Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Obscure username and password in PouchDB

Tags:

javascript

couchdb

pouchdb

I'm experimenting with PouchDB and client-side Javascript. The example on the PouchDB site works great for me: http://pouchdb.com/getting-started.html. My question is, is there any way to obscure the username and password when I connect to the remote server? The code in question: 

var remoteCouch = 'http://user:[email protected]/todos';

This is all client-side JS and publicly viewable. I'm stumped on figuring out a way around it.

like image 279
fredrover Avatar asked Oct 02 '22 01:10

fredrover

2 Answers

When you're communicating between servers you can use SSL to remain secure. The client and server establish a secure connection before sending any data about the request (i.e. the file name, the basic authentication creds, etc.).

As far as what lives on the client side, it's more of a question of how secure do you want to be. Since everything is JavaScript, especially so with PouchDB, you have to settle for one of two things

  1. Having a fancy switch that shows you menus or hides menus

    In this scenario you have a main screen with all the important menus. The user either supplies the right password, which takes them to that screen, or the program says "Error incorrect username or password". But since it's all in JavaScript, anyone with enough knowledge of your system could say something like MyApp.User.isLoggedIn = function() { return true; };.

  2. Encrypt what you need

    If there is sensitive data on the client side, you can ask them to supply their password and encrypt the sensitive data using that password. Depending on the payload, it may or may not be too performance intensive. You might have to implement your own sessions in this case so you don't end up keeping that password or sensitive data around in memory. Then all Eve would have to do is go to the JS console and hit console.log(MyApp.User.password);. Even though the password is hashed and salted (or should be), Eve likely still has access to the hash function and salt.

Good luck! Would love to hear what you come up with.

like image 156
fet Avatar answered Oct 18 '22 13:10

fet

If the username and password are to be provided by the user, you can present them with a login prompt and use a secure CouchDB session cookie. The cookie is tamper-proof and will be deleted when the browser session ends or you explicitly delete it.

like image 22
Will Holley Avatar answered Oct 18 '22 12:10

Will Holley
Sign in to Comment

Related questions

RequireJS Uncaught Error: Mismatched anonymous define() module
Web SQL transaction does not execute properly in javascript function
d3js: zooming when there are two y axes
Assigning colors to vertices in a geometry in Three.js
WebSocket Server isn't firing the handshake
Dropzone.js retry if ajax failed
Requirejs can't compile my dojo-dependent module
Google Translate BUTTON producing odd results on some pages
What is the correct prototype affectation in javascript inheritance?
A better way to set up observableArray of computed objects in Knockoutjs
KendoUI: How do I get the index of the clicked chart element's item inside an event
Node.js / Expess.js. Static router not recognized if used with wildcard router
How to optimize MarkerWithLabel on google maps when having too many markers
Amcharts shows data only on resize event
Why use void(0)? [duplicate]
Is this a simple debounce function in javascript?
Chrome loading script over http on https page
Ajax call inside each loop
Rotation of CSS arrow and javascript toggling
Angular Material Table filterPredicate

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!