UNPKG

pouchdb-auth

Version:

A PouchDB plug-in that simulates CouchDB's authentication daemon. Includes a users db that functions like CouchDB's.

github.com/pouchdb/pouchdb-server

pouchdb/pouchdb-server

290 lines (221 loc) 8.92 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
pouchdb-auth ============= A PouchDB plug-in that simulates CouchDB's authentication daemon. Includes a users db that functions like CouchDB's. Also works in the browser. API --- **NodeJS package name:** `pouchdb-auth` **Browser object name:** `window.Auth` ``` # npm install --save pouchdb-auth var PouchDB = require('pouchdb') var Auth = require('pouchdb-auth') PouchDB.plugin(Auth) var db = new PouchDB('_users') ``` `pouchdb-auth` adds 3 methods to the PouchDB API 1. `db.hashAdminPasswords(admins)` 2. `db.generateSecret()` 3. `db.useAsAuthenticationDB()` 4. `db.stopUsingAsAuthenticationDB` ### db.hashAdminPasswords(admins[, options[, callback]]) `admins` is an object in the form of `'username': 'password'`. Returns a promise, unless `callback` is passed. Resolves with object with all values being hashed. ```js db.hashAdminPasswords({ 'admin': 'secret' } .then(function (hashed) { // hashed.admin now looks like '-pbkdf2-243ba92f8f575c70d3d607b408…21731411301c11cb1d81481f51d1108,10' }) ``` - `options.iterations`: The number of pbkdf2 iterations to use when hashing the passwords. Defaults to CouchDB's 10. See below ("How it works") for more background information ### db.generateSecret() Generates a secret that you can use for useAsAuthenticationDB(). This is a synchronous method. ### db.useAsAuthenticationDB([options[, callback]]) This function transforms the database on which it is called into an authentication database. It does that by installing strict validation rules, making sure passwords are hashed in user documents before they're written into the db, and by adding the following methods to the db (documented below): - `db.signUp(username, password[, options[, callback]])` - `db.logIn(username, password[, options[, callback]])` - `db.logOut([options[, callback]])` - `db.session([options[, callback]])` - `db.multiUserLogIn([callback])` - `db.multiUserSession([sessionID[, callback]])` - `options.isOnlineAuthDB`: If `true`, password hashing, keeping track of the session and doc validation is all handled by the CouchDB on the other end. Defaults to `true` if called on an http database, otherwise `false`. An online db currently doesn't provide the `db.multiUser*` methods. - `options.timeout`: By default, a session is valid for 600 seconds. If you want to renew the session, call ``db.session()`` within this time window, or set the expiration time higher (or to 0, which sets it to infinite), by changing this value. - `options.secret`: To calculate the session keys, a secret is necessary. You can pass in your own using this parameter. Otherwise, a random one is generated for the authentication db. - `options.admins` (optional): Allows to pass in an admins object that looks like the one defined in CouchDB's `_config`. - `options.iterations`: The number of pbkdf2 iterations to use when hashing the passwords. Defaults to CouchDB's 10. Returns a promise, unless `callback` is passed. Resolves with nothing. ```js db.useAsAuthenticationDB() .then(function () { // db is now ready to be used as users database, with all behavior // of CouchDB's `_users` database applied }) ``` ### db.stopUsingAsAuthenticationDB() Removes custom behavior and methods applied by `db.useAsAuthenticationDB()`. Returns nothing. This is a synchronous method. ```js db.stopUsingAsAuthenticationDB(); ``` ### db.signUp(username, password[, options[, callback]]) A small helper function: pretty much equivalent to saving a CouchDB user document with the passed in values in the database using PouchDB. `username` and `password` are both strings and required. `options.roles` (optional) is an array of strings with roles names, used for authorizing access to databases, see "How it works" below. Returns a promise, unless `callback` is passed. Resolves with [put](http://pouchdb.com/api.html#create_document) response. ```js db.signUp('john', 'secret') .then(function (response) { // { // ok: true, // id: 'org.couchdb.user:john', // rev: '1-A6157A5EA545C99B00FF904EEF05FD9F' // } }) ``` ### db.logIn(username, password[, callback]) Tries to get the user specified by `username` from the database, if its `password` (after hashing) matches, the user is considered to be logged