User authentication/document best practices

Hi Jens,

Thanks for reply. So this is what I got from your comments:

  • Pull public data with guest account on the SG.
  • Authenticate using Facebook or Persona against SG and then create one document locally per user to keep profile metadata on the CouchBase Lite on device.
  • Then SG can then synch this profile document to the server automatically.
  • Whenever user logins after the token expiration using Facebook or Persona, the local profile document can be pushed/updated on the server thru SG automatically.

But, I am not sure what you meant by locking it only for that user? Are you suggesting to use pessimistic locking before updates? Can you give an example please?

I am new to Couchbase, so appreciate your feedback. Thanks again.

Thx
CK

Sorry, I didn’t mean “locking” in that sense. I meant to restrict write access to that document so only the user it’s about can create or modify it. This is pretty easy to enforce in a sync function; something like

if (doc.type == "profile")
    requireUser(doc.username);

Thanks a lot for that.

I’m a little confused on this. I have a database where no documents are shared between device users. That means I have no Guest user. So here is my flow:

User uses restful webservice to create an account
Webservice creates a user record in a database accessible by admin
Webservice creates a user on the sync gateway

User uses restful webservice to login to account
Webservice does oauth against user’s username and password in the admin access store and says its okay
Webservice authenticates user against sync gateway and returns session information
User then starts syncing data the user creates and only that data through some sort of restriction set using the sync function?

Profit

So what limits documents to only the specific user that created/has access to it?
Does each user have their own channel and this limits the user to it? Maybe it is in the requireUser() command that you specify?
Do I have to create a doc.username in every document that I create or is there metadata of that user that can then restrict users to those documents?
How during registration do I give the user access to the document that the admin creates to store the users data?

I am not expert. But instead of crating a record on the central DB first,I am planning to register the user using Facebook-Persona through synch gateway. See this: http://developer.couchbase.com/mobile/develop/guides/sync-gateway/administering-sync-gateway/authenticating-users/index.html

Then, I will create an account document for the user on the local device and push it to the server thru synch.
For each document created for the user, I will add the “owner”:"sjjsj@djdjdj.com"

And put restriction with requireUser(doc.owner) on synch gateway.

That way I will push all docs created locally on device to the server, and when accessing user docs, there will be a need to authenticate first. and then assuming local device will pull only the documents, it has access with requireUser. (I think this is the only way this can be modeled not to define a channel for each user to push things up to each user. User has to pull using the API.)

Please someone correct me If I am wrong!

requireUser in the documentation only seems to restrict update access. How do you restrict syncing data from the server to the device that is not owned by that user?

Oops, sorry!

To restrict read access to a single user, define a channel specific to that user, give the user access to it (add it to the admin_channels property in their user record), and assign the doc to that channel.

if (doc.type == "profile") {
    requireUser(doc.username);
    channel("user-" + doc.username);
}

@jens,

Can you clarify on session expiration? Lets say if an app does a sync multiple times a day, will the session expiration be extended?

Yes, I believe the session is extended every time the client authenticates. (Originally it wasn’t, but this was requested about a year ago and I’m pretty sure I remember Andy Reslan implementing it.)

So does sync gateway respond back with a new expiration timestamp?

I don’t know … @march44, do you know?

@agillette

This is the pull request for the change, with a description of the behaviour. If the session is extended then an updated cookie is returned to the client.

Andy

Thanks @andy for the info.

@jens

Hello, we are authenticating the user through a custom service and creating a user on couchbase server through syncgateway. The password for that user is hashed and stored on the couchbase and also on couchbaselite since it syncs the record.

The app should be able to work offline and hence need to read the stored user document on CBLite. The password is hashed here and is there an easier way to validate the password the user enters against the hashed password, will bcrypt work? Or is there a way CbLite can authenticate users using locally stored credentials?

@preethi.minti Please try not to resurrect old threads to ask new questions - posting a new topic will help us and other users find the answers quickly.

Couchbase Lite doesn’t have any support for that. It’s not very secure since anyone with access to the device can read all users’ data in the database, and they could locally overwrite any users’s hashed password in the document and replace it with one they know the password to. (It’s also considered insecure to expose hashed passwords outside the security domain they’re created on.)

I don’t understand why you’re asking how to check the password against the hash. Since it’s your code that creates the hash on the server side, you should know how to verify it.

If you really want to securely store multiple users’ data on one device, give each user their own database and encrypt each database with a password chosen by that user.

The reason I ask is, we need to be able to support offline authentication. When we create a user on couchbase server, it hashes the password with bcrypt and stored as passwordhash_bcrypt. It is not application code that hashes the password.

Does this user record get pushed to CBLite?

If the device is offline, how do we validate the username and password and let the user in? please let me know if this question is clear. We need to be able to store the credentials locally. And all our devices are encrypted at the OS level. But we do not still want to store clear text password. The users of the device are employees of the organization and we do not want anyone to see the password.

Hello,

I was told not to mix topics so I thought I had to post my questions in the forums that are related to the topic

Are you suggesting that I create a new topic for all my questions? I thought related questions go to the same threads.

Please let me know where I can post my questions. Thank you all for the help!!!

Couchbase Server accounts are only used for authenticating smart-client API calls. They’re not related to Sync Gateway user accounts and they’re not exposed to Couchbase Lite.

Yes, please create a new thread if you have a new question.