Security and User Authentication


Steve

Nov 1, 2014, 8:49:31 AM
to mobile-c...@googlegroups.com
Trying to get my head around user authentication in Couchbase Lite*. Can I simply prompt the user for their username and password and then use something like the following?

auth = [CBLAuthenticator basicAuthenticatorWithName: @"<username>"
                                          password: @"<password>"];

(from Pro Couchbase Server by David Ostrovsky and Yaniv Rodenski. ISBN-13: 978-1430266136)

Is this secure if the remote Couchbase server URL employs http rather than https? Can a remote Couchbase server even employ https? I assume I can't encrypt the username and password in the line above.


*=Has Couchbase Lite changed its name to Couchbase Mobile?

Steve

Nov 1, 2014, 9:08:41 AM
to mobile-c...@googlegroups.com
Doh! I see the code from Pro Couchbase Server is remarkably similar to the code here.

Also, I see from the Couchbase Mobile documentation that the remote Couchbase server can employ https and this seems to be mandatory if wanting to use Basic Authentication in a secure manner.

Jeremy Kelley

Nov 1, 2014, 12:47:11 PM
to mobile-c...@googlegroups.com
I went down this route for a while but I will recommend against it if you are going to have any other methods of accessing the data in Couchbase.

Instead I have written an api that pulls the user record with stored encrypted password from couchbase, verifies identity and then using the admin port of the sync gateway creates a session and returns that to the app. The app then uses that session to sync. I found that trusting the user record in sync gateway to be the authority on user identification was onerous for users to access data from other places (web, etc)

-j

Sent from my iPhone

--
You received this message because you are subscribed to the Google Groups "Couchbase Mobile" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mobile-couchba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mobile-couchbase/ce904de9-3636-41ec-853b-c9fc331220c8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jens Alfke

Nov 3, 2014, 2:02:34 PM
to mobile-c...@googlegroups.com
On Nov 1, 2014, at 9:47 AM, Jeremy Kelley <nods...@gmail.com> wrote:

I went down this route for a while but I will recommend against it if you are going to have any other methods of accessing the data in Couchbase.

Instead I have written an api that pulls the user record with stored encrypted password from couchbase, verifies identity and then using the admin port of the sync gateway creates a session and returns that to the app. The app then uses that session to sync.

That's one way of doing it. The basic recipe for custom authentication is discussed in the Sync Gateway documentation. You can write your own username/password store, or you can use LDAP or whatever.

I found that trusting the user record in sync gateway to be the authority on user identification was onerous for users to access data from other places (web, etc)

Can you explain? There's a REST API for accessing user accounts, and it's pretty easy to authenticate a username/password pair by e.g. making a "GET /db" request with basic auth or "POST /db/_session" to create a session cookie.

—Jens
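The flow Jeremy describes and the `POST /db/_session` call Jens mentions, as an added Python sketch that is neither from this thread nor Couchbase's own code: the API server verifies the password against its own stored hash, then asks Sync Gateway's admin port for a session and hands only that session to the app. The admin base URL (default port 4985), the `name`/`ttl` request fields and the sample reply are assumptions or constructed values; the last two functions show why the `basicAuthenticatorWithName:password:` line in Steve's first post is base64, not encryption, and so needs HTTPS.

```python
import base64, hashlib, hmac, json, os

# Constructed sample reply from Sync Gateway's admin port; the values are made up.
SAMPLE_ADMIN_RESPONSE = ('{"session_id": "c0ffee-constructed", '
                         '"expires": "2014-11-05T12:00:00Z", "cookie_name": "SyncGatewaySession"}')

def make_user_record(name, password, iterations=200_000):
    """The backend's own user object: a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"name": name, "salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_password(record, password):
    """Constant-time comparison of the submitted password against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def build_admin_session_request(db, username, ttl=86400,
                                admin_base="http://localhost:4985"):
    """Request the API server sends to the admin port (assumed default 4985).
    The admin port must only be reachable from the API server, never from the app."""
    return {"method": "POST", "url": f"{admin_base}/{db}/_session",
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"name": username, "ttl": ttl})}

def session_for_app(admin_response_json):
    """Extract what the app needs to set its sync cookie; nothing else leaves the server."""
    reply = json.loads(admin_response_json)
    return {"cookie_name": reply["cookie_name"], "session_id": reply["session_id"],
            "expires": reply["expires"]}

def login(record, username, password, db):
    """Whole flow: verify against the backend record, then mint a Sync Gateway session."""
    if record["name"] != username or not verify_password(record, password):
        return None
    return build_admin_session_request(db, username)

def basic_auth_header(username, password):
    """What a basic authenticator puts on the wire: base64 encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def decode_basic_auth(header):
    """Anyone who can read a plain-http request reverses it trivially, hence HTTPS."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
```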

Jeremy Kelley

Nov 3, 2014, 3:45:30 PM
to mobile-c...@googlegroups.com
Jens - the API docs were definitely helpful in me implementing this.
I may open source portions of my api server to help others once I can
catch my breath.

The short version is that I ended up having user records in the sync
gateway but then also a user object (accompanying views) in couchbase.
If the sync gateway was going to use the same user object in the
shadow db, that'd be one thing I suppose.

It just got odd to have my API pulling a record from couchbase then
trying to auth to the sync gateway, even if my infrastructure I was
sync'ing to wasn't on the same network as the gateway.

By moving to my user object being the authoritative information about
the user, then using the admin api to create a sync session, it just
seems to have cleaned that up.

I don't feel that I'm describing my situation properly at the moment.
Crunched for time a bit right now.

I'll know in a week or two if this change makes more sense as I
complete more pieces of my infrastructure.

-j
--
The Christian ideal has not been tried and found wanting;
it has been found difficult and left untried – G. K. Chesterton