in. This fact is then stored in memory, allowing the other methods (`db.logOut` & `db.session`) to use it later on. Returns a promise, unless `callback` is passed. Resolves with `name` and `roles`. If username and/or password is incorrect, rejects with `unauthorized` error. ```js db.logIn('john', 'secret') .then(function (response) { // { // ok: true, // name: 'john', // roles: ['roles', 'here'] // } }); db.logIn('john', 'wrongsecret') .catch(function (error) { // error.name === `unauthorized` // error.status === 401 // error.message === 'Name or password is incorrect.' }); ``` ### db.logOut(callback) Removes the current session. Returns a promise that resolves to `{ok: true}`, to match a CouchDB logout. This method never fails, it works even if there is no session. ```js db.logOut() .then(function (resp) { // { ok: true } }); ``` ### db.session([callback]) Reads the current session from the db. Returns a promise, unless `callback` is passed. Note that `db.session()` does not return an error if the current user has no valid session, just like CouchDB returns a `200` status to a `GET /_session` request. To determine whether the current user has a valid session or not, check if `response.userCtx.name` is set. ```js db.session() .then(function (response) { // { // "ok": true, // "userCtx": { // "name": null, // "roles": [], // }, // "info": { // "authentication_handlers": ["api"] // } // } }) ``` ### db.multiUserLogIn(username, password[, callback]) This works the same as ``db.logIn()``, but returns an extra property (``sessionID``), so multiple sessions can be managed at the same time. You pass in this property to the ``db.multiUserSession`` function as a reminder which session you are talking about. As a matter of fact, the normal functions are just a small wrapper over the ``db.multiUser*`` functions. They just store and re-use the last sessionID internally. ```js db.multiUserLogIn('john', 'secret') .then(response) { // { // ok: true, // name: 'username', // roles: ['roles', 'here'], // sessionID: 'amFuOjU2Njg4MkI5OkEK3-1SRseo6yNRHfk-mmk6zOxm' // } }); ``` ### db.multiUserSession(sessionID[, callback]) The same as ``db.session()``, but supporting multiple sessions at the same time. Pass in a ``sessionID`` obtained from a ``db.multiUserLogIn()`` call. If ``sessionID`` is not given, a normal non-logged in session will be returned. A new updated ``sessionID`` is generated and included to prevent the session from expiring. ```js db.multiUserSession('amFuOjU2Njg4MkI5OkEK3-1SRseo6yNRHfk-mmk6zOxm') .then(response) { // { // "ok": true, // "userCtx": { // "name": 'john', // "roles": [], // }, // "info": { // "authentication_handlers": ["api"] // }, // sessionID: 'some-new-session-id' // } } ``` ### db.multiUserLogOut() Contrary to what you might expect, this method **does not exist**. Multi user logouts are as simple as just forgetting the ``sessionID``. That is the only thing the ``db.logOut()`` method does internally. No other state is kept. How it works ------------ First, make sure you understand how the `_users` database works in CouchDB. A good start is [the CouchDB documentation on the authentication database](http://docs.couchdb.org/en/latest/intro/security.html#authentication-database) Admin users are not stored in the `_users` database, but in the `[admins]` section of couch.ini, see http://docs.couchdb.org/en/latest/config/auth.html When setting passwords clear text, CouchDB will automatically overwrite them with hashed passwords on restart. the ``hashAdminPasswords`` function can be used to emulate that behaviour with PouchDB-Auth. The `roles` property of `_users` documents is used by CouchDB to determine access to databases, which can be set in the `_security` setting of each database. There are now default roles by CouchDB, so you are free to set your own (With the excepion of system roles starting with a `_`). The `roles` property can only be changed by CouchDB admin users. More on authorization in CouchDB: http://docs.couchdb.org/en/latest/intro/security.html#authorization Source ------ PouchDB Server and its sub-packages are distributed as a [monorepo](https://github.com/babel/babel/blob/master/doc/design/monorepo.md). For a full list of packages, see [the GitHub source](https://github.com/pouchdb/pouchdb-server/tree/master/packages/node_modules). License ------- The Apache 2 License. See [the LICENSE file](https://github.com/pouchdb/pouchdb-server/blob/master/LICENSE) for more information.