How can I securely connect to Cloudant using PouchDB?
I am building a mobile app for Android and iOS using Cordova / PhoneGap and use an IBM Cloudant database for storage. I am using the PouchDB JavaScript library to access the Cloudant database. I currently have this code to access it:
    db = new PouchDB('https://[myaccount].cloudant.com/[mydb]', {
      auth: {
        username: 'myusername',
        password: 'mypassword'
      }
    });
I know this is extremely insecure and I am wondering if there is a safer way to connect to my database from an application?
+3
2 answers
One option you might consider is implementing a service (for example, running in the cloud) to register new users for your application. The registration logic might look something like this:
- The phone code contacts your app service requesting user registration
- The service contacts Cloudant to generate an API key that will be returned to the phone code
- The phone code stores the API key "username" and "password" on the device. These credentials are then used in the auth object:
    auth: { username: 'myusername', password: 'mypassword' }
+1
You are correct that Cloudant credentials should never be hardcoded in your client application.
One design pattern is to use a "one database per user" approach:
- the user is authenticated by your web app, which holds the Cloudant admin credentials
- the application creates a database for the authenticated user and generates a Cloudant API key with _reader and _writer access ( https://docs.cloudant.com/api.html#authorization )
- the application passes these credentials to the client (where they can be stored in a "local" PouchDB document, or simply kept in memory if you want your users to authenticate each time)
+1
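The registration service that both answers describe (generate a Cloudant API key, create a per-user database, grant only _reader and _writer, hand the key to the phone), as an added Node.js example that is not from the question or either answer. It assumes the legacy Cloudant HTTP API endpoints POST /_api/v2/api_keys, PUT /<db> and PUT /<db>/_security, and takes a fetch-compatible `request` function as a parameter so the flow can be run offline against the constructed fake at the bottom.

```javascript
// Added example, not from the question or either answer: the registration
// service both answers describe. Cloudant admin credentials live only here;
// the phone receives a per-user API key limited to its own database.
// Assumes the legacy Cloudant HTTP API (POST /_api/v2/api_keys, PUT /<db>,
// PUT /<db>/_security). `request` is injected (fetch-compatible) so the flow
// can be run offline against the constructed fake below.

async function provisionUser(userId, { account, adminUser, adminPass, request }) {
  const base = `https://${account}.cloudant.com`;
  const adminAuth = 'Basic ' + Buffer.from(`${adminUser}:${adminPass}`).toString('base64');
  const call = async (method, path, body, okStatuses = [200, 201]) => {
    const res = await request(base + path, {
      method,
      headers: { Authorization: adminAuth, 'Content-Type': 'application/json' },
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    if (!okStatuses.includes(res.status)) {
      throw new Error(`${method} ${path} failed with HTTP ${res.status}`);
    }
    return res.json();
  };

  // Derive the database name from an opaque user id (never an e-mail or name),
  // keeping only characters Cloudant allows in database names.
  const dbName = 'userdb-' + userId.toLowerCase().replace(/[^a-z0-9_$()+\/-]/g, '');

  // 1. Let Cloudant mint the key/password pair; the service never chooses secrets.
  const key = await call('POST', '/_api/v2/api_keys');
  // 2. Create the user's private database (412 = already exists, which is fine).
  await call('PUT', `/${dbName}`, undefined, [201, 412]);
  // 3. Grant only _reader and _writer on that single database; no admin role.
  await call('PUT', `/${dbName}/_security`, { cloudant: { [key.key]: ['_reader', '_writer'] } });

  // Returned to the phone; PouchDB uses `auth` for the remote database.
  return { url: `${base}/${dbName}`, auth: { username: key.key, password: key.password } };
}

// Constructed fake transport standing in for fetch(); records every call so the
// sequence and the security document can be checked without a Cloudant account.
function fakeCloudant() {
  const calls = [];
  const request = async (url, opts) => {
    calls.push({ method: opts.method, path: new URL(url).pathname, body: opts.body });
    const body = opts.method === 'POST' ? { ok: true, key: 'examplekey', password: 'examplesecret' } : { ok: true };
    return { status: 201, json: async () => body };
  };
  return { calls, request };
}
```

Against a real account, pass the global `fetch` as `request` and read the admin credentials from the service's environment; the object `provisionUser` returns is exactly what the phone code feeds to `new PouchDB(url, { auth })`.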