Support replication for non-admin users

[motin]

The replication plugin currently assumes that the current user has admin rights, resulting in the following errors as it attempts to create the replication filter design doc:

index.es.js:212 GET http://localhost:8080/localdev/_design/app? 404 (Object Not Found)
index.es.js:212 PUT http://localhost:8080/localdev/_design/app 401 (Unauthorized)
replication.js:164 {error: "unauthorized", reason: "You are not a db or server admin.", status: 401, name: "unauthorized", message: "You are not a db or server admin.", …}

Suggestion: Add an option (options.isAdmin = false maybe?) that prevents the plugin from attempting to create the filer.

Docs should ideally inform the developer that the design doc first has to be created in the remote database (as an admin) for the replication to succeed - something that can be achieved for instance using https://github.com/apache/couchdb-nano:

    const dbName = "localdev"
    const body = await nano.db.create(dbName);
    console.log(`Database ${dbName} created!`, body);

    const db = await nano.use(dbName);
    console.log(`Using database ${dbName}`, await db.info());
    const res = await db.insert(
      {
        version: 0,
        _id: '_design/app',
        filters: {
          by_model: function (doc, req) {
            return (
              doc._id === '_design/app' || doc.rx_model === req.query.rx_model
            );
          }
        }
      }
    );
    console.log(`RxDB replication design doc created!`, res);

[rafamel]

Hi Fredrik, again thanks for reporting. Right now I'm using a reverse proxy on top of couchdb for authorization, so I hadn't thought about couchdb's own authorization system when writing this -which I should have.

Anyhow, adopting your proposal would mean the design document would have to be created by an admin beforehand, which if possible it'd be great to avoid. Can you think of any possible implementation for this without admin intervention?

[motin]

Yes, we have a privileged hook / endpoint running upon user login (see http://www.dannguyen.io/2017/02/10/auth0-cloudant-pouchdb-ionic/) which sets up the database and relevant design documents. Thus, no human admin intervention is necessary. Effectively, this means that instead of having to maintain and monitor a reverse proxy, we only need to keep an authenticated serverless function available.

[rafamel]

Hi, @motin, thanks for the answer. Yeah, I was aware of this possibility, but I was rather wondering whether there might be a way to get couchdb to apply filters without admin permissions so there's no need for that intermediate layer, and the replication plugin can be frontend plug-and-play. I'm not that well versed in couch (which to be honest is the whole reason for the reverse proxy and managing the whole auth flow myself), so any pointers are appreciated.

If there's no way to do this otherwise your solution seems fitting ;)

[rafamel]

@motin This will be implemented in a future version via selector -which is only compatible with CouchDB 2.x. I'm holding on on the release to see if PouchDB implements selectors on the server anytime soon so it can be properly tested for without setting up a separate CouchDB instance for testing.

[motin]

Cool, but I see the inactivity in the related issue ("@stale stale bot added the wontfix label 5 days ago") so it may not be implemented anytime soon.

Meanwhile or instead of waiting, maybe it is feasible to use the docker stack and cli at https://github.com/motin/cloudant-admin-cli to test it properly against a local Cloudant instance?