incubator-couchdb-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Olivier Scherrer <pode...@gmail.com>
Subject Security: exposing the database access to the browser
Date Tue, 08 May 2012 14:46:37 GMT
Hi All,

I've imagined a way to give the browser a complete access to CouchDB, with a node.js server
proxying the requests, and would have liked to know the implications in terms of security.


Here's how it works:

The browser sends the request data to a node.js server (like {method:"GET", "path:"_all_dbs}),
which in turns uses its http client to issue the request through something I called a "request
handler".
The request handler is configured with CouchDB's url, and it also adds the credentials to
the request, so the request looks like: http://user:password@ipaddress/_all_dbs.
When the results are returned to node.js, it pushes the data back to the browser.

My question is, how secure is this approach? From the browser I could potentially do anything
(POST, DELETE...), the only security being the credentials added up by the request handler
on the node.js server. Is that enough or should I add more treatments (like filtering) before
doing the request?

I've written a blog post that pictures the whole solution: http://podefr.tumblr.com/post/22553968711/an-innovative-way-to-replace-ajax-and-jsonp-using
The security concern was brought up by Richard on socket.io's Google Group: https://groups.google.com/forum/?fromgroups#!topic/socket_io/2_Yovcrc1e0

Thanks!
Olivier


Mime
View raw message