> On Mar 13, 2015, at 12:56 PM, Souhail Marghabi <[email protected]> wrote:
>
> Actually there is no real login in my app (username, password). App users do not
> enter login credentials; they are recognized by the unique identifiers of
> their document.
I see. Have you thought about the security aspects of this design? What would prevent one person from impersonating another? (Maybe they couldn't do this from within the app, but what about sending commands directly to the REST API?)

Generally the two ways to securely implement something like you describe are:

(a) The client registers an account with the server on first login, without visible user interaction, where the userID and password are just randomly generated and stored persistently in the app; or,

(b) The client generates an asymmetric key-pair (i.e. RSA or elliptic) on first launch and uses it to sign documents it creates. The server verifies documents by validating the signature, and your identity is your public key.

(We're not quite set up to do (b) yet because the Sync Gateway doesn't have the ability to validate signatures. But it's something I've been experimenting with. I have a prototype app that uses this approach, and a spec for signing JSON documents.)

—Jens

--
You received this message because you are subscribed to the Google Groups "Couchbase Mobile" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/mobile-couchbase/C84814CF-41EF-4C0F-917B-D2CC1373D654%40couchbase.com.
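The following is an added illustration of design (b) from the reply above; it is not code from this thread, from Jens's prototype, or from Sync Gateway. It assumes Ed25519 keys (the message only says "RSA or elliptic"), assumes the document carries its owner identity, public key and signature in fields named `_owner`, `_pubkey` and `_sig`, and derives the identity from the public key as a SHA-256 fingerprint. All of those names and choices are assumptions made for the example. Signing is done over a canonical JSON encoding of the document minus the signature field, which is what lets the server check both that the document was not altered and that whoever wrote it actually holds the key behind the claimed identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Field names are assumptions for this example, not a Sync Gateway convention.
const (
	ownerField = "_owner"  // identity derived from the signer's public key
	pubField   = "_pubkey" // base64 Ed25519 public key
	sigField   = "_sig"    // base64 Ed25519 signature over the canonical body
)

// IdentityOf turns a public key into the user's identity: hex SHA-256 fingerprint.
func IdentityOf(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// canonical returns deterministic bytes for the document without the signature.
// encoding/json writes map keys in sorted order, so both sides get the same bytes.
func canonical(doc map[string]interface{}) ([]byte, error) {
	body := make(map[string]interface{}, len(doc))
	for k, v := range doc {
		if k != sigField {
			body[k] = v
		}
	}
	return json.Marshal(body)
}

// SignDocument is the client side: stamp owner and key, then sign the body.
func SignDocument(doc map[string]interface{}, priv ed25519.PrivateKey) error {
	pub := priv.Public().(ed25519.PublicKey)
	doc[ownerField] = IdentityOf(pub)
	doc[pubField] = base64.StdEncoding.EncodeToString(pub)
	body, err := canonical(doc)
	if err != nil {
		return err
	}
	doc[sigField] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
	return nil
}

// VerifyDocument is the server side: the embedded key must match the claimed
// owner, and the signature must verify over the canonical body. A client that
// claims someone else's identity fails the first check; a client that alters a
// signed document (or re-signs it with its own key) fails the second.
func VerifyDocument(doc map[string]interface{}) error {
	pubB64, _ := doc[pubField].(string)
	sigB64, _ := doc[sigField].(string)
	owner, _ := doc[ownerField].(string)
	pub, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("missing or malformed public key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("missing or malformed signature")
	}
	if IdentityOf(pub) != owner {
		return errors.New("owner does not match embedded public key")
	}
	body, err := canonical(doc)
	if err != nil {
		return err
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), body, sig) {
		return errors.New("bad signature: document altered or not signed by owner")
	}
	return nil
}

func main() {
	// nil reader means crypto/rand.Reader; the key would be generated once on
	// first launch and kept in the app's persistent secure storage.
	pub, priv, _ := ed25519.GenerateKey(nil)
	doc := map[string]interface{}{"type": "note", "text": "hello"} // constructed sample
	if err := SignDocument(doc, priv); err != nil {
		panic(err)
	}
	fmt.Println("owner:", IdentityOf(pub), "verify:", VerifyDocument(doc))
	doc["text"] = "tampered"
	fmt.Println("after tampering:", VerifyDocument(doc))
}
```

The server keeps no password at all in this model; the first document it sees from a key establishes that identity, and later writes claiming the same `_owner` must be signed with the same key. Note that canonical JSON here relies on Go's sorted map keys and default number formatting; a cross-platform deployment needs a written canonicalization rule that every client library follows, which is presumably the point of the signing spec the reply mentions.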
