Users log into Couch with basic auth (or via other channels) which aren't necessarily available to in-browser JavaScript. In Sofa's validation function I worked around the problem with an ugly hack.
http://github.com/jchris/sofa/blob/cf322d647b507c36dc4f6936b5f8767ac59c9f68/validate_doc_update.js#L20

The clean way to do this would be with an API endpoint like GET /_user_info to let client apps know which user they are logged in as. I think this is OK to do, from a security standpoint, but I'm not sure if there's an idiomatic way to do it.

There is some old discussion about similar problems here: http://groups.google.com/group/oauth-extensions

I also put out a call on Twitter: http://twitter.com/jchris/status/1217372588

"anyone know of a standardy way of letting JSONP clients know which user they are logged in as?"

Maybe someone here has been down this road before. I know I've seen prior art on JSON user info formats but I can't seem to find it with Google.

--
Chris Anderson
http://jchris.mfdz.com
