如何安全地执行授权直接从Web浏览器cloudant [英] how to securely perform authorization to cloudant directly from web browsers
问题描述
我要建一个办公室的扩展应用(更多或更少的HTML5应用程序)。应用程序的最有价值的部分是由应用程序提供的内容,所以内容信息必须牢固地保持在数据库中。任何人试图访问的内容必须通过展示他们的用户名和密码证明自己的身份。
我有一个Cloudant数据库中名为存储所有用户的登录信息,如用户名和密码,并命名为_contents另一个Cloudant数据库存储所有内容的信息。_users
在试图用他们的Web浏览器来访问_content数据库中的用户,应用程序会要求用户登录。匹配成功后,该用户的用_users数据库数据的凭据,该用户就可以访问_content数据库。
我理想的情况是,登录和授权过程只能使用Web浏览器和Cloudant数据库来完成。我不希望有任何中间的人之间(运行例如一个的NodeJS web服务器)。我怎样才能做到这一点。
OK,这里有一些问题,我解决不了。
- 当试图建立与数据库Cloudant连接的用户,必须提供一个API密钥。好吧,我可以生成它被允许阅读_users数据库中的API密钥,并给这个API关键,user.a用户可以用此键连接_users,但这并不意味着这个API密钥,任何用户可以阅读_users数据库中的所有数据?这将是一场灾难。
- 如果上述问题是可以解决的,如何执行授权?我不停地产生每一个用户的API,后来删除它们?在什么时刻,我应该做的删除操作?
通常情况下,Cloudant不支持自定义用户名和密码,在 _users 数据库功能。相反,Cloudant允许您创建API密钥,这是随机的字符串。
我想,以你的要求,上述系统将无法正常工作。不过也有好消息! Cloudant也支持开源Apache CouchDB的 _users 数据库了。我认为这会为你工作;但是,您将需要一些工作来进行设置。此解决方案需要您的Web服务器做一些Cloudant preparation;然而,当用户使用的应用程序,它们可以直接验证到Cloudant,并且它们可以直接读取和更新文件,具有不需要中间服务器
启用实名认证
查看 Cloudant开发者FAQ 的最后一个问题,我可以使用CouchDB的安全功能......
基本上,每个DB 的,要投入到 / the_db / _security
{couchdb_auth_only:真实,
成员:{
名字:USER_NAME_1,USER_NAME_2,等],
角色:[]
}
}
设置用户帐户
这根据的Apache CouchDB的文档工作。基本上,你需要创建 _users 与用户名的文件和哈希密码。 注意,Cloudant还没有更新的CouchDB的功能所在的服务器将自动为您哈希密码:的 Cloudant身份验证:缺少_users数据库
因此,作为回答说,请参阅<一个href=\"http://wiki.apache.org/couchdb/Security_Features_Overview#Generating_password_sha_.28only_applicable_for_1.1.x_and_earlier.29\"相对=nofollow> CouchDB的安全维基页面约散列密码。你需要找到一个JavaScript SHA1实现,如 CryptoJS
CORS
您可能需要启用CORS,这也是Cloudant文档中描述的那样, CORS章
通过上述所有东西的地方,你可以创建用户(或更新 / _用户/ * 文件更改他们的密码,这些用户可以通过基本的登录或者cookie认证,访问他们的数据库。
I am planning to build an office extension application ( more or less a HTML5 application). The most valuable part of the application is the content provided by the application, so content information must be securely kept in a database. anyone trying to access the content must prove their identities by showing their usernames and passwords.
I have a Cloudant database named "_users" which stores all the users login information such as usernames and passwords, and another Cloudant database named "_contents" which stores all the content information.
When the users trying to access the "_content" database with their web browsers, the application will ask users to login. After successful matching this user's credentials with data in "_users" database, this user then have access to "_content" database.
the Ideal case for me is, the login and authorization process can be done using only web browser and Cloudant databases. I don't want to have any "middle person"(a web server running nodejs for instance) in between. How can I do this.
OK,here are some problems I can not solve.
- When a user trying to establish connection with Cloudant databases, an API key must be provided. Ok, I can generate a API key which is permitted to read "_users" database, and give this API key to a user.a user may connect to "_users" with this key, but does this mean with this API key, any user can read all the data in "_users" database? This would be a disaster.
- if the above problem can be solved, how to perform authorization? Should I kept generating APIs for every users and delete them later? At what moment should I do the delete action?
Normally, Cloudant does not support custom usernames and passwords, the _users database features. Instead, Cloudant allows you to create API keys, which are random strings.
I think, given your requirements, the above system will not work. But there is good news! Cloudant also supports the open source Apache CouchDB _users database too. I think this will work for you; however, you will need a bit of work to set it up. This solution requires your web server to do some Cloudant preparation; however when the users use the application, they can authenticate directly to Cloudant, and they can read and update documents directly, with no middle server needed.
Enable name authentication
See the last question of the Cloudant developer FAQ, "Can I use CouchDB security features..."
Basically, for each DB, you want to PUT to /the_db/_security
{ "couchdb_auth_only": true,
"members": {
"names": ["user_name_1", "user_name_2", "etc."],
"roles": []
}
}
Set up user accounts
This works according to the Apache CouchDB documentation. Basically, you need to create a document in _users with the username and hashed password. Note, Cloudant does not yet have the newer CouchDB feature where the server will automatically hash the password for you: Cloudant auth: lacks _users database
So as the answer says, see the CouchDB Wiki security page about hashing passwords. You will need to find a JavaScript SHA1 implementation, such as CryptoJS
CORS
You will likely need to enable CORS, which is also described in the Cloudant documentation, the CORS chapter
With all of the above things in place, you can create users (or change their passwords by updating /_users/* documents; and those users can log in with basic or cookie authentication, to access their databases.
这篇关于如何安全地执行授权直接从Web浏览器cloudant的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
