
This is related to "Is there ReadOnly REST API key to a MongoLab database, or is it always ReadWrite" and "How does Mongolab REST API authenticate".

I want to make it possible for unauthenticated users of my web app to create resources and share them. The created resource is an array of links ['link1', 'link2', 'link3'].

I'm looking at using MongoLab directly from the client for this, which is possible through their REST API.

The problem though is that, as far as I can see, if I do that, it would be impossible to prevent vandals from clearing out the entire collection rather easily.

Is this correct, and if so, is there a simple solution (without running a custom backend) to do something like this?

iwein

1 Answer

First off, you could create a "history", so if something goes wrong you can call on an easy command to restore records. Secondly, you might screen connected clients for abusive behavior; e.g. measure the number of delete or update commands in a certain time window. If this gets triggered, you can call on your restoration process.

Note: I have no experience with MongoLab whatsoever, but this - to me - would be a suitable safeguard in creating a public API.

Luceos
  • You're right about the need to protect a public API; your ideas are not bad either. However, I would like to use MongoLab directly from the client. It seems that if you do that you cannot safeguard against someone emptying _all_ your collections with curl... – iwein Apr 25 '13 at 05:09
  • My guess is it's a drawback of using someone else's system. Perhaps you can lob the question over to mongolab's support: http://stackoverflow.com/questions/12276146/how-does-mongolab-rest-api-authenticate?rq=1 ? – Luceos Apr 25 '13 at 07:36
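The two safeguards the answer sketches (an undo history and a per-client threshold on destructive operations) as an added example, not code from either poster or from MongoLab. It assumes a component that sees every write operation before it reaches the collection, which is exactly what a key shipped to the browser cannot provide; the operation log format and client identifiers are constructed for the example.

```python
from collections import defaultdict, deque
from copy import deepcopy

# Constructed sample of write operations against a shared-links collection:
# (seconds, client_id, op, doc_id, document). The format is hypothetical.
SAMPLE_OPS = [
    (0, "alice", "insert", "r1", {"links": ["link1", "link2"]}),
    (5, "bob", "insert", "r2", {"links": ["link3"]}),
    (10, "mallory", "delete", "r1", None),
    (11, "mallory", "delete", "r2", None),
    (12, "mallory", "delete", "r3", None),
]

class GuardedCollection:
    """In-memory stand-in for the collection, with an undo history and a
    per-client sliding window that trips on too many destructive ops."""

    def __init__(self, max_destructive=2, window=60):
        self.docs = {}
        self.history = []                  # (client, op, doc_id, previous_state)
        self.recent = defaultdict(deque)   # client -> timestamps of delete/update
        self.max_destructive, self.window = max_destructive, window

    def abusive(self, ts, client):
        q = self.recent[client]
        while q and ts - q[0] > self.window:   # forget events outside the window
            q.popleft()
        q.append(ts)
        return len(q) > self.max_destructive

    def apply(self, ts, client, op, doc_id, doc=None):
        if op in ("delete", "update") and self.abusive(ts, client):
            return "blocked"
        # Record the prior state first so any change can be rolled back.
        self.history.append((client, op, doc_id, deepcopy(self.docs.get(doc_id))))
        if op == "delete":
            self.docs.pop(doc_id, None)
        else:
            self.docs[doc_id] = deepcopy(doc)
        return "applied"

    def undo_client(self, client):
        """Roll back every change made by `client`, newest first."""
        undone = 0
        for _, op, doc_id, previous in reversed(self.history):
            if _ != client:
                continue
            if previous is None:
                self.docs.pop(doc_id, None)   # undoing an insert
            else:
                self.docs[doc_id] = previous  # undoing a delete or update
            undone += 1
        self.history = [e for e in self.history if e[0] != client]
        return undone

def replay(ops=SAMPLE_OPS):
    coll = GuardedCollection()
    return coll, [coll.apply(*op) for op in ops]
```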