
How can I securely connect to Cloudant using PouchDB?

I am creating a mobile app for Android and iOS using Cordova/PhoneGap and am using IBM's Cloudant database for storage. I am using the PouchDB JavaScript library to access the Cloudant database. Currently I have this code to access it...

db = new PouchDB('https://[myaccount].cloudant.com/[mydb]', {
    auth: {
      username: 'myusername',
      password: 'mypassword'
    }
});

I am aware that this is extremely insecure, and am wondering if there is a more secure way to connect to my database from within the app?

David asked Jan 08 '23 07:01


2 Answers

One option you may like to consider is implementing a service (e.g. running in the cloud) for registering new users of your app. Registration logic could look something like this:

  1. The handset code communicates with your application service requesting registration of the user
  2. The service makes a call to Cloudant to create an API key which is returned to the handset code
  3. The handset code saves the API key 'username' and 'password' on the device. These credentials are then used in the auth: { username: 'myusername', password: 'mypassword' } object.

Chris Snow answered Jan 10 '23 20:01


You are right that Cloudant credentials should never be hard-coded into your client-side app.

One design pattern is to use a "one database per user" approach:

  • the user authenticates with a web-app of yours that has Cloudant admin credentials
  • the app creates a database for the authenticated user and creates a Cloudant API Key with _reader & _writer access (https://docs.cloudant.com/api.html#authorization)
  • the app communicates these credentials to the client (where they could be stored in a 'local' PouchDB document, or just stored in memory if you want your users to authenticate every time)

Glynn Bird answered Jan 10 '23 20:01
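
The server-side flow both answers describe (create a per-user database, mint an API key scoped to it, return only that key to the handset), as an added example that is not code from either answer or from Cloudant. Assumptions: the `request` helper, the `userdb-` naming scheme and the fake backend are hypothetical, and the `/_api/v2/...` paths are Cloudant's legacy API-key endpoints as recalled here, so check them against the current documentation.

```javascript
// Server-side sketch (Node.js). Admin credentials live only here, never in the app.
// `request` is a hypothetical injected HTTP helper, already authenticated as the
// account admin: request(method, path, body) -> Promise<parsed JSON>.

// Map any user id to a valid database name (lowercase, starts with a letter).
// Hex-encoding keeps distinct ids distinct and keeps user input out of the URL path.
function dbNameFor(userId) {
  if (typeof userId !== 'string' || userId.length === 0 || userId.length > 64) {
    throw new Error('invalid user id');
  }
  return 'userdb-' + Buffer.from(userId, 'utf8').toString('hex');
}

// Security document granting one API key read/write on one database only.
function securityDocFor(apiKey) {
  return { cloudant: { [apiKey]: ['_reader', '_writer'] } };
}

// Call only after your own service has authenticated the user.
async function provisionUser(account, userId, request) {
  const db = dbNameFor(userId);
  await request('PUT', '/' + db);                              // create the per-user database
  const created = await request('POST', '/_api/v2/api_keys');  // expected: { key, password, ok }
  if (!created || !created.key || !created.password) {
    throw new Error('API key creation failed');
  }
  await request('PUT', '/_api/v2/db/' + db + '/_security', securityDocFor(created.key));
  // Only the scoped key leaves the server; the handset passes this to new PouchDB(url, { auth }).
  return {
    url: 'https://' + account + '.cloudant.com/' + db,
    auth: { username: created.key, password: created.password }
  };
}

// Constructed stand-in for Cloudant so the flow runs offline; it records every call.
function fakeCloudant() {
  const calls = [];
  const request = async (method, path, body) => {
    calls.push({ method, path, body });
    if (path === '/_api/v2/api_keys') {
      return { ok: true, key: 'constructed-key', password: 'constructed-secret' };
    }
    return { ok: true };
  };
  return { calls, request };
}
```

A key leaked from one handset then exposes only that user's database, and the server can revoke it by removing the key from that database's `_security` document.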