
Couchdb external authentication

I am developing a family of utility apps where each app could be available on desktop, mobile and the web. After some research I decided to go with pouchdb on the client and couchdb on the server to provide offline sync.

A user would be able to create an account on the web (A Laravel Spark app) to manage their app subscriptions/payments and also access the web versions of the apps. On mobile and desktop the user would sign into each app using their credentials to unlock functionality.

I am planning on taking a database per user approach in couchdb with filtered replication (based on the app the files belong to). The basic requirement is that the user can sign in once in the apps and then securely replicate to couchdb forevermore (until sign out).

What would be the best approach to take for authentication with couchdb given the use case outlined below?

  • Proxy all requests via Laravel for authentication
  • On account creation in the Laravel app create a couchdb user with a randomly generated password and when the user signs in on the app return this password to authenticate future requests (are there limits on the number of users created?)
  • Use the Laravel app as an oauth server and make requests to couchdb direct using an oauth token.
  • Something else?
cubiclewar asked Aug 16 '16 06:08




1 Answer

In the end I found the best approach was to proxy all requests to CouchDB through Laravel, utilising the Passport package for API authentication.

To do this I hooked into the Spark::createUsersWith() function in the SparkServiceProvider to set up a CouchDB database on user registration via the following steps:

  1. Generate a couchdb specific username and save it in the user record.
  2. Create a couchdb database with the same name as that generated in step 1.
  3. Add a design document to the database with a filter for app specific syncing.
  4. Add a security document to only allow read/writes from the database owner (created in subsequent step).
  5. Create a CouchDB user with the username generated in step 1.

The user can then log into the app using their username and password to receive an OAuth2 password grant token.

All syncing requests are then made with the auth token to my sync proxy controller detailed in this gist.

To save a search, PouchDB can be set up to send the OAuth token automatically as follows:

this._remoteDB = new PouchDB(url, {
    ajax : {
        headers : {
            "Authorization" : "Bearer " + localStorage.getItem("token")
        }
    }
});
cubiclewar answered Sep 27 '22 21:09
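The five provisioning steps in the answer above map onto a short sequence of CouchDB HTTP requests. The sketch below is an added example, not the answer author's Laravel code or the linked gist; the names `provisioningPlan`, `applyPlan`, the `sync/by_app` filter and the `app` document field are assumptions made for illustration.

```javascript
// Added example: the CouchDB requests behind the five provisioning steps.
// provisioningPlan, applyPlan, "sync/by_app" and the "app" field are assumed names.

// CouchDB database names: lowercase letter first, then a-z 0-9 _ $ ( ) + - /
const DB_NAME = /^[a-z][a-z0-9_$()+/-]*$/;

// Step 3 filter, kept as source text because design documents store functions
// as strings. Tombstones pass through so deletions still replicate.
const BY_APP_FILTER =
  'function (doc, req) { return doc._deleted || doc.app === req.query.app; }';

function provisioningPlan(couchUser, password) {
  if (!DB_NAME.test(couchUser)) {
    throw new Error('not a valid CouchDB database name: ' + couchUser);
  }
  const name = encodeURIComponent(couchUser);
  return [
    // Step 2: database named after the username generated in step 1.
    { method: 'PUT', path: '/' + name },
    // Step 3: design document carrying the per-app replication filter.
    { method: 'PUT', path: '/' + name + '/_design/sync',
      body: { filters: { by_app: BY_APP_FILTER } } },
    // Step 4: security object. With members set, only the owner (and server
    // admins) can read or write; no non-admin is listed as database admin.
    { method: 'PUT', path: '/' + name + '/_security',
      body: { admins: { names: [], roles: [] },
              members: { names: [couchUser], roles: [] } } },
    // Step 5: the CouchDB user, stored in the _users database.
    { method: 'PUT', path: '/_users/org.couchdb.user:' + name,
      body: { name: couchUser, password: password, roles: [], type: 'user' } },
  ];
}

// Sends the plan with server admin credentials. Run it server-side only, so
// the admin credentials never reach the PouchDB client.
async function applyPlan(baseUrl, adminAuthHeader, plan) {
  for (const step of plan) {
    const res = await fetch(baseUrl + step.path, {
      method: step.method,
      headers: { 'Content-Type': 'application/json', Authorization: adminAuthHeader },
      body: step.body ? JSON.stringify(step.body) : undefined,
    });
    if (!res.ok) throw new Error(step.method + ' ' + step.path + ' -> ' + res.status);
  }
}
```

On the client, a PouchDB replication would select this filter with the options `filter: 'sync/by_app'` and `query_params: { app: '...' }`.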