Thanks, I was actually of the same view; otherwise that would be a security problem.
OK, what I want to implement:
- my mobile application should have a login
- if the user has entered his credentials and his data is not in the local DB, then the user authenticates against the server (if the device is online; if not, no login). If his data is in the local database, let him start.
- if the user successfully authenticates against the server, save his login data locally to be able to log in offline.
- In any case, if the login is successful, start continuous replication for this particular user record. If the password changes, immediately log out the user.
As a workaround I would probably do:
- if the user is not in the local DB, simply start replication with user name and password to the remote _users db with a filter: only this user. If the replication is successful (replication also requires authentication), that would mean the user name and password are correct. Replication will replicate this user record into the local database instance “users”.
In parallel I will store the salt from the replicated record, the username and the password in another local database, “local_users”, which will be used for offline login.
After a successful login (offline or online) I will always start replication of the remote _users database for this particular user, and if the user record changes and the SALT is also updated and not the same as in the “local_users” table, log out the user and assume the password is wrong (set the password to null in “local_users” or remove the user altogether from local_users).
It is a bit complicated, but I can’t see another approach… Do you see any chance to simplify it?
PS: Yes, my CouchDB server instance is not “Admin Party”; authentication is required.
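
An added sketch of the offline check and the salt-change logout described in the post; it is not code from the original post or from CouchDB. It assumes the replicated user record carries `salt`, `iterations` and `derived_key` under CouchDB's `pbkdf2` password scheme (PBKDF2-HMAC-SHA1, 20-byte key, salt string used as-is), and it caches that verifier in a dict standing in for “local_users” rather than the password itself. All function names and sample values are constructed for illustration.

```python
import hashlib
import hmac


def derive(password, salt, iterations):
    # Assumed scheme: PBKDF2-HMAC-SHA1, 20-byte output, hex-encoded, salt used as a string.
    raw = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, dklen=20)
    return raw.hex()


def sample_user_doc(name, password, salt, iterations=10):
    # Constructed stand-in for the record replicated from the remote _users db.
    return {"_id": "org.couchdb.user:" + name, "name": name,
            "password_scheme": "pbkdf2", "iterations": iterations,
            "salt": salt, "derived_key": derive(password, salt, iterations)}


def cache_user(local_users, doc):
    # After a successful online login: keep only the verifier fields locally.
    local_users[doc["name"]] = {k: doc[k] for k in ("salt", "iterations", "derived_key")}


def offline_login(local_users, name, password):
    rec = local_users.get(name)
    if rec is None:
        return False  # not known locally: an online login is required
    candidate = derive(password, rec["salt"], rec["iterations"])
    # Constant-time comparison of the hex-encoded keys.
    return hmac.compare_digest(candidate, rec["derived_key"])


def on_replicated_change(local_users, doc):
    # Called for each replicated change of the user's record.
    # Returns True when the session must end because the credentials changed.
    rec = local_users.get(doc["name"])
    if rec is None:
        return False
    changed = (doc.get("salt") != rec["salt"]
               or doc.get("derived_key") != rec["derived_key"])
    if changed:
        del local_users[doc["name"]]  # forces a fresh online login
    return changed
```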