user256609

Reputation: 71

User Authentication using CouchDB Android

I am developing an app which uses CouchDB. When the user opens the app, it will prompt him to enter a username and password.

Now my problem is how I will check user authentication in CouchDB; I mean, how to check whether the user is an existing user or a new user from the Couch server.

Is there any secure way for user authentication in CouchDB?

Upvotes: 3

Views: 1018

Answers (2)

nlawson

Reputation: 11620

I have to disagree with DHK's answer: the CouchDB _users database is a fine way to do user authentication. You're not managing users in code (which is indeed a bad practice); CouchDB handles all the password salting/hashing/etc. automatically for you. The only thing you need to add is SSL (HTTPS) so that the password isn't sent in the clear. This is a feature, not a bug, since that's what HTTPS was designed for.

I wrote a blog post about CouchDB which talks a lot about authentication, and if you just want to quickly get up and running, this rough draft of a PouchDB plugin shows you how to do simple signup/login/logout operations with CouchDB (look at the code; it's super easy).

The only difference between how that plugin works and how you'll do it on Android is that you can't use cookies. You'll use basic HTTP authentication (https://user:[email protected]:5984), which again is fine as long as you're using SSL. CouchDB has docs on SSL, or you can just put an Nginx proxy in front of it (my preferred solution).

Upvotes: 4
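As an added illustration (not the answer's or the PouchDB plugin's own code), here is the signup and login flow the answer describes, written for Android with HttpURLConnection: signup writes an `org.couchdb.user:<name>` document to `_users`, login checks the credentials against `/_session` with Basic auth, and both refuse to run over plain HTTP. The class name and the base URL are assumptions.

```java
import android.util.Base64;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Scanner;
import javax.net.ssl.HttpsURLConnection;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

/** Signup and login against CouchDB's _users database using HTTP Basic auth over HTTPS. */
public final class CouchAuth {
    private final String baseUrl; // assumed, e.g. "https://couch.example.com:6984" (CouchDB's default SSL port)
    public CouchAuth(String baseUrl) { this.baseUrl = baseUrl; }
    /** Basic auth header; only acceptable because open() refuses anything but HTTPS. */
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.encodeToString(raw, Base64.NO_WRAP);
    }
    /** Creates org.couchdb.user:<name>. The "password" field travels in clear inside TLS; CouchDB salts and hashes it on write. */
    public int signup(String user, String password) throws IOException, JSONException {
        String body = new JSONObject().put("_id", "org.couchdb.user:" + user).put("name", user)
                .put("password", password).put("roles", new JSONArray()).put("type", "user").toString();
        HttpURLConnection c = open("/_users/org.couchdb.user:" + URLEncoder.encode(user, "UTF-8"), "PUT");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/json");
        try (OutputStream out = c.getOutputStream()) { out.write(body.getBytes(StandardCharsets.UTF_8)); }
        return c.getResponseCode(); // 201 when created, 409 when that name already exists
    }
    /** True when CouchDB accepts the credentials: GET /_session answers 200 with userCtx.name == user (401 otherwise). */
    public boolean login(String user, String password) throws IOException, JSONException {
        HttpURLConnection c = open("/_session", "GET");
        c.setRequestProperty("Authorization", basicHeader(user, password));
        if (c.getResponseCode() != HttpURLConnection.HTTP_OK) return false;
        try (Scanner s = new Scanner(c.getInputStream(), "UTF-8")) {
            JSONObject session = new JSONObject(s.useDelimiter("\\A").next());
            return user.equals(session.getJSONObject("userCtx").optString("name"));
        }
    }
    private HttpURLConnection open(String path, String method) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(baseUrl + path).openConnection();
        // credentials must never leave the device in the clear, so anything but HTTPS is rejected
        if (!(c instanceof HttpsURLConnection)) throw new IOException("refusing to send credentials over plain HTTP");
        c.setRequestMethod(method);
        return c;
    }
}
```

Call these off the UI thread (Android throws NetworkOnMainThreadException otherwise), and the CouchDB or Nginx certificate must be one the device trusts.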

Hans

Reputation: 2910

You really should not use the CouchDB users as users in your app.

It's also bad practice to store login and database server details in code in your application.

I would set up an API to your CouchDB that shields any passwords from the user but other than that is a pretty transparent API, just passing through the views/etc. to the actual CouchDB instance.

Users would have to authenticate against this API, which may in turn use some "API user" data stored in your CouchDB to validate that they are genuine, and if not, reject the requests.

Upvotes: 0
