Enforcing Access Control on CouchDB

Question

I have been researching CouchDB and TouchDB for sometime now and seriously contemplating their suitability for a mobile app I have in mind. I have a few questions and I would really appreciate if anyone can point me in the right direction. The scenario is I have 2 mobile clients running on TouchDB. I want Mobile Client A to be able to replicate a specific document on to Mobile Client B. Then I want Mobile Client B to be able to make changes and sync those changes back to with Mobile Client A. From an architectural standpoint I figure that I would need a centralized couchdb database that both clients can pull/push. The problem that I am having is how do I ensure that Client B is only able to replicate documents that he is authorized replicate. I understand that I can use a replication filter to limit the documents that are replicated but how do I enforce it on Mobile Client B? Also what would be the ideal architecture for the above scenario? Any assistance will be greatly appreciated. Thanks!

Answer 1

I have a similar setup with TouchDB and BigCouch in EC2 (the centralized database). It can be quite an adventure to get the pushing and pulling working right. =)

I think you are on the right track with using a replication filter with the pulls. If you limit the pulls for Client B with a replication filter, your life will most likely be easier because Client B can modify anything on his local TouchDB and it won't hurt anything.

In other words, don't replicate down documents you don't want Client B to modify.

To do that you would have to introduce a field into the document that specifies an access level - or some array maybe that has Client B's user id in it. That way he only sees what he is authorized to see.

Two notes before I forget: a) TouchDB on Android is sketchy right now. They are working to make it better, but it's behind the iOS version. b) I strongly recommend looking into writing your replication filter in Erlang. I got a 50% speed increase from doing that.