>>> You could enable the proxy authentication handler;

>> 1. The roles don't appear to be included in the Token so how are they
>> validated? It sounds like the client could send whatever it liked? Only
>> the username is included in the token calculation.

> Why would you need to validate roles? Your app passes roles to couch; if
> they exist in db acls or validate functions, perfect, if not, who cares?

I was going to use roles in a validate function to check who was allowed to write to the database. This would mean I could tie it into the roles which exist on the existing system. However, it seems I can't do that since they aren't validated.

For example, a user could get told about the following headers from the authentication server, e.g.:

    Username: bob
    Roles: user
    Token: <some opaque string>

It could then talk to the couchdb server using:

    Username: bob
    Roles: _admin
    Token: <same opaque string>

The couch server would validate the Username against the Token and believe everything is fine, but the user has gained admin rights they shouldn't have.

I think for my purposes I can distil all real users down to the same couch username and use that in validation functions and ignore roles entirely, but it seems a bit of a shame.

Thanks for the suggestions. At least I think I can press on now with what I was trying to achieve.

Sophos Limited, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom. Company Reg No 2096520. VAT Reg No GB 991 2418 08.
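The header check described above, as an added example that is not part of the thread or of CouchDB's code: it computes the proxy token the way CouchDB's proxy handler checks it (hex HMAC-SHA1 over the username, keyed with the shared secret) and shows that the roles header is not covered, then contrasts a hypothetical variant that also binds the roles so a swapped roles header fails verification. The secret and header values are constructed; `bind_roles=True` is an illustration of the mitigation, not a CouchDB option.

```python
import hashlib
import hmac
from typing import Dict

# Shared secret between the authenticating front-end and CouchDB.
# Constructed value for this example; in a deployment it is the
# [couch_httpd_auth] secret setting.
SECRET = b"example-shared-secret"

USER_HDR = "X-Auth-CouchDB-UserName"
ROLES_HDR = "X-Auth-CouchDB-Roles"
TOKEN_HDR = "X-Auth-CouchDB-Token"


def proxy_token(username: str, roles: str = "", bind_roles: bool = False) -> str:
    """bind_roles=False: the token CouchDB's proxy handler checks,
    HMAC-SHA1 over the username alone (roles are not covered).
    bind_roles=True: hypothetical variant that also covers the roles
    header, so username and roles cannot be mixed and matched."""
    if bind_roles:
        msg = username.encode() + b"\x00" + roles.encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.new(SECRET, username.encode(), hashlib.sha1).hexdigest()


def issue_headers(username: str, roles: str, bind_roles: bool = False) -> Dict[str, str]:
    """Headers the trusted front-end issues for an authenticated user."""
    return {
        USER_HDR: username,
        ROLES_HDR: roles,
        TOKEN_HDR: proxy_token(username, roles, bind_roles),
    }


def verify(headers: Dict[str, str], bind_roles: bool = False) -> bool:
    """Server-side check. With bind_roles=False this mirrors CouchDB:
    only the username/token pair is verified; the roles header is trusted."""
    expected = proxy_token(headers[USER_HDR], headers.get(ROLES_HDR, ""), bind_roles)
    return hmac.compare_digest(expected, headers[TOKEN_HDR])


def roles_tamper_detected(username: str, roles: str, claimed: str, bind_roles: bool) -> bool:
    """Issue headers for (username, roles), swap in `claimed` roles, and
    report whether verification rejects the altered request."""
    altered = dict(issue_headers(username, roles, bind_roles))
    altered[ROLES_HDR] = claimed
    return not verify(altered, bind_roles)
```

With the CouchDB-style check, `roles_tamper_detected("bob", "user", "_admin", bind_roles=False)` is False, which is exactly the gap the message describes; only the bound variant rejects the altered header.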
