I'm new to Couchbase and I couldn't find any source regarding my question.

I intend to develop a mobile application using Cordova (PhoneGap), and I thought Couchbase would be a good solution as the database. But I have a question regarding security.

If I use Couchbase Lite PhoneGap plugin, my server IP appears in my "Sync-Gateway-config.json" file. So, people can use REST API to reach all data that were served by their channels. Can't they?

For example, a user gets their own data with this code: `ViewQuery.from('users', 'by_name').key("aUserName");`. If someone reads this code and gets the server address, design and bucket name, then he/she can get all user records.

How can I prevent this case?

efkan
  • To be clear, are you asking about the security of the Sync Gateway REST endpoint that Couchbase Lite uses? Or the security of Couchbase Server to an application server using the Node.JS SDK? – Paddy Nov 04 '14 at 23:15

1 Answer

Buckets in Couchbase can be protected by a password. You can define a secure bucket by requiring an access password. Then at runtime you can inject that password (so no clear-text password is stored in your configuration).

Read about Couchbase data storage: "Buckets provide a secure mechanism for organizing, managing, and analyzing data storage resources...SASL authenticating Couchbase buckets may only be placed on port 11211 and each bucket is differentiated by its name and password...Couchbase Server allows you to configure different ports to access different buckets, and gives you the option to access isolated buckets using either the binary protocol with SASL authentication"

user1697575
  • I do not think this is the correct answer. I believe the question is targeted at sync-gateway security. – Paddy Nov 04 '14 at 23:11
  • I don't think so; to protect data in Couchbase one needs to secure the bucket that the data resides in. The bucket protection mechanism comes out of the box with Couchbase Server. – user1697575 Nov 05 '14 at 14:20
  • It is clear the questioner is using sync-gate, Couchbase Server, the Couchbase Node SDK and Couchbase Lite. SASL is one part of the security in that model. However, this quote: _"So, people can use REST API to reach all data that were served by their channels. Can't they?"_ makes me believe they are asking about the security between Sync Gateway and Couchbase Lite. – Paddy Nov 05 '14 at 23:09
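
The per-user channel isolation that the question and the comments are asking about, as an added example that is not part of the original thread or Couchbase's own code: a Sync Gateway style sync function that places each document in its owner's channel and rejects writes from anyone else. `requireUser`, `channel` and `access` are Sync Gateway's sync-function helpers; the `owner` field, the `user-<name>` channel names and the `makeGateway` harness are assumptions constructed for illustration.

```javascript
// Added example. requireUser(), channel() and access() are Sync Gateway's
// sync-function helpers; here a constructed stand-in binds them per request.
let requireUser, channel, access;
// Sync function: the `owner` field and "user-<name>" channels are assumptions.
function sync(doc, oldDoc) {
  const owner = oldDoc ? oldDoc.owner : doc.owner;
  if (!owner) throw { forbidden: "owner required" };
  if (oldDoc && !doc._deleted && doc.owner !== owner) {
    throw { forbidden: "owner cannot change" };
  }
  requireUser(owner);               // the writer must be the authenticated owner
  channel("user-" + owner);         // the document lives only in the owner's channel
  access(owner, "user-" + owner);   // only the owner is granted that channel
}

// Constructed stand-in for the gateway: runs sync() on writes, filters reads by channel.
function makeGateway() {
  const docs = new Map();    // id -> { doc, channels }
  const grants = new Map();  // user -> Set of granted channels
  return {
    put(user, id, doc) {
      const prev = docs.get(id);
      const channels = new Set();
      const pending = [];
      requireUser = (name) => { if (name !== user) throw { forbidden: "wrong user" }; };
      channel = (c) => channels.add(c);
      access = (u, c) => pending.push([u, c]);
      try {
        sync(doc, prev ? prev.doc : null);
      } catch (e) {
        if (!e || !e.forbidden) throw e;   // real bugs are not swallowed
        return { ok: false, reason: e.forbidden };
      }
      docs.set(id, { doc, channels });
      for (const [u, c] of pending) {
        if (!grants.has(u)) grants.set(u, new Set());
        grants.get(u).add(c);
      }
      return { ok: true };
    },
    // Ids of documents in at least one channel granted to `user`.
    readable(user) {
      const mine = grants.get(user) || new Set();
      return [...docs]
        .filter(([, v]) => [...v.channels].some((c) => mine.has(c)))
        .map(([id]) => id).sort();
    },
  };
}
```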