middle tier for one of
my projects.

Now I ran into a security issue that seems to be a blocker for me to use
CouchApp. The issue is how to set up security for the _users database.  By
default, it's world-readable.  This means everyone can access all user
emails and password hashes.  This is definitely not acceptable for users'
privacy.  But if I make it only readable to admin, it will break the
CouchApp login model.

E.g. I can get all maxogden.com user emails and password hashes with one HTTP
call.  I won't post the URL here, but anyone with basic Couch knowledge can
do it in 5 seconds.

Any solution to this problem?  Or do I have to give up CouchApp?

Thanks!

Chang

On Mon, Aug 1, 2011 at 11:14 AM, Max Ogden <max@maxogden.com> wrote:

> couch has a pretty full featured security model actually:
> http://blog.couchbase.com/whats-new-in-couchdb-1-0-part-4-securityn-stuff
>
> and you can proxy couchapps behind a vhost (thus making the rest of the
> couch api inaccessible): http://vimeo.com/20773112
>
> and here's a couple of 'pure' couchapps I've built lately to help you get a
> feel for the stuff possible:
> http://open211.org
> http://monocl.es
> http://open211.org:5984/social_services/_design/removalist/_rewrite
>
> cheers!
>
> max
>
> On Mon, Aug 1, 2011 at 2:10 PM, Gregor Martynus <gregor@martynus.net>
> wrote:
>
> > I had some discussions at CouchConf last Friday about the pros & cons of
> > a CouchApp vs. a traditional 3-tier architecture. I'm new to CouchDB myself,
> > I don't have strong opinions yet. My thoughts so far
> >
> > PRO
> >
> >   1. portability:
> >   a CouchApp has both application logic and data in the same module.
> >   Together with its replication features one could very easily take the
> >   same app used for a web app and put it into a mobile phone or an
> >   enterprise intranet/extranet.
> >   2. simplicity / reach:
> >   It empowers a lot of UI designers/developers to build database-backed
> >   applications. That's pretty impressive: you know jQuery? You can build
> >   CouchApps.
> >
> > CONTRA
> >
> >   1. security:
> >   CouchApp comes with built-in signup/signin, but what keeps users from
> >   accessing pages like »/db/_all_docs?include_docs=true«? There is no way
> >   to hide documents created by User A from User B with CouchDB's built-in
> >   features as far as I understand it.
> >   2. scalability:
> >   there are more possibilities to scale with a 3-tier architecture than
> >   there are for CouchApps
> >
> > What do you think? Do you have a CouchApp running today in Production?
> > What's your experience so far?
> >
> > I'd be happy to summarize the opinions and put them up on the CouchDB
> > wiki so that everybody can benefit from it.
> >
>
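The exposure Chang describes is easy to verify and easy to miss, so here is an added audit script (not code from the thread, CouchApp, or CouchDB itself). It issues the one anonymous HTTP call in question, GET /_users/_all_docs?include_docs=true, and reports which user documents and which sensitive fields come back. The field names assume the CouchDB 1.x user-document layout (password_sha and salt, later password_scheme/derived_key/iterations); "email" is not a CouchDB field, it is whatever a given signup form stored alongside the standard ones. The sample response used below is constructed, and the admin_only_security_doc()/restrict_users_db() helpers show the "only readable to admin" lock-down the message mentions, with the caveat Chang raises about signup still standing.

```python
"""Audit whether a CouchDB _users database is readable by anonymous clients.

Added example for this thread; not from CouchApp or CouchDB.  Field names
assume the CouchDB 1.x user-document format; "email" is an assumed custom
field written by a couchapp signup form.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

# Fields in a user document that must never be readable by other users.
SENSITIVE_FIELDS = ("password_sha", "salt", "password_scheme",
                    "derived_key", "iterations", "email")


def classify_users_response(status, body):
    """Interpret the reply to an anonymous GET /_users/_all_docs?include_docs=true.

    Returns {"exposed": bool, "users": [names], "leaked_fields": {name: [fields]}}.
    """
    if status in (401, 403):
        return {"exposed": False, "users": [], "leaked_fields": {}}
    if status != 200:
        raise ValueError("unexpected HTTP status %d" % status)
    data = json.loads(body)
    users, leaked = [], {}
    for row in data.get("rows", []):
        doc = row.get("doc") or {}
        if doc.get("type") != "user":
            continue  # skip _design/_auth and anything else that is not a user doc
        # User docs are named org.couchdb.user:<name>; fall back to the id if
        # the "name" field is missing.
        name = doc.get("name") or row["id"].split(":", 1)[-1]
        users.append(name)
        fields = [f for f in SENSITIVE_FIELDS if f in doc]
        if fields:
            leaked[name] = fields
    return {"exposed": bool(users), "users": users, "leaked_fields": leaked}


def fetch_anonymous_users(base_url):
    """Perform the anonymous request against a live server (needs network)."""
    url = base_url.rstrip("/") + "/_users/_all_docs?include_docs=true"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8")


def admin_only_security_doc():
    """_security document that restricts _users to server admins.

    In CouchDB 1.x a database with a non-empty members section is readable
    only by its members and by server admins; listing the reserved "_admin"
    role as the sole member is the usual way to express "admins only".
    """
    return {"admins": {"names": [], "roles": []},
            "members": {"names": [], "roles": ["_admin"]}}


def restrict_users_db(base_url, admin_user, admin_pass):
    """PUT the admin-only _security doc on /_users (needs network, admin creds)."""
    url = base_url.rstrip("/") + "/_users/_security"
    token = base64.b64encode(("%s:%s" % (admin_user, admin_pass)).encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(admin_only_security_doc()).encode(), method="PUT",
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample of what a world-readable 1.x _users database returns.
SAMPLE_RESPONSE = json.dumps({
    "total_rows": 2, "offset": 0, "rows": [
        {"id": "_design/_auth", "key": "_design/_auth", "value": {"rev": "1-a"},
         "doc": {"_id": "_design/_auth", "language": "javascript"}},
        {"id": "org.couchdb.user:alice", "key": "org.couchdb.user:alice",
         "value": {"rev": "1-b"},
         "doc": {"_id": "org.couchdb.user:alice", "type": "user", "name": "alice",
                 "roles": [], "password_sha": "0123456789abcdef0123456789abcdef01234567",
                 "salt": "fedcba9876543210", "email": "alice@example.com"}},
    ]})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, body = fetch_anonymous_users(sys.argv[1])
    else:
        status, body = 200, SAMPLE_RESPONSE  # offline demo on the constructed sample
    print(json.dumps(classify_users_response(status, body), indent=2))
```

Run it with a base URL (e.g. `python audit_users.py http://host:5984`) to test a real instance; without arguments it classifies the constructed sample. A `401`/`403` on the anonymous call means the database is already locked down; a `200` with `leaked_fields` populated is the situation the message describes.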
