Reputation: 12727
I have a website set on a specific domain which is completely separated from my couchdb url through rewrites and virtual hosts, and I got to a point where I need to add some user authentication using _sessions API but I'm afraid I can't do it with rewrites:
{
"from": "auth",
"to": "../../../_session"
}
gives me:
{"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}
which is acceptable, but now I'm wondering how would I get the session authentication to work from my domain without exposing couchdb url, and also, the session seems to be related to the domain so if I login through couchdb.example.com it won't work when using mywebsite.com as the public interface?
Thanks
PS. I've just found this post where there's an alternative by disabling secure_rewrites on the httpd config file, which seems to work, although I was wondering whether that might not be a good approach and whether there is something else which is ideal for this kind of problem.
Upvotes: 5
Views: 877
Reputation: 12736
If you are using vhost, then the /_session handler is available at the vhost root without any rewrite rules (by default).
See the section [httpd] of default.ini:
vhost_global_handlers = _utils, _uuids, _session, _oauth, _users
Upvotes: 0
Reputation: 73752
I recommend setting secure_rewrites=false and not worrying about it.
We had a great discussion about CouchDB rewrites and security in the Iris Couch forum. Also see my post later about using Audit CouchDB. These are the highlights:
- secure_rewrites option is not the ultimate source of security for your data. At best, it is one layer in a multi-layer solution
- _security object in the database. So that is where you should focus your attention

Upvotes: 6
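
The last answer points at each database's _security object as the place to focus. The following is an added example, not code from any of the posts or from CouchDB, that flags databases whose _security object leaves them readable without a login. It assumes each document is the body returned by GET /<db>/_security with the usual admins/members layout; the database names and contents are constructed.

```python
# Constructed sample: database name -> body of GET /<db>/_security (not from the page).
SAMPLE = {
    "site_content": {},
    "app_data": {"admins": {"names": ["alice"], "roles": []},
                 "members": {"names": [], "roles": ["app_user"]}},
    "orders": {"admins": {"names": [], "roles": ["ops"]},
               "members": {"names": [], "roles": []}},
}

def principals(sec, section):
    """Return (names, roles) for 'admins' or 'members', tolerating missing or null keys."""
    part = sec.get(section)
    if not isinstance(part, dict):
        return [], []
    return list(part.get("names") or []), list(part.get("roles") or [])

def audit_security(sec):
    """List the findings for one _security document; an empty list means nothing flagged."""
    m_names, m_roles = principals(sec, "members")
    a_names, a_roles = principals(sec, "admins")
    findings = []
    if not (m_names or m_roles):
        # With no members defined, the database is readable without authentication.
        findings.append("public: members list is empty, so no login is needed to read")
    if not (a_names or a_roles):
        findings.append("no database admins: only server admins can edit design documents")
    return findings

def audit_all(docs):
    """Audit every database, in name order."""
    return {db: audit_security(sec) for db, sec in sorted(docs.items())}

def public_databases(docs):
    """Names of databases that anyone reaching the server can read."""
    return [db for db, found in audit_all(docs).items()
            if any(f.startswith("public") for f in found)]

if __name__ == "__main__":
    for db, findings in audit_all(SAMPLE).items():
        print(db, "->", findings or ["restricted to listed members"])
```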