问题
I am creating a mobile app for Android and iOS using Cordova/PhoneGap and am using IBM's Cloudant database for storage. I am using the PouchDB javascript library to access the Cloudant database. Currently I have this code to access it...
db = new PouchDB('https://[myaccount].cloudant.com/[mydb]', {
auth: {
username: 'myusername',
password: 'mypassword'
}
});
I am aware that this is extremely insecure, and am wondering if there is a more secure way to connect to my database from within the app?
回答1:
One option you may like to consider is implementing a service (e.g. running in the cloud) for registering new users of your app. Registration logic could look something like this:
- The handset code communicates with your application service requesting registration of the user
- The service makes a call to Cloudant to create an API key which would is returned to the handset code
- The handset code saves the API key 'username' and 'password' on the device. These credentials are then use in the
auth: { username: 'myusername', password: 'mypassword' }object.
回答2:
You are right that Cloudant credentials should never be hard-coded into your client-side app.
One design pattern is to use a "one database per user" approach:
- the user authenticates with a web-app of yours that has Cloudant admin credentials
- the app creates a database for the authenticated user and creates a Cloudant API Key with
_reader&_writeraccess (https://docs.cloudant.com/api.html#authorization) - the app communicates this credentials with the client (where they could be stored in a 'local' PouchDB document, or just stored in memory if you want your users to authenticate every time)
来源:https://stackoverflow.com/questions/30416068/how-can-i-securely-connect-to-cloudant-using-pouchdb