Is it possible to use CouchDB's filtered replication to replicate only the subset of data ACLed to a user?

StackOverflow https://stackoverflow.com//questions/10691605

Question

In particular, can filtered replication be done with PouchDB? I want to make sure that the client can't omit the filter and thus sync against the whole database.

Solution

There is no CouchDB replication "protocol." The replication process is simply a client connecting to two CouchDB endpoints, reading documents from one, and writing them into the other. Of course, CouchDB comes with such a client ("the replicator") built-in; but conceptually it is a third-party application.

What that means is, you can remove replication from your security analysis of your application. First consider normal web clients reading and writing to your server. Lock that down. You might assume a hypothetical adversary with a hacked web browser, or using a custom HTTP client (which does not respect cross-origin policies for example).

With that problem solved, replication will, by necessity, follow your security policy.

In other words, replicating between PouchDB and CouchDB:

  • If you are pushing to the remote server, your security tool is the remote validate_doc_update function.
  • If you are pulling from the remote server, your security tool is the database _security object--specifically the "members" arrays. A client can either read a database entirely, or not at all. Of course, you can make filtered replications into special-use databases on the server side.
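
The two controls named in the answer, as an added example that is not part of the original answer or of CouchDB's own code: a `validate_doc_update` function for the push side, and a `_security` object with a small model of the all-or-nothing read check for the pull side. The `owner` field, the user names, and the helpers `listed`, `canRead` and `tryWrite` are assumptions made for illustration.

```javascript
// Added example. The `owner` field and the names "alice"/"bob" are assumptions.

// Push side: stored (as a string) in a design document's validate_doc_update.
// CouchDB runs it on every write, including writes made by any replicator.
// Kept to ES5 syntax so older CouchDB query servers can run it.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  if (userCtx.roles.indexOf("_admin") !== -1) return; // server admins bypass
  if (!userCtx.name) throw { unauthorized: "login required" };
  // Updates and deletes: the stored document decides who may touch it.
  if (oldDoc && oldDoc.owner !== userCtx.name)
    throw { forbidden: "not your document" };
  // Creates and updates: a user may only write documents they own.
  if (!newDoc._deleted && newDoc.owner !== userCtx.name)
    throw { forbidden: "owner must be the writing user" };
}

// Pull side: _security object of a per-user database (constructed sample).
const aliceDbSecurity = {
  admins: { names: [], roles: [] },
  members: { names: ["alice"], roles: [] },
};

// True when the user is named in, or holds a role from, a _security group.
function listed(group, userCtx) {
  const names = (group && group.names) || [];
  const roles = (group && group.roles) || [];
  return names.includes(userCtx.name) ||
         roles.some((r) => userCtx.roles.includes(r));
}

// Model of the per-database read decision: whole database or nothing.
// Edge case: an empty members list means the database is readable by anyone.
function canRead(secObj, userCtx) {
  const m = secObj.members || {};
  const open = !(m.names || []).length && !(m.roles || []).length;
  return open || userCtx.roles.includes("_admin") ||
         listed(secObj.admins, userCtx) || listed(m, userCtx);
}

// Run a write through the validator the way the server would.
function tryWrite(newDoc, oldDoc, userCtx) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, aliceDbSecurity);
    return "ok";
  } catch (e) {
    return e.forbidden ? "forbidden" : "unauthorized";
  }
}
```

Because neither check depends on the client supplying a filter, a replicator that omits it gains nothing: reads are decided per database and writes per document on the server.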
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow