Closed SaschaAdler closed 4 years ago
We have been using Apache only because it is something I'm more conversant in, not because it is a requirement. As long as we follow the security updates for Node, having public API requests go directly against it will be great.
We'll want to be restrictive even for GET -- deny non-staff except what we have thought about and believe is appropriate to allow.
We're moving forward in this direction, and upholstery is becoming more complex. I think I might want to add Express as a layer on top of the node http library calls, just to clean things up.
https://github.com/crkn-rcdr/lapin is @SaschaAdler's answer to this question.
I'm thinking of rewriting upholstery to use http-proxy-middleware or something like it, instead of how it currently works with a new request being crafted and only accepting JSON. This proxy layer can be used in addition to or instead of upholstery's Apache ProxyPass config.
When we're ready to serve content presumably originating from Couch as a JSON API, we could do a couple of things with this
internalmeta
becomes)
I'm sure much of this is possible with Apache (although I don't know how to go about the actual token verification) but I'm more conversant in JavaScript.
Curious what @RussellMcOrmond thinks.
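
An added example, not code from upholstery or lapin: the default-deny decision a Node proxy layer could make before forwarding a request to Couch, with staff tokens passing and everyone else limited to an explicit allow-list, GET included. The token format (HMAC-signed claims), the secret and the `/public/` route are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a token is "<base64url JSON claims>.<base64url HMAC-SHA256 of the claims part>".
const SECRET = 'constructed-demo-secret'; // constructed value; load from config in practice

// Constructed allow-list: the only requests a non-staff caller may make.
const PUBLIC_ROUTES = [
  { method: 'GET', pattern: /^\/public\/[A-Za-z0-9._-]+$/ },
];

// Helper used to mint sample tokens for this example.
function sign(claims, secret = SECRET) {
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const mac = crypto.createHmac('sha256', secret).update(body).digest('base64url');
  return `${body}.${mac}`;
}

// Returns the claims object, or null for anything malformed, forged or expired.
function verify(token, now = Date.now(), secret = SECRET) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const expected = crypto.createHmac('sha256', secret).update(parts[0]).digest();
  const given = Buffer.from(parts[1], 'base64url');
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
    return claims;
  } catch {
    return null;
  }
}

// Decide before proxying. `path` is the URL pathname without the query string.
function authorize(method, path, authHeader) {
  // Reject traversal and encoded separators rather than trying to normalise them.
  if (path.includes('..') || /%2f|%5c|\\/i.test(path)) return { allow: false, reason: 'bad-path' };
  const m = /^Bearer (.+)$/.exec(authHeader || '');
  const claims = m ? verify(m[1]) : null;
  if (claims && claims.staff === true) return { allow: true, reason: 'staff' };
  const ok = PUBLIC_ROUTES.some((r) => r.method === method && r.pattern.test(path));
  return ok ? { allow: true, reason: 'public' } : { allow: false, reason: 'default-deny' };
}
```
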