4

I am creating a mobile app for Android and iOS using Cordova/PhoneGap and am using IBM's Cloudant database for storage. I am using the PouchDB javascript library to access the Cloudant database. Currently I have this code to access it...

db = new PouchDB('https://[myaccount].cloudant.com/[mydb]', {
    auth: {
      username: 'myusername',
      password: 'mypassword'
    }
});

I am aware that this is extremely insecure, and am wondering if there is a more secure way to connect to my database from within the app?

ROMANIA_engineer
  • 54,432
  • 29
  • 203
  • 199
David
  • 57
  • 6
  • What is your concern? Are you worried about sharing your Cloudant username and password with the users of your application? – Chris Snow May 23 '15 at 20:05
  • Not necessarily sharing it with them, because they obviously will need to have access to the data.. but more so just concerned with that fact that my credentials are hard coded into the program. I know it would be tough, but if someone wanted to, they could decompile my app and have access to my source code... and also my account information. – David May 23 '15 at 20:22

2 Answers2

5

One option you may like to consider is implementing a service (e.g. running in the cloud) for registering new users of your app. Registration logic could look something like this:

  1. The handset code communicates with your application service requesting registration of the user
  2. The service makes a call to Cloudant to create an API key which would is returned to the handset code
  3. The handset code saves the API key 'username' and 'password' on the device. These credentials are then use in the auth: { username: 'myusername', password: 'mypassword' } object.
Chris Snow
  • 23,813
  • 35
  • 144
  • 309
  • You two seem to be talking, generally, about the same solution. That is an excellent idea! Thank you both so much! – David May 23 '15 at 21:34
4

You are right that Cloudant credentials should never be hard-coded into your client-side app.

One design pattern is to use a "one database per user" approach:

  • the user authenticates with a web-app of yours that has Cloudant admin credentials
  • the app creates a database for the authenticated user and creates a Cloudant API Key with _reader & _writer access (https://docs.cloudant.com/api.html#authorization)
  • the app communicates this credentials with the client (where they could be stored in a 'local' PouchDB document, or just stored in memory if you want your users to authenticate every time)
Glynn Bird
  • 5,507
  • 2
  • 12
  • 21
  • Voting up your answer for the additional info about '_reader' and '_writer' permissions and database per user pattern :) – Chris Snow May 24 '15 at 07:15