5

I have a website on its own domain, completely separated from my CouchDB URL through rewrites and virtual hosts. I have reached the point where I need to add user authentication using the _sessions API, but I'm afraid I can't do it with rewrites:

{
  "from": "auth",
  "to": "../../../_session"
}

gives me:

{"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}

which is acceptable, but now I'm wondering how I would get session authentication to work from my domain without exposing the CouchDB URL. Also, the session seems to be tied to the domain, so if I log in through couchdb.example.com it won't work when using mywebsite.com as the public interface?

Thanks

PS. I've just found this post, which offers an alternative: disabling secure_rewrites in the httpd config file. That seems to work, although I was wondering whether it might not be a good approach, and whether there is something else that is ideal for this kind of problem.

zanona

2 Answers

6

I recommend setting secure_rewrites=false and not worrying about it.

We had a great discussion about CouchDB rewrites and security in the Iris Couch forum. Also see my post later about using Audit CouchDB. These are the highlights:

  • The secure_rewrites option is not the ultimate source of security for your data. At best, it is one layer in a multi-layer solution.
  • The ultimate source of security is the _security object in the database, so that is where you should focus your attention.
  • The Audit CouchDB tool scans every detail about your couch and will tell you if any red flags are present. It is implemented in JavaScript, so if you have NodeJS you can run it; or simply reading the source code gives you an idea of what it is looking for.
JasonSmith
  • Wow, thanks a lot Jason, it feels really good to have such feedback. You're appreciated. I will definitely use it then. Also, congratulations on audit_couchdb; I've just installed it here and it is really useful. It will become part of my development process now. :) Cheers – zanona Oct 05 '11 at 10:06
  • 1
    To set this through curl: curl -XPUT "$couch/_config/httpd/secure_rewrites" -d '"false"' – Motin Nov 20 '12 at 08:47
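As an added example (not code from the answer above or from the Audit CouchDB project), this sketch classifies the `_security` object the answer says to focus on. It assumes CouchDB's layout of `admins` and `members` sections, each with `names` and `roles`, and that a database with no members is readable by any client that can reach it; the function names and sample documents are constructed.

```javascript
// Normalise one section ("admins" or "members") of a _security object.
function principals(section) {
  const s = section || {};
  return {
    names: Array.isArray(s.names) ? s.names : [],
    roles: Array.isArray(s.roles) ? s.roles : [],
  };
}

// Classify one parsed _security document (hypothetical helper).
function auditSecurity(dbName, security) {
  const sec = security || {};
  // Assumption: CouchDB releases before 1.2 name the members section "readers".
  const members = principals(sec.members || sec.readers);
  const admins = principals(sec.admins);
  const findings = [];

  // With no member names or roles, CouchDB treats the database as public.
  const publicRead = members.names.length === 0 && members.roles.length === 0;
  if (publicRead) {
    findings.push(`${dbName}: no members defined, readable without login`);
  }
  if (sec.readers && !sec.members) {
    findings.push(`${dbName}: uses the legacy "readers" key`);
  }
  if (admins.names.length === 0 && admins.roles.length === 0) {
    findings.push(`${dbName}: no database admins, only server admins manage it`);
  }
  return { publicRead, findings };
}

// Constructed sample: database name -> body of GET /<db>/_security.
const SAMPLE = {
  blog: {},
  private: {
    admins: { names: ["ops"], roles: [] },
    members: { names: [], roles: ["editors"] },
  },
  legacy: { readers: { names: ["alice"], roles: [] } },
};

// Audit every database in a name -> _security map.
function auditAll(dbs) {
  return Object.fromEntries(
    Object.keys(dbs).map((name) => [name, auditSecurity(name, dbs[name])])
  );
}

console.log(JSON.stringify(auditAll(SAMPLE), null, 2));
```

With secure_rewrites disabled, a database flagged `publicRead` here is the case where a rewrite rule reaching it would expose data, since nothing in `_security` restricts who can read it.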
0

If you are using a vhost, then the /_session handler is available at the vhost root without any rewrite rules (by default).

See the section [httpd] of default.ini:

vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
Anthony