What's the best security practice to follow while using PouchDB on the client-side to access a remote server?
The example on https://pouchdb.com/getting-started.html syncs with the remote server with the code:
var remoteCouch = 'http://user:[email protected]/todos';
The problem is I probably don't want the user to see the plaintext password in a file they can download -- even if that file is shown to the authenticated users only.
Please advise. Thanks in advance.
Here's a really good article regarding all things auth for CouchDB.
I've got a production server with CouchDB configured to use HTTP over localhost but external requests require HTTPS redirected via stunnel to CouchDB.
On the client I use PouchDB to maintain a local, replicated db. As part of the handshake to establish communication with CouchDB over HTTPS, the software acquires CouchDB credentials from another server - the credentials are never stored client side.
pouchdb-authentication is a good plugin, but I've found it better to handle auth personally.
Every site user should have his own CouchDB user. As @onno suggests, use HTTPS and the user's login credentials to access CouchDB. Passwords should never be available in client-side JavaScript.
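The pattern the two answers above describe, as an added example that is not code from the question, the answers, or the PouchDB project: the client obtains per-user CouchDB credentials from the app's own server at runtime, keeps them only in memory, and attaches them to each request through PouchDB's `fetch` constructor option rather than embedding `user:pass@` in the remote URL. The `/api/couch-credential` endpoint, its JSON response shape, and the injectable `fetchImpl`/`baseFetch` parameters are assumptions made for this example.

```javascript
// Added example (not from the question or answers). Per-user CouchDB credentials
// are fetched from the app's own server at runtime, held only in memory, and
// attached per request via PouchDB's `fetch` option. The /api/couch-credential
// endpoint and its JSON shape are assumptions.

// Reject remote URLs that embed `user:pass@`, the pattern the question worries about.
function assertNoEmbeddedCredentials(remoteUrl) {
  const u = new URL(remoteUrl);
  if (u.username || u.password) {
    throw new Error('remote URL must not embed credentials for host ' + u.host);
  }
  return u.toString();
}

// Fetch a short-lived, per-user CouchDB credential using the app session token.
// `fetchImpl` is injected so the code also runs offline.
async function fetchCouchCredential(fetchImpl, sessionToken) {
  const res = await fetchImpl('/api/couch-credential', {          // assumed endpoint
    method: 'POST',
    headers: { Authorization: 'Bearer ' + sessionToken },
  });
  if (!res.ok) throw new Error('credential endpoint returned ' + res.status);
  return res.json();   // assumed shape: { username, password, expiresAt } (epoch ms)
}

// Keep the credential in a closure (never localStorage or page source) and
// refresh it shortly before expiry so live replication keeps working.
function makeCredentialProvider(fetchImpl, sessionToken, now = Date.now) {
  let cached = null;
  return async function getCredential() {
    if (!cached || cached.expiresAt - now() < 30_000) {
      cached = await fetchCouchCredential(fetchImpl, sessionToken);
    }
    return cached;
  };
}

// The `fetch` PouchDB calls for every remote request: adds a Basic header from
// the current credential, then delegates to `baseFetch` (PouchDB.fetch in the
// browser, a stub in tests).
function makeAuthenticatedFetch(getCredential, baseFetch) {
  return async function authenticatedFetch(url, opts = {}) {
    const cred = await getCredential();
    const headers = new Headers(opts.headers || {});
    headers.set('Authorization', 'Basic ' + btoa(cred.username + ':' + cred.password));
    return baseFetch(url, { ...opts, headers });
  };
}
// Browser wiring (needs PouchDB): remote = new PouchDB(assertNoEmbeddedCredentials(url),
//   { fetch: makeAuthenticatedFetch(makeCredentialProvider(fetch, token), PouchDB.fetch) });
//   then local.sync(remote, { live: true, retry: true }).
```

Because the credential is short-lived and scoped to one CouchDB user, a leaked copy is worth far less than a static password in the bundle, and the server side can revoke or rotate it per user.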