How to Get Sync Channels working with Per User Access Restrictions

Hello All,

I’m like lost with Couchbase Lite. I have read Channels (How to Use Channels in Sync Gateway - The Couchbase Blog) and SYNC API (Couchbase Capella for Mobile Developers) but found nothing relevant. Let me explain what I wanted to do specifically:

We are using Couchbase Server 4.6.2 / Sync Gateway 1.4.1 / Couchbase Lite 1.4.

My Sync Gateway Configuration is below:

{
    "log": ["*"],
    "adminInterface": ":4985",
    "databases": {
        "syncDBName": {
            "server": "http://192.168.1.188:8091",
            "bucket": "bucketname",
            "password": "bucketPass",
            "users": {
                "GUEST": { "disabled": true, "admin_channels": ["public"] },
                "syncUser": { "disabled": false, "password": "syncPass", "admin_channels": ["*"] }
            },
            "sync": `function(doc) {channel(doc.channels);}`
        }
    }
}

What Exactly I’m trying to do

I’m working on a Xamarin App that’ll have, say, n number of users. So we have user objects and then the documents that they create. So say User A signs up and creates documents in the App and those are being synced to the server, and at the same time User B signs up in the App, so both create their profiles and their user documents get updated and synced. Now another User C signs up and creates his profile, so all of users A, B and C have created their profiles and Sync Gateway synchronises their user documents.
Now the first thing needed here is that documents of User A should only be accessible to User A, and similarly for B and C.
Second thing: let’s assume User C is a friend of User A. That means documents of User C should also be accessible to User A and vice versa.

As far as I was able to understand the Sync Gateway, we can achieve this using channels for each user to define access, and can restrict users using functions like “access”, “requireUser”, “requireAccess” etc. But for this I need to edit the Sync Gateway config file each time new users sign up, and also think of it like this: if we have 1 million users it’ll be like a never-ending config in the Sync Gateway file. So in Short I want to make it dynamic for Sync gateway to understand which user is requesting the Sync and who are friends of this user. ( Note: here Sync Gateway doesn’t know the user or his friends since they aren’t users of Couchbase Server or specified in Sync Gateway )

Note: for Sync gateway to understand users we are using document naming conventions in the App like ( user_{uid}, and his quiz like quiz_{uid} ) and similar way for channels channel_{uid}.

So here we can attach the channel_{uid} to each document the user creates on the App side using the “doc.channel” property. But how to make Sync Gateway understand this and allow access to valid users, that is where I’m stuck.

Question 1: Can we pass something to Sync Gateway in the URL like “http://192.168.1.188:4984/syncDBName/{uid}”?

Or is there anything I’m doing wrong here?

Question 2: Should I be using the Sync Gateway Admin API to create each user and add channels for each user document?

Any help will be really appreciated.

1 Like

  1. You should add users via the SG Admin API;
  2. You can assign the user/quiz document to a channel and route the channel to the user by channel info (some properties that you can define as channel info) within the changed document in the Sync Function.

For example, you should store user info in the quiz document, so that the quiz document can be assigned a channel using the user info, and then route the channel to this user, so the quiz document can be accessed by this user. You should also store the friendship in a document, so when this document is changed, you can change channel info for users who are friends. That depends on your requirements.

1 Like

So in Short I want to make it dynamic for Sync gateway to understand which user is requesting the Sync and who are friends of this user

That’s an extremely common need, and that’s why the sync function is allowed to grant users access to channels based on the contents of documents. So in this case someone would create a document whose properties indicate that user A grants access to user B, and the sync function would first check that this document was created/edited by user A, and then call the access function to grant B access to one or more channels associated with user A. (And yes, if that document is deleted or modified, that access goes away because it’s tied to that version of the document.)

1 Like

Hello @jens

First thanks for your reply. Now when you said:

the sync function would first check that this document was created/edited by user A, and then call the access function to grant B access to one or more channels associated with user A.

How will the sync function know that B is an associated user of A? In my view the sync function renders all documents one by one. That means while rendering documents from “channel_A”, how will it know for each document that user “B” can access all documents of “channel_A”?

Hello @atom_yang ,

Thanks for replying.

You mean I should add some channel info (user related) to the channel in the Sync Function? How will the sync function know about my app user? Or do you mean create every user in Couchbase Server only using the Admin API port?

It’s the other way around. The sync function creates the association based on the document. For example:

  1. User A decides to allow user B to view their data.
  2. A’s client creates a document that (in your schema) says A grants B access. For example it might have properties "type":"access", "owner":"A", "target":"B".
  3. On the server your sync function sees this document, verifies it’s being created by the same user granting access (“owner”), and calls access() to give the target user access to the owner’s channel.
1 Like
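
The three steps above (and the earlier reply about granting access from document contents) written out as a sync function, as an added example that is not part of the original thread or Couchbase's own code. The `type`/`owner`/`target` properties follow the post and the `channel_{uid}` naming follows the question; it assumes each app user was created through the Admin API under a name equal to the `owner` value, and the stubs for `channel`, `access`, `requireUser` plus the `simulate` helper are constructed so the function can be exercised in Node.

```javascript
// --- Stand-ins for Sync Gateway's built-ins, constructed so this runs in Node ---
let currentUser = null;   // name of the authenticated user making the write
let out = null;           // effects recorded for the revision being processed
function channel(name) { out.channels.push(name); }
function access(user, name) { out.grants.push(user + " -> " + name); }
function requireUser(name) {
  if (name !== currentUser) throw { forbidden: "wrong user" };
}

// --- Sync function body (hypothetical schema: owner, type, target) ---
function sync(doc, oldDoc) {
  // Ownership comes from the stored revision when one exists, so an update
  // or delete cannot re-assign a document to a different user.
  var owner = oldDoc ? oldDoc.owner : doc.owner;
  if (!owner) throw { forbidden: "owner required" };
  requireUser(owner);                       // writer must be the owner
  if (doc._deleted) return;                 // tombstone: grants from the old revision lapse
  if (doc.owner !== owner) throw { forbidden: "owner is immutable" };

  var own = "channel_" + owner;             // derived, never taken from doc.channels
  if (doc.type === "access") {
    if (typeof doc.target !== "string" || !doc.target)
      throw { forbidden: "target required" };
    access(doc.target, own);                // friend may read the owner's channel
  }
  access(owner, own);                       // owner may read their own channel
  channel(own);
}

// Run one write as `user` and report what the sync function recorded.
function simulate(user, doc, oldDoc) {
  currentUser = user;
  out = { channels: [], grants: [], rejected: null };
  try {
    sync(doc, oldDoc || null);
  } catch (e) {
    out = { channels: [], grants: [], rejected: e.forbidden };
  }
  return out;
}

// Constructed sample writes: A's quiz, A's grant to B, B forging a grant as A.
console.log(simulate("A", { _id: "quiz_A", type: "quiz", owner: "A" }));
console.log(simulate("A", { _id: "grant_A_B", type: "access", owner: "A", target: "B" }));
console.log(simulate("B", { _id: "grant_A_B2", type: "access", owner: "A", target: "B" }));
```

Because the channel name is computed from the verified `owner` rather than read from a client-supplied `channels` property, a user cannot place documents in, or grant access to, someone else's channel.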

Hello @jens
Thanks for the reply. I’ll check it with the Admin API and will post an update here.