Greetings,

Thanks for your answer.

Actually option (a) would be the best, but I do not really know how to dynamically create and register user sync accounts with the server. I have seen how to create user accounts "manually" with a "curl" POST request to create users on the "admin" port. Would love to have more visibility on how to automate the registration/login process (from iOS app? App server?) to use for an increasing number of user devices.

Thanks

2015-03-16 16:07 GMT+00:00 Jens Alfke <[email protected]>:

> On Mar 13, 2015, at 12:56 PM, Souhail Marghabi <[email protected]> wrote:
>
> > Actually there is no real login in my app (username, password); app users do not enter login credentials, they are recognized by the unique identifiers of their document
>
> I see. Have you thought about the security aspects of this design? What would prevent one person from impersonating another? (Maybe they couldn’t do this from within the app, but what about sending commands directly to the REST API?)
>
> Generally the two ways to securely implement something like you describe are
>
> (a) The client registers an account with the server on first login, without visible user interaction, where the userID and password are just randomly generated and stored persistently in the app;
>
> or,
>
> (b) The client generates an asymmetric key-pair (i.e. RSA or elliptic) on first launch and uses it to sign documents it creates. The server verifies documents by validating the signature, and your identity is your public key.
>
> (We’re not quite set up to do (b) yet because the Sync Gateway doesn’t have the ability to validate signatures. But it’s something I’ve been experimenting with. I have a prototype app that uses this approach, and a spec for signing JSON documents.)
>
> —Jens
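Option (a) from Jens's reply, sketched as an added example (not code from this thread or from Couchbase): an app-server routine that generates random credentials and builds the admin-port user-creation POST mentioned in the question. The admin address, the database name `appdb`, the `dev_`/`user_` naming and the per-user channel are assumptions; the request is issued by the app server so that the admin port is never reachable from devices.

```python
import json
import secrets
import urllib.request

# Assumptions (not from the thread): admin API address and database name.
ADMIN_URL = "http://127.0.0.1:4985"
DB_NAME = "appdb"


def generate_device_credentials():
    """Random userID and password for option (a); no user input involved."""
    user_id = "dev_" + secrets.token_hex(16)   # 128 random bits from the OS CSPRNG
    password = secrets.token_urlsafe(32)       # 256 random bits, URL-safe text
    return user_id, password


def build_registration_request(user_id, password, admin_url=ADMIN_URL, db=DB_NAME):
    """Build the admin-port POST that creates the sync user (nothing is sent here)."""
    body = {
        "name": user_id,
        "password": password,
        # Grants access to one per-user channel (hypothetical naming); the sync
        # function, not shown, must route this user's documents to it.
        "admin_channels": ["user_" + user_id],
    }
    return urllib.request.Request(
        url=f"{admin_url}/{db}/_user/",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def register_device(send=urllib.request.urlopen):
    """App-server handler: create the account, return the credentials once."""
    user_id, password = generate_device_credentials()
    request = build_registration_request(user_id, password)
    with send(request) as response:
        if response.status not in (200, 201):
            raise RuntimeError(f"user creation failed: HTTP {response.status}")
    # The app stores these persistently (on iOS, in the Keychain) and uses
    # them for every later sync against the public port.
    return {"user_id": user_id, "password": password}
```

The app server should not log or retain the password after returning it, and the endpoint that calls `register_device` needs its own rate limiting, since anyone who can reach it can create accounts.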
