Couchbase Lite local URL wrong?

[Eno]

We are trying to use Couchbase Lite with Cordova (i.e. PhoneGap). On the Android side we're using the REST API to talk to Couchbase without any problems, however we cannot get this to work on the iOS side at all. Looking at the console logs we see:

Couchbase Lite url = http://lite.couchbase./

which comes from CBLite.m and doesn't look like real URL we can connect to via HTTP (on the Android side we can talk HTTP to http://localhost:5984 so the above URL is confusing). Any ideas on what we're doing wrong? Im not an iOS developer so if Im misunderstanding how this is supposed to work can someone explain?

[Jens Alfke]

> On Dec 15, 2014, at 1:36 PM, Eno <sym...@gmail.com> wrote:
>
> Couchbase Lite url = http://lite.couchbase./
>
> which comes from CBLite.m and doesn't look like real URL we can connect to via HTTP (on the Android side we can talk HTTP to http://localhost:5984 so the above URL is confusing). Any ideas on what we're doing wrong? Im not an iOS developer so if Im misunderstanding how this is supposed to work can someone explain?

That's the correct URL. CBL on iOS doesn't open a real TCP port, instead it registers a handler that watches HTTP requests and intercepts ones to that hostname. This is cheaper and safer than using TCP (but not an option on Android, alas.)

—Jens

[Andrew]

That's interesting...I didn't know about that since we were exploring iOS side first. And yes, it is a correct URL for iOS...

So can anyone connect to this port on Android if they know your IP ?? That creates a bit of a security issue if you ask me...

[Jens Alfke]

On Dec 17, 2014, at 4:31 AM, Andrew <andrzej....@gmail.com> wrote:

So can anyone connect to this port on Android if they know your IP ?? That creates a bit of a security issue if you ask me...

Traun or JChris can give a definitive answer since one of them wrote the code. My understanding is that the listener socket is bound only to the loopback interface (127.0.0.1) so it's not reachable from another host. It might still be reachable from another process running on the same device, though, if it decided to run a port-scan on localhost (but again, don't take my word for that.)

—Jens

[J. Chris Anderson]

Additionally on Android there is a random basic-auth token that must be passed with REST requests, to keep other apps from snooping on localhost. See allowedCredentials here.

Chris

 

—Jens

[Andrew]

I checked it out ...it still looks like credentials are on the wire in clear text...can't this be traced quite easily with some network monitoring tools ? Perhaps using https would be more appropriate or at least a baseline approach?

Or am I not understanding this correctly?

[Jens Alfke]

On Dec 17, 2014, at 2:35 PM, Andrew <andrzej....@gmail.com> wrote:

I checked it out ...it still looks like credentials are on the wire in clear text…

There's no wire (or even WiFi.) The loopback interface just routes data between processes on the same device; no data ever goes onto any network. It's impossible to intercept the data unless you have root privileges on that device.

—Jens