CouchDB and Cloudant Security

We used CouchDB in production mainly to build applications in controlled environments. In most cases, we use a mid-level library for direct calls to couchdb/cloudant, so we avoid direct calls (straightforward JavaScript calls directly to couchdb/cloudant).

For security reasons, it’s obvious that for an authenticated CouchDB database:

http://{username}:{password}@IPAddress:Port/DB

OR for cloudant:

https://{username}:{password}@username.cloudant.com/DB

If the call is made directly from JavaScript, the developer tools in browsers today allow a person to implement this call and, therefore, have full access to your database.

Attachments are usually painful when handled in a facility. It is beneficial to make the cloud handle cache and supply attachments directly to the front, which means free our middle dishes from this. However, on the Internet and with a huge audience, direct calls to our cloud environment are complex.

We started, first of all, a cloud account for all attachments, so the inquisitive boy will not interfere with the actual metadata or information of our users. Thus, the only cloud account that they can access is access to attachments, as we make direct JavaScript calls to our database.

Question: How do we find the way we hide the username and password of our cloud environment, thereby allowing us to safely make direct JavaScript calls to cloudant? Our infrastructure is completely in the cloud, so we do not have proxies and applications for work. We heard about the reduction of Url services, CDNs etc, but we did not come up with a really convincing solution.

+5
2 answers

Try using the _session endpoint. This will set cookie authentication.

0

How to find the way we hide the username and password of our cloud environment, thereby allowing us to safely make direct JavaScript calls to cloudant?

As far as I know, you cannot do this without using middleware or some kind of proxy. But this does not mean that we are completely defenseless. CouchDB gives us some spears to poke inquisitive boy :)

So good of what you did to make the attachment database separate. You did not mention in your question if you use the CouchDB authorization scheme, so I assume that you do not. So, the first step is to create a user in the CouchDB _users, and then assign it as a member in the attachment database. More details here and here.

After this step, you should have a member of the attachment database. The reason we want the member, not the admin, is because the members do not have permission to write or read project documents.

This is the beginning, but this is not enough, since the member can still read through _all_docs and this is the DoS attack right there. So, the problem we are facing right now is that we are doing this at the moment

https://{username}:{password}@username.cloudant.com/DB

A very good move is to change it to

https://{username}:{password}@someurl.com/

What is the difference between the two? It hides the location of your database and makes it difficult to access built-in methods. This can be done using the vhosts configuration and some rewrite rules. Some very good things on Caolan's blog too.

With this in place, you have two things for you.

  • stalker inquisitive boy will not understand where the challenges go.

  • He will not be able to get the contents of unknown documents by making direct calls. He can access your database only through the rules you set.

Still not 100% safe, but no matter how safe the reading level is. Hope this helps.

0
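The member-only setup and the _session login described in the two answers above, as an added example that is not part of the original posts. It assumes plain CouchDB-style _security objects; the user name attachments_reader and all function names are hypothetical.

```javascript
// Added example, not code from the answers. All names are hypothetical.

// Document to PUT at /_users/org.couchdb.user:<name>.
// CouchDB replaces the plain "password" field with a salted hash on write.
function userDoc(name, password) {
  return { _id: `org.couchdb.user:${name}`, name, password, type: "user", roles: [] };
}

// Body to PUT at /<db>/_security so that `name` is a member and not an admin.
function memberSecurity(name) {
  return { admins: { names: [], roles: [] }, members: { names: [name], roles: [] } };
}

// Request that trades the credentials once for an AuthSession cookie,
// so later calls do not carry username:password in the URL.
function sessionRequest(name, password) {
  return {
    method: "POST",
    path: "/_session",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ name, password }),
  };
}

// Review a _security object before browsers are pointed at the database.
function auditSecurity(sec, name) {
  const list = (group, key) => (sec && sec[group] && sec[group][key]) || [];
  const findings = [];
  // Empty members.names and members.roles means the database is public.
  if (list("members", "names").length === 0 && list("members", "roles").length === 0) {
    findings.push("no members set: database is open to unauthenticated requests");
  }
  // A database admin can write design documents and change _security.
  if (list("admins", "names").includes(name)) {
    findings.push(`${name} is a database admin, not just a member`);
  }
  return findings;
}

// Constructed sample run.
const reader = "attachments_reader";
console.log(userDoc(reader, "example-password")._id);
console.log(auditSecurity(memberSecurity(reader), reader)); // no findings
console.log(auditSecurity({ admins: { names: [reader] } }, reader));
```

The browser still holds the member's credentials at login time, so this limits what they can do rather than hiding them.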

Source: https://habr.com/ru/post/1201705/

