Sync Gateway - How to prevent document editing via REST interface?


Chris Fuentes

Jan 22, 2015, 2:46:33 PM
to mobile-c...@googlegroups.com
If a user were to become aware of their credentials and the sync gateway url, what could prevent them from modifying any document to which their account had access (via sync function)?

Is there a way to privatize the interface to only be accessible via CBL SDK replications? 

Jens Alfke

Jan 22, 2015, 3:08:33 PM
to mobile-c...@googlegroups.com
On Jan 22, 2015, at 11:46 AM, Chris Fuentes <ch...@crowdcomfort.com> wrote:

> If a user were to become aware of their credentials and the sync gateway url, what could prevent them from modifying any document to which their account had access (via sync function)?

Nothing. That's what the credentials give them access to.

> Is there a way to privatize the interface to only be accessible via CBL SDK replications?

Keep the credentials secret somehow, maybe by encrypting them in the client app?

This question doesn't really make sense to me. The server needs to perform the necessary authorization and data validation; it can't rely on a client app to do it. So if you're trying to use the client as your source of security and data integrity, it's not going to work.

A determined user can always go around the app to talk to the service directly. With my OAuth token I can use 'curl' to talk to Twitter or Facebook or Gmail or whatever.

—Jens

Chris Fuentes

Jan 22, 2015, 4:08:50 PM
to mobile-c...@googlegroups.com
Some of our documents contain 'account information' which should not be manipulated by clients outside of our backend's app logic. It sounds like the only way to prevent this is to ensure that users are never aware of their own CBL REST credentials, correct? We have already taken steps to obscure them, but I thought 'security through obscurity' was never considered a best practice?

I suppose if it was an SSL connection, they could never learn the creds, no?

Jens Alfke

Jan 22, 2015, 4:25:07 PM
to mobile-c...@googlegroups.com

On Jan 22, 2015, at 1:08 PM, Chris Fuentes <ch...@crowdcomfort.com> wrote:

> Some of our documents contain 'account information' which should not be manipulated by clients outside of our backend's app logic.

Sounds like user accounts shouldn't be allowed to modify those docs, then. Have the sync function reject changes unless they're made by a privileged account, and have your back-end authenticate its changes with that privileged account.

—Jens
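
The approach described in the reply above, as an added example that is not part of the original thread or of Couchbase's code: a sync function that rejects writes to protected documents unless the caller holds a privileged role. The `type`/`owner` fields, the `account` type, the `backend` role, the `user-` channel prefix and the small harness standing in for Sync Gateway's `requireUser`, `requireRole` and `channel` helpers are assumptions made for the illustration.

```javascript
// Stand-ins (constructed for this example) for the helpers Sync Gateway
// supplies to the sync function at run time.
let caller = { name: null, roles: [] };
let channels = [];
function requireUser(name) {
  if (caller.name !== name) throw { forbidden: "wrong user" };
}
function requireRole(role) {
  if (!caller.roles.includes(role)) throw { forbidden: "missing role" };
}
function channel(name) { channels.push(name); }

// The sync function itself. "account", "owner" and "backend" are assumed names.
function sync(doc, oldDoc) {
  // A deletion arrives as a tombstone without app fields, and a client could
  // also rewrite `type`, so classify by the stored revision when there is one.
  var prev = oldDoc || {};
  var isAccount = prev.type === "account" || doc.type === "account";
  var owner = oldDoc ? oldDoc.owner : doc.owner;
  if (isAccount) {
    requireRole("backend");   // only the privileged back-end account may write
  } else {
    requireUser(owner);       // ordinary docs: only their owner may write
  }
  if (!doc._deleted) {
    if (doc.owner !== owner) throw { forbidden: "owner is immutable" };
    channel("user-" + owner); // the owner can still pull (read) the doc
  }
}

// Run one simulated write; returns "ok" or the rejection reason.
function attempt(user, doc, oldDoc) {
  caller = user; channels = [];
  try { sync(doc, oldDoc || null); return "ok"; }
  catch (e) { if (e && e.forbidden) return "forbidden: " + e.forbidden; throw e; }
}

// Constructed sample callers and a stored account document.
const alice = { name: "alice", roles: [] };
const backend = { name: "svc", roles: ["backend"] };
const stored = { type: "account", owner: "alice", plan: "free" };
const upgraded = { type: "account", owner: "alice", plan: "gold" };
console.log(attempt(alice, upgraded, stored));                          // edit
console.log(attempt(alice, { type: "note", owner: "alice" }, stored));  // retype
console.log(attempt(alice, { _deleted: true }, stored));                // delete
console.log(attempt(backend, upgraded, stored));                        // back-end
```

The retype and delete cases are the ones a check on `doc.type` alone would miss, because the incoming revision no longer says it is an account document.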

Chris Fuentes

Jan 23, 2015, 1:18:11 PM
to mobile-c...@googlegroups.com
I didn't realize the sync function could reject changes - I thought it was only for determining which documents to sync to which accounts. 

I haven't found any documentation regarding the full scope of what the `sync` function can do - just sample code. Is there a full API/reference somewhere for sync functions, particularly for this type of action (change control)?

Jens Alfke

Jan 23, 2015, 4:00:11 PM
to mobile-c...@googlegroups.com

On Jan 23, 2015, at 10:18 AM, Chris Fuentes <ch...@crowdcomfort.com> wrote:

> I haven't found any documentation regarding the full scope of what the `sync` function can do - just sample code. Is there a full API/reference somewhere for sync functions, particularly for this type of action (change control)?

The Sync Gateway docs are here. The introduction to the Sync Function API is a click away here. Make sure to read the Validation & Authorization and Routing pages too.

—Jens

Chris Fuentes

Jan 23, 2015, 4:48:58 PM
to mobile-c...@googlegroups.com
Wow I totally missed that - thanks!