Comments (5)
I agree the README needs some clarity. I am going to leave this issue open to remind me.
@SukantGujar you should find the answer to your question in the Database Security section of the README. SuperLogin doesn't do it for you (except on Cloudant). You need to study up on CouchDB security best practices and apply them yourself.
You can use the user-db-added event to seed a validate_doc_update design doc.
If you have read the README and the articles linked and are still having trouble let me know.
Yes Colin, I went through the Readme and from the security best practices link as well (thanks, it was really very thoughtful of you to provide that). As pointed out by Matt in his blog, CouchDB security is not very intuitive and I am still trying to understand it 😃 . I just wanted to know if Superlogin already gives me easier means to go ahead and secure private DBs, over vanilla CouchDB.
About having an authorization check within validate_doc_update, wouldn't Superlogin already add it for me if I keep it in one of the design docs used for privateDB? Then maybe I won't need to do it myself explicitly.
After posting this question yesterday, I went through CouchDB's documentation on security. Now I am inclined towards adding the private DB owner to its members collection, which should ensure only the owner can access it for read/write/replication needs. What are your thoughts?
If validate_doc_update is inside a designDoc under userDBs.model then it should automatically be seeded.
SuperLogin will automatically add the private DB owner's session token to its members collection when they log in, and will remove them when they log out of the session. You don't need to do this yourself.
In addition, if you look in config.example.js under userDBs.defaultSecurityRoles, you can copy what I have there and it will block anonymous rights by default. (Test it afterward to make sure. You will need to do this manually for databases that already exist.)
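The comment above says that a validate_doc_update function placed in a design doc under userDBs.model is seeded into each private DB, and that the owner's session is added to the members list. Below is an added example of what such an authorization check can look like, written for this thread rather than taken from SuperLogin's code or README. It uses CouchDB's real validation contract (the function receives newDoc, oldDoc, userCtx and secObj, and signals rejection by throwing an object with an unauthorized or forbidden key), but the owner field on documents, the sample user contexts and the runValidation harness are constructed assumptions for illustration. Note that SuperLogin puts a session token rather than a username into the members list, so a real deployment would key ownership on whatever identity your sessions expose.

```javascript
// Added example, not SuperLogin's own code. A CouchDB validate_doc_update
// function plus a small harness that mimics how the query server reacts to it:
// a thrown {unauthorized: ...} becomes HTTP 401, a thrown {forbidden: ...}
// becomes HTTP 403, and a normal return lets the write proceed.
// Written in ES5 style because CouchDB's JavaScript query server is SpiderMonkey.

// ASSUMPTION: every document carries an "owner" field equal to the CouchDB
// user name (userCtx.name) of whoever created it. SuperLogin does not mandate
// such a field; it is used here only to illustrate an ownership check.
function validateDocUpdate(newDoc, oldDoc, userCtx, secObj) {
  // secObj is the database's _security document. It is not consulted here
  // because CouchDB enforces the members list before validation runs.
  function isAdmin() {
    return userCtx.roles.indexOf('_admin') !== -1;
  }

  // 1. Refuse anonymous writes even if the _security doc is still empty.
  if (!userCtx.name) {
    throw { unauthorized: 'You must be logged in to write to this database.' };
  }

  // 2. Server admins may do anything (replication, repair, migrations).
  if (isAdmin()) {
    return;
  }

  // 3. Deletions: only the current owner may delete an existing document.
  if (newDoc._deleted) {
    if (oldDoc && oldDoc.owner !== userCtx.name) {
      throw { forbidden: 'Only the owner may delete this document.' };
    }
    return;
  }

  // 4. A document must be claimed by the user writing it ...
  if (newDoc.owner !== userCtx.name) {
    throw { forbidden: 'Document owner must match the authenticated user.' };
  }

  // 5. ... and ownership cannot be transferred by an update.
  if (oldDoc && oldDoc.owner !== newDoc.owner) {
    throw { forbidden: 'Document ownership cannot be changed.' };
  }
}

// Harness (assumption): mimics the status CouchDB would return for a write.
function runValidation(newDoc, oldDoc, userCtx, secObj) {
  try {
    validateDocUpdate(newDoc, oldDoc, userCtx, secObj || {});
    return { status: 201 };
  } catch (e) {
    if (e && e.unauthorized) { return { status: 401, reason: e.unauthorized }; }
    if (e && e.forbidden) { return { status: 403, reason: e.forbidden }; }
    throw e; // a bug in the validator, not a policy decision
  }
}

// Constructed sample user contexts and documents (not from the thread).
var anonymous = { name: null, roles: [] };
var alice = { name: 'alice', roles: [] };
var mallory = { name: 'mallory', roles: [] };
var admin = { name: 'root', roles: ['_admin'] };
var note = { _id: 'note1', owner: 'alice', text: 'private' };

// Runs the scenarios a practitioner would want to see and returns the statuses.
function demo() {
  return [
    runValidation(note, null, anonymous).status,                                   // 401
    runValidation(note, null, alice).status,                                       // 201
    runValidation(note, null, mallory).status,                                     // 403: not the owner
    runValidation({ _id: 'note1', owner: 'mallory', text: 'x' }, note, mallory).status, // 403: ownership transfer
    runValidation({ _id: 'note1', _deleted: true }, note, mallory).status,         // 403: non-owner delete
    runValidation({ _id: 'note1', _deleted: true }, note, admin).status            // 201: admin bypass
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Because CouchDB checks the members list before it ever calls validate_doc_update, step 1 only matters when the _security doc has not been populated yet (for example on a database that existed before defaultSecurityRoles was configured, which the comment above says must be fixed by hand). The ownership checks in steps 3 to 5 are what the members list cannot give you: they stop a legitimately authenticated member from rewriting or deleting documents that belong to someone else when more than one principal shares a database.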
Great, so looks like Superlogin already takes care of some of the steps to ensure privateDBs remain accessible only to their owners. IMHO, it may help adopters if the readme has some more clarity on the concept of privateDBs like how they are initialized and what default security features are already added. And what responsibilities should be handled by the adopters.
Thanks for all your help Colin, I am closing this issue.