
I am using CouchDB for my Data Layer in a Rails 3 application using CouchRest::Model hosted on Heroku.

I am requesting a List of Documents and returning them as JSON to my Browser and using jQuery Templates to represent that data.

Is there a way I could build the request on the server side, and return the request that would need to be called from the browser WITHOUT opening a huge security hole i.e. giving the browser access to the whole database?

Ideally it would be a one-off token access to a specific query, where the token would be generated on the server side, and CouchDB would take the token, make sure it matches what the query should be, and give access to the results.

One way that comes to mind would be to generate a token Document and use a show function (http://guide.couchdb.org/draft/show.html) to return the results for that token Document's view results. Though I am not sure if that is possible.

Another would be to put a token on the Document itself and use a list function (http://guide.couchdb.org/draft/transforming.html).

Save that, any other ideas?

Thanks in advance


1 Answer


Is there a way I could build the request on the server side, and return the request that would need to be called from the browser WITHOUT opening a huge security hole i.e. giving the browser access to the whole database?

Yes. One method is to create a rack app and mount it inside your rails app. You can have it receive requests from users' browsers at "/couch" and forward that request to your "real" couchdb url, returning couch's JSON response as-is or modifying it however you need.

You may also be able to use Couch's rewrite and virtual host features to control what Couch URLs the general public is able to reach. This probably will necessitate the use of list or show functions. http://blog.couchone.com/post/1602827844/of-rewrites-and-virtual-hosting-an-introduction

Ideally it would be a one off token access to a specific query, Where the token would be generated on the server side, and CouchDB would take the token, and make sure it matches what the query should be, and give access to the results.

You might use cookies for this since list and show functions can set and get cookie values on requests.

But you could also include a hash value as part of each request. Heroku's add-on API has a good example of how this works. https://addons.heroku.com/provider/resources/technical/build/sso Notice that the API calls are invalid outside of a certain window of time, which may be exactly what you need.

I'm not sure I precisely understand your needs, but I hope I have been able to give you some helpful ideas.
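Putting the answer's two main suggestions together, here is an added example (not code from the question or the answer above) of a Rack app that could be mounted at "/couch" in the Rails app and that only forwards requests carrying a server-minted, time-limited HMAC token bound to one specific view query. The module and class names, the `/couch` mount point, the `COUCH_GRANT_SECRET` environment variable and the use of SHA-256 HMAC with a Unix-time expiry (the same idea as the time window in the Heroku SSO scheme) are all assumptions made for this example; the `fetch` and `clock` arguments exist only so the app can be exercised without a live CouchDB.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'uri'
require 'net/http'

# Server side: mint a signed, time-limited grant for exactly one CouchDB view query.
# The browser never sees the CouchDB URL or credentials; it only gets a /couch URL
# whose token binds the database, design doc, view, query parameters and expiry.
module CouchGrant
  # Assumption: the HMAC secret lives in the app's environment, never in the client.
  SECRET = ENV.fetch('COUCH_GRANT_SECRET', 'dev-only-secret-change-me')

  # Canonical string covering everything the browser is allowed to request.
  # Parameters are sorted and percent-encoded so the string is unambiguous.
  def self.canonical(db, ddoc, view, params, expires)
    query = URI.encode_www_form(params.to_a.sort_by { |k, _| k.to_s })
    "#{db}/_design/#{ddoc}/_view/#{view}?#{query}@#{expires}"
  end

  def self.sign(db, ddoc, view, params, expires, secret = SECRET)
    mac = OpenSSL::HMAC.digest('SHA256', secret, canonical(db, ddoc, view, params, expires))
    Base64.urlsafe_encode64(mac, padding: false)
  end

  # URL for the browser to call on the Rails app (the mounted proxy), not on CouchDB.
  def self.grant_url(db, ddoc, view, params, ttl: 60, now: Time.now.to_i)
    expires = now + ttl
    token = sign(db, ddoc, view, params, expires)
    query = URI.encode_www_form(params.merge('expires' => expires, 'token' => token))
    "/couch/#{db}/_design/#{ddoc}/_view/#{view}?#{query}"
  end

  # A token is only valid for the exact db/ddoc/view/params it was minted for,
  # and only until its expiry; any changed parameter produces a different MAC.
  def self.valid?(db, ddoc, view, params, expires, token, now: Time.now.to_i, secret: SECRET)
    return false if expires.nil? || token.nil? || expires.to_i <= now
    secure_compare(sign(db, ddoc, view, params, expires.to_i, secret), token)
  end

  # Constant-time comparison so a token cannot be guessed byte by byte via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Rack app. Assumption: mounted in routes.rb with
#   mount CouchProxy.new(ENV['CLOUDANT_URL']) => '/couch'
# so PATH_INFO arrives without the /couch prefix. Only signed GETs of a view get
# through; _all_docs, raw document access, writes and unsigned views are refused.
class CouchProxy
  PATH_RE = %r{\A/([a-z][a-z0-9_$()+-]*)/_design/([^/?]+)/_view/([^/?]+)\z}

  # fetch and clock are injectable so the app can be tested offline.
  def initialize(couch_url, fetch: nil, clock: -> { Time.now.to_i })
    @couch = URI(couch_url)
    @fetch = fetch || self.class.method(:default_fetch)
    @clock = clock
  end

  def call(env)
    return deny(405, 'method not allowed') unless env['REQUEST_METHOD'] == 'GET'
    m = PATH_RE.match(env['PATH_INFO'].to_s)
    return deny(404, 'not found') unless m
    db, ddoc, view = m.captures
    params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
    expires = params.delete('expires')
    token = params.delete('token')
    unless CouchGrant.valid?(db, ddoc, view, params, expires, token, now: @clock.call)
      return deny(403, 'invalid or expired token')
    end
    body = @fetch.call(@couch, "/#{db}/_design/#{ddoc}/_view/#{view}", params)
    [200, { 'Content-Type' => 'application/json' }, [body]]
  end

  # Real upstream call; CouchDB credentials come from the server-side URL only.
  def self.default_fetch(couch, path, params)
    uri = couch.dup
    uri.path = path
    uri.query = URI.encode_www_form(params)
    req = Net::HTTP::Get.new(uri)
    req.basic_auth(uri.user, uri.password) if uri.user
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
    raise "CouchDB returned #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end

  private

  def deny(status, reason)
    [status, { 'Content-Type' => 'application/json' }, [{ 'error' => reason }.to_json]]
  end
end
```

The controller that renders the page would call `CouchGrant.grant_url` with the exact view and parameters it wants the browser to fetch and embed the returned URL in the page; the browser then hits `/couch/...` on the Rails app, and the proxy forwards only if the token, expiry, path and every query parameter still match what was signed. Because the MAC covers the parameters, a client cannot widen a `limit`, drop a `startkey`, or swap in another view, and because the request is rebuilt server-side the real CouchDB host and credentials never reach the browser.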