Hi All,
I've imagined a way to give the browser complete access to CouchDB, with a
node.js server proxying the requests, and would like to know the
implications in terms of security.
Here's how it works:
The browser sends the request data to a node.js server (like {method:"GET",
path:"_all_dbs"}), which in turn uses its http client to issue the request
through something I called a "request handler".
The request handler is configured with CouchDB's url, and it also adds the
credentials to the request, so the request looks like:
http://user:password@ipaddress/_all_dbs.
When the results are returned to node.js, it pushes the data back to the
browser.
My question is, how secure is this approach? From the browser I could
potentially do anything (POST, DELETE...), the only security being the
credentials added by the request handler on the node.js server. Is that
enough or should I add more treatments (like filtering) before doing the
request?
I've written a blog post that pictures the whole solution:
http://podefr.tumblr.com/post/22553968711/an-innovative-way-to-replace-ajax-and-jsonp-using
The security concern was brought up by Richard on socket.io's Google Group:
https://groups.google.com/forum/?fromgroups#!topic/socket_io/2_Yovcrc1e0
Thanks!
Olivier
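
Added example, not part of the original post or the project's code: one shape the "filtering" asked about could take, an allowlist applied to the browser's {method, path} message before the request handler forwards it. The CouchDB origin, the "app" database name, the rules and the function name filterRequest are assumptions made for illustration.

```javascript
// Added example: allowlist filter between the browser message and CouchDB.
// COUCH_ORIGIN, the "app" database and RULES are assumptions (constructed).
const COUCH_ORIGIN = "http://127.0.0.1:5984";

// Only these method/path combinations are ever forwarded.
const RULES = [
  { methods: ["GET"], pattern: /^\/app\/_all_docs$/ },
  { methods: ["GET"], pattern: /^\/app\/_design\/[\w-]+\/_view\/[\w-]+$/ },
  // Ordinary documents: ids may not start with "_", which keeps
  // _security, _bulk_docs and other special endpoints out of reach.
  { methods: ["GET", "PUT"], pattern: /^\/app\/[A-Za-z0-9][\w-]*$/ },
];

function filterRequest(msg) {
  if (!msg || typeof msg.method !== "string" || typeof msg.path !== "string") {
    return { allowed: false, reason: "malformed message" };
  }
  const method = msg.method.toUpperCase();

  // Resolve the path the same way an HTTP client would, so "..",
  // encoded dots and backslashes are normalized before matching.
  let url;
  try {
    url = new URL("/" + msg.path.replace(/^[\\/]+/, ""), COUCH_ORIGIN);
  } catch (err) {
    return { allowed: false, reason: "unparseable path" };
  }
  // The browser must never be able to change the upstream host.
  if (url.origin !== COUCH_ORIGIN || url.username || url.password) {
    return { allowed: false, reason: "origin changed" };
  }

  const rule = RULES.find((r) => r.pattern.test(url.pathname));
  if (!rule) return { allowed: false, reason: "path not allowlisted" };
  if (!rule.methods.includes(method)) {
    return { allowed: false, reason: "method not allowed for path" };
  }
  // Forward the normalized URL, not the raw string from the browser.
  // The request handler adds the credentials after this point.
  return { allowed: true, method, url: url.origin + url.pathname + url.search };
}
```

With these rules the {method:"GET", path:"_all_dbs"} message from the post is refused, because server-level endpoints are not on the list.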