donald

Reputation: 23737

REST API MongoDB Authentication

I am thinking in using MongoDB as my main database. However, my app is fully in JavaScript and I wanted to use the REST API, client side.

I still can't understand what security mechanisms I can use in order to make a JS call to the database without revealing all the data to all the users.

Please advise on this matter.

Regards, Donald

Upvotes: 8

Views: 4969

Answers (4)

Andrea Di Cesare

Reputation: 1253

RESTHeart is a Web API for MongoDB.

It provides application level authorization and authentication.

Check the security documentation section.

Also some example applications are available on github:

Upvotes: 0

Tom Gaulton

Reputation: 393

MongoLab has MongoDB database hosting with a REST API that can be accessed client side; they even throw in some jQuery-based examples in their support documentation. That said, Remon is right that you sacrifice any security by doing so because you're making your API key public.

Upvotes: 1

Chris Fulstow

Reputation: 41882

Check out Sleepy.Mongoose, it's a REST API interface for MongoDB. I haven't tried it, but it appears to support standard MongoDB authentication.

Upvotes: 2

Remon van Vliet

Reputation: 18595

First of all, you can enable database auth which will make the REST interface require authentication if connected to from a remote machine.

That said, it's a very bad idea to expose your database like you suggest. Build a persistence abstraction layer in a server technology you're comfortable with (node.js for example) and put all security constraints and authentication there. The advantages are numerous:

  • You can keep your API stable even if the MongoDB one changes. You can even replace it with another persistence solution if the need arises in most cases.
  • You can limit the load a single client can put on your database. If you expose the database directly there's very little you can do to avoid people doing expensive queries or even potentially corrupting writes.
  • You can often do smart app-side caching and optimization that is not possible if every client directly accesses the database (this depends a bit on the app in question though).

Upvotes: 5
