Question about sync gateway User Accounts mechanism


Souhail Marghabi

Mar 13, 2015, 11:14:52 AM
to mobile-c...@googlegroups.com
Greetings,

I have recently been working on an iOS app with Sync Gateway in the back. I have created channels filtered by userIds (derived from a document attribute). I used the usual "requireUser()" to filter the sync, but I have been told that I also need to configure user accounts so each has access to the channel with the corresponding name, e.g. for user “foo” add “profile-foo” to the admin_channels property. I don't have predefined user accounts since the user is created dynamically on the first app launch after the user enters his data in a "profile" document. In the "users" part of the sync config I had "GUEST" set to disabled and the filtering channels have a format of channel("documentID" +doc.userID). I got pretty confused about how I should configure the user accounts admin_channel property. I am probably misunderstanding something.

Can anyone help please?

Adam Fraser

Mar 13, 2015, 12:37:23 PM
to mobile-c...@googlegroups.com
Have you reviewed the documentation for authorizing user access?  It provides a good overview of granting users access to channels.

You can make an access() call in your sync function to grant a user access to a specific channel - it sounds like that's what you want to do in your case.

Thanks,
Adam

Souhail Marghabi

Mar 13, 2015, 12:55:39 PM
to mobile-c...@googlegroups.com
Thanks for the link. My confusion is actually related to the scenario I am trying to simulate:
  • I have channels named by userIDs. I have two documents, one profile and "responseQuestionnaire". Only the "owner" of the document (recognized by a key "idclient") can access and sync with it; an example is below.
  • How do I enforce this rule in the sync config, knowing that I don't really have "accounts with passwords etc." and I put "guest enabled" in the "users" part of the JSON sync config?
  • If it's the case, do I need to create an account (admin console) for each user opening my app and updating/syncing data in it? (I don't have a predefined set of users.)
  • Snippet from config file:

        if (doc.type == "ReponseQuestionnaire") {
            // give user access to his survey answers
            var user = doc.idClient.substring(doc.idClient.indexOf(":") + 1);
            access(user, "survey-" + user);
            // add doc to user's channel
            channel("reponseQuestionnaire- " + user);
            requireUser(user);
        }

        "users": {
            "GUEST": {
                "disabled": false, "admin_channels": ["*"]
            }
        },


James Nocentini

Mar 15, 2015, 8:15:12 PM
to mobile-c...@googlegroups.com
If you enable the GUEST account, the only way to give it access to documents is through the admin_channels property in the GUEST config object. The access call in the sync function won't work.

In your case, I think you should create users instead. 
Check this guide to create a user via the Admin REST API http://developer.couchbase.com/mobile/develop/guides/sync-gateway/administering-sync-gateway/authenticating-users/index.html#custom--indirect--authentication
The username could be the user id and the password a randomly generated string stored on the device or one chosen by the user.
Then you can pass in those credentials to the replications and get filtered sync according to the sync function.
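
One way to build the user-creation call for the server-side component discussed in this thread, as an added example that is not code from any poster or from Couchbase. The `/{db}/_user/` path and admin port 4985 are the ones named in the thread; the function names, the loopback binding, the id allow-list and the server-generated hex password are assumptions of this sketch.

```javascript
const crypto = require("crypto");
const http = require("http");

const ADMIN_HOST = "127.0.0.1"; // assumption: admin port is bound to loopback only
const ADMIN_PORT = 4985;        // Sync Gateway admin port, never exposed to the app

// Build the Admin REST request for a new user. The password comes from a
// CSPRNG on the server, so a client cannot pick a weak or reused one.
function buildCreateUserRequest(db, userId) {
  // Hypothetical allow-list: keeps names safe inside URL paths and channel names.
  const safe = /^[A-Za-z0-9_-]{1,64}$/;
  if (!safe.test(db)) throw new Error("invalid database name");
  if (!safe.test(userId)) throw new Error("invalid user id");
  const password = crypto.randomBytes(24).toString("hex");
  const body = JSON.stringify({ name: userId, password: password });
  return {
    password: password,
    body: body,
    options: {
      host: ADMIN_HOST,
      port: ADMIN_PORT,
      method: "POST",
      path: "/" + db + "/_user/",
      headers: {
        "Content-Type": "application/json",
        "Content-Length": Buffer.byteLength(body),
      },
    },
  };
}

// Send the request. Credentials are returned only on 201 Created; any other
// status is treated as a failure and nothing is handed back to the device.
function provisionUser(db, userId) {
  const req = buildCreateUserRequest(db, userId);
  return new Promise((resolve, reject) => {
    const r = http.request(req.options, (res) => {
      res.resume(); // drain the response body
      if (res.statusCode === 201) resolve({ name: userId, password: req.password });
      else reject(new Error("Sync Gateway returned " + res.statusCode));
    });
    r.on("error", reject);
    r.end(req.body);
  });
}
```

The service calling `provisionUser` still has to decide whether the caller is allowed to register, which this sketch leaves out.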

Souhail Marghabi

Mar 16, 2015, 6:56:29 AM
to mobile-c...@googlegroups.com
Hello,

Thanks for your reply, I think I am seeing things clearer now: So I need to have one couch sync user account per app user if I am to filter syncing and access to restricted documents such as "profile Information".

My one issue is how to dynamically create users each time a document called "profile" is created through my iOS app. I have read in the link that to create users, we would need to do a POST request from the server (Couchbase Server + sync is hosted in AWS in my case) /$DB/_user/ (I am not sure what the URL would look like).

Though I don't really have a static number of app users so I am still not sure how I should dynamically create user accounts for each user who created a "profile" object/document through my app on first usage ==> I know from the iOS side I can construct a URL for replication like http://%@:%@@192.168.3.3:4984/myBase with username and password, but my issue is still how to dynamically create couch sync user accounts (I guess from my iOS client app??)

PS: if I remove the admin channels attribute from GUEST, would the channel() and access() still be executed? How should my couch sync config change (in the "users" part) to work well for my scenario?

Sorry for the long post, I just didn't find any doc addressing this kind of matter (unknown number of users + filtering access to docs by their _id) besides using Facebook or Persona auth.



James Nocentini

Mar 16, 2015, 10:21:09 AM
to mobile-c...@googlegroups.com
> Hello,
>
> Thanks for your reply, I think I am seeing things clearer now: So I need to have one couch sync user account per app user if I am to filter syncing and access to restricted documents such as "profile Information".
>
> My one issue is how to dynamically create users each time a document called "profile" is created through my iOS app. I have read in the link that to create users, we would need to do a POST request from the server (Couchbase Server + sync is hosted in AWS in my case) /$DB/_user/ (I am not sure what the URL would look like).

Yes you can create users by doing a POST request to <ip_address>:4985/$DB/_user/ with the user info in the JSON body  {"name": "John", "password": "letmein"}
Notice the request is made to port 4985 which is the admin port and won't be accessible to your iOS app. So you can add a small web server in the language of your choice that verifies the iOS app can create a user.
If you get a 201 status code back from the server you can store those credentials in the iOS app and pass them to the replication method every time you want to kick off a sync and authenticate with Sync Gateway. This will only replicate the documents this user has access to (from the rules defined in the sync function).


> Though I don't really have a static number of app users so I am still not sure how I should dynamically create user accounts for each user who created a "profile" object/document through my app on first usage ==> I know from the iOS side I can construct a URL for replication like http://%@:%@@192.168.3.3:4984/myBase with username and password, but my issue is still how to dynamically create couch sync user accounts (I guess from my iOS client app??)
>
> PS: if I remove the admin channels attribute from GUEST, would the channel() and access() still be executed? How should my couch sync config change (in the "users" part) to work well for my scenario?

GUEST account means that requests made to Sync Gateway without an Authorization header are processed normally.
There's just one GUEST account and the access rules are hard coded in the admin_channels key so that won't work.
In your case you can just disable the GUEST account and use the sync function with access() and channel().
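
The owner-only rule this thread arrives at (GUEST disabled, enforcement in the sync function), as an added example that is not code from any poster or from Couchbase. `syncFn` uses one channel name for both routing and the grant; `makeGateway` is a constructed, simplified stand-in for the Sync Gateway runtime that only models `requireUser()`, `channel()` and `access()`, and the documents and user names are sample data.

```javascript
// Helpers a sync function calls; the stand-in below binds them for each write.
let requireUser, channel, access;

// Sync function: a ReponseQuestionnaire document is writable only by its
// owner and is routed to a channel that only the owner is granted.
function syncFn(doc, oldDoc) {
  if (doc.type == "ReponseQuestionnaire") {
    var user = doc.idClient.substring(doc.idClient.indexOf(":") + 1);
    requireUser(user);          // reject writes from any other account first
    var ch = "survey-" + user;  // same name for routing and for the grant
    channel(ch);
    access(user, ch);
  }
}

// Constructed stand-in for the gateway: applies writes, tracks channels/grants.
function makeGateway() {
  const docChannels = new Map(); // doc id -> channels the doc is routed to
  const grants = new Map();      // user name -> Set of granted channels
  return {
    // Returns 201 when the write is accepted, 403 when requireUser() rejects it.
    put(asUser, doc) {
      const chans = [], pending = [];
      requireUser = (name) => { if (asUser !== name) throw { forbidden: "wrong user" }; };
      channel = (c) => chans.push(c);
      access = (u, c) => pending.push([u, c]);
      try { syncFn(doc, null); } catch (e) {
        if (e && e.forbidden) return 403; // nothing from a rejected write is kept
        throw e;
      }
      docChannels.set(doc._id, chans);
      for (const [u, c] of pending) {
        if (!grants.has(u)) grants.set(u, new Set());
        grants.get(u).add(c);
      }
      return 201;
    },
    // Ids of the documents a user would receive when pulling.
    visibleTo(user) {
      const mine = grants.get(user) || new Set();
      return [...docChannels].filter(([, cs]) => cs.some((c) => mine.has(c))).map(([id]) => id);
    },
  };
}

// Constructed sample writes: the owner, then another user forging the owner id.
const demo = makeGateway();
const owner = { _id: "rq-alice", type: "ReponseQuestionnaire", idClient: "client:alice" };
console.log(demo.put("alice", owner));                                // 201
console.log(demo.put("bob", Object.assign({}, owner, { _id: "rq-forged" }))); // 403
console.log(demo.visibleTo("bob"));                                   // []
```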