 

REST API MongoDB Authentication

Tags:

mongodb

I am thinking of using MongoDB as my main database. However, my app is fully in JavaScript and I wanted to use the REST API client-side.

I still can't understand what security mechanisms I can use in order to make a JS call to the database without revealing all the data to all the users.

Please advise on this matter.

Regards, Donald

donald asked Sep 07 '11



1 Answer

First of all, you can enable database auth which will make the REST interface require authentication if connected to from a remote machine.

That said, it's a very bad idea to expose your database like you suggest. Build a persistence abstraction layer in a server technology you're comfortable with (node.js for example) and put all security constraints and authentication there. The advantages are numerous:

  • You can keep your API stable even if the MongoDB one changes. You can even replace it with another persistence solution if the need arises in most cases.
  • You can limit the load a single client can put on your database. If you expose the database directly there's very little you can do to avoid people doing expensive queries or even potentially corrupting writes.
  • You can often do smart app-side caching and optimization that is not possible if every client directly accesses the database (this depends a bit on the app in question though).
Remon van Vliet answered Oct 16 '22