How can I securely connect to Cloudant using PouchDB?

I am building a mobile app for Android and iOS using Cordova / PhoneGap and use an IBM Cloudant database for storage. I am using the PouchDB JavaScript library to access the Cloudant database. I currently have this code to access it ...

db = new PouchDB('https://[myaccount].cloudant.com/[mydb]', {
    auth: {
      username: 'myusername',
      password: 'mypassword'
    }
});

      

I know this is extremely insecure and I am wondering if there is a safer way to connect to my database from an application?

+3




2 answers


One option you might consider is implementing a service (for example, running in the cloud) to register new users for your application. The registration logic might look something like this:



  • The phone code contacts your app service requesting user registration
  • The service contacts Cloudant to generate an API key that will be returned to the phone code
  • The phone code stores the API key "username" and "password" on the device. These credentials are then used in the object auth: { username: 'myusername', password: 'mypassword' }.
+1




You are correct that Cloudant credentials should never be hardcoded in your client application.

One design pattern is to use a "one database per user" approach:



  • the user is authenticated with your web app, which has Cloudant admin credentials
  • the application creates a database for the authenticated user and provides a Cloudant API key with _reader and _writer access ( https://docs.cloudant.com/api.html#authorization )
  • the application binds these credentials to the client (where they can be stored in a "local" PouchDB document or simply stored in memory if you want your users to authenticate each time)
+1
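The provisioning step that both answers describe (a service that creates a per-user database and hands the device a scoped API key) could look like the sketch below. It is an added example, not code from either answer. The `request` helper, `provisionUser`, `grantKey`, `dbNameFor` and `fakeCloudant` are hypothetical names, and the paths assume Cloudant's `/_api/v2/api_keys` and `/_api/v2/db/{db}/_security` endpoints.

```javascript
// Server-side provisioning for the "one database per user" pattern.
// `request(method, path, body)` is a hypothetical injected HTTP helper that
// calls Cloudant with the admin credentials and resolves to the parsed JSON.

// Hex-encode the user id so it is always a valid, lowercase database name
// and can never inject extra path segments.
function dbNameFor(userId) {
  return 'userdb-' + Buffer.from(String(userId), 'utf8').toString('hex');
}

// PUT _security replaces the whole document, so merge into the current one.
function grantKey(securityDoc, key) {
  const cloudant = Object.assign({}, securityDoc.cloudant);
  cloudant[key] = ['_reader', '_writer']; // device keys never get _admin
  return Object.assign({}, securityDoc, { cloudant });
}

async function provisionUser(request, account, userId) {
  const db = dbNameFor(userId);
  await request('PUT', '/' + db); // create the user's database
  const { key, password } = await request('POST', '/_api/v2/api_keys');
  const secPath = '/_api/v2/db/' + db + '/_security';
  const current = await request('GET', secPath);
  await request('PUT', secPath, grantKey(current, key));
  // Only the scoped key goes back to the phone, never the admin login.
  const url = 'https://' + account + '.cloudant.com/' + db;
  return { url, username: key, password };
}

// Constructed in-memory stand-in for Cloudant so the example runs offline.
function fakeCloudant() {
  const state = { dbs: {}, calls: [] };
  state.request = async (method, path, body) => {
    state.calls.push(method + ' ' + path);
    if (method === 'POST' && path === '/_api/v2/api_keys') {
      return { ok: true, key: 'constructed-key', password: 'constructed-secret' };
    }
    const sec = path.match(/^\/_api\/v2\/db\/(.+)\/_security$/);
    if (sec && method === 'GET') return state.dbs[sec[1]];
    if (sec && method === 'PUT') { state.dbs[sec[1]] = body; return { ok: true }; }
    if (method === 'PUT') { state.dbs[path.slice(1)] = {}; return { ok: true }; }
    throw new Error('unexpected call ' + method + ' ' + path);
  };
  return state;
}
```

On the device, the returned `url`, `username` and `password` take the place of the account URL and credentials in the `new PouchDB(..., { auth: ... })` call, so a leaked key exposes one user's database rather than the whole account.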








