pouchdb-community / pouchdb-authentication

User authentication plugin for PouchDB and CouchDB.
Apache License 2.0
775 stars 118 forks source link

Secure creating database endpoint #246

Open harris opened 6 years ago

harris commented 6 years ago

Apology in advance if this is not the correct venue to ask this question.

I am creating a per user database and everything works perfectly but I am a little concerned about anyone can create a database on a remote server (attackers could potentially do "database squatting") . My ideal scenario is whenever a user creation (signup() is called), either I can check with a specific endpoint or signup could only be called from a specific domain. After that, everything should just work as it.

Thank you for this nifty plugin! It saved me a lot of work.

rokgfx commented 6 years ago

If I understand correctly, I faced a related issue. See my thread here if this helps: https://github.com/pouchdb-community/pouchdb-authentication/issues/248

harris commented 6 years ago

@rokgfx that's not the same issue. I create db when there is no basic auth. I turned on the couch_peruser option to true. Every user "sign up" for a db will get one and I am worried that we will have some db names collision.

tabeth commented 5 years ago

@harris

Isn't the situation you pose a non-issue? Presumably the database name is some transformation (if not just the same) of the username? In other words, the database name "squatting" would be the same as username or email "squatting".

What you could do is just (on your server level) setup a white list so all connections from anything other than your application domain(s) are blocked. Of course this quickly turns into the same problem most companies have with detecting blocks.