CouchDB/PouchDB User Authentication/Authorization - ios

I have been working on an Angular/Ionic application and am using the OAuth.io plugin to handle a facebook login to gain a user's information. From that I derive a simple database name based on the user's firstname and their Facebook ID number.
What I am wanting to do would be to sync this local pouchDB instance to an online CouchDB instance (currently using http://iriscouch.com) for replication to a desktop app, or something similar. The piece I am missing is how to handle user authentication/authorization to be able to only read and write to their own database and no one else's as all of the code currently lives on the client side with no app server to handle any login aside from the OAuth.io plugin.
Is this possible to handle without adding an app server layer, and without manual intervention to create a user on the CouchDB instance?

Currently you can only do per-user read-write permissions in CouchDB by having an additional process on the server side (details), which would be troublesome for you since you're using IrisCouch, so you'd need a separate server somewhere to host this process.
A few alternative options are available to you right now:
Couchbase, which has per-user databases
Janus, which works using Mozilla Persona rather than Facebook ID, and isn't ready yet, but should be unveiled shortly

Related

Accessing Dataverse/Power App Data on external Public Website via API

I am stumped trying to find a similar idea on how we can achieve this.
We are currently using a model-driven power app/Dataverse to house school applications. Once an application is submitted, our representatives will begin updating the application record "Application Status" custom field as they are going through the various steps.
Our partner wants to create a external website (just simple HTML/CSS/JavaScript) to display an application lookup where applicants can type in their application ID or send applicants direct-links to view the status of their application. (example: domain.com/application-status/?appid=1234)
This external, public website would have to connect to our dataverse/power app via the web api to make the request and display it to the applicant searching/viewing the website.
How can this be achieved? All I have read is that the user looking up data will need to have a Microsoft account and authenticated in our environment to view the data.
Can someone point me in the right direct on how to get this done (article or existing thread). Your help is highly appreciated.
This is normally being handled by the use of a PowerPlatform Portal.
Portals are designed to allow interactions with B2B/B2C.
This is, however, a hefty price tag.
Another way is to make your website use Rest API calls to your Dataverse tables.
To enable these, you need to create a client application registration in Azure and add this application user in your environment as an application user. Once registered, assign the appropriate rights(Sysadmin, Syscustomizer, whatever you want) and you can access your environment in two steps:
Generate an access token based on the scope of your environment, client id, and client secret.
Use the access token your application user has given to do your CRUD operations.

Design a new cloud based application with multiple login mechanism

I recently switched to a new company where my manager wants me to develop entirely new cloud based project in MVC. I have never worked on a project from the start and I think this is a good opportunity for me to lead.
However, I think the requirements of the clients are bit confusing.
Here is what he wants:
Client should be able to access the cloud hosted application from his network with single sign on. He wants to use his active directory for that.
There are different users in active directory, they will have different roles (I think we can handle this on database side. Create different roles and assign roles to users).
Client has to add vendor info in the application. But for this, system should send an email to vendor with the url of the cloud application. He wants user to login to the application using 2 Factor Authentication. So, send dummy password with url, and send OTP to his mobile number. Just like registering to any system.
Now my questions are:
Is it possible to have 2 different types of login mechanisms in the same application? SSO for client and 2FA for outside vendors?
If yes, could you please guide me in the right direction?
what things I need? Which framework, design pattern should I prefer?
How do I proceed ?

How to create a server accessible by an iphone app

I a thinking of creating an iPhone/iOS app that would include a feature where one user could create a list of words and then save them to their account on a server. Also (and this is very important), the user could share their list with other users by giving them permission.
So my question is, how can I go about creating such a server? For right now, I have a home computer (running Windows XP that just stores data for my music system) which I can use to host the server. I am also open to the use of other online storage services like Google Drive or Dropbox (I can't remember if Amazon does anything like that). However (and I know this may complicate things a bit), but at least for now, I want/need to stick with free services/options.
Just to recap, the key features that I am looking for are:
create users/accounts (on the server)
eventually I may [try] to incorporate the use of other services to log users in like with their email account, OpenId, etc.
the ability to access (log in to) the server (with credentials) from my app
the ability to send/receive data between the server and my app
the ability to share data between users
I know this is a lot to ask for, but if anyone has any suggestions or can get me going in the right direction, it would be much appreciated.
The basic setup would be as follows:
Backend: Database (MySQL), Web server (Apache), with server side scripting (PHP).
Client: iOS device with developed app.
Communication: use HTTP client/server model, communicating with something like JSON.
This is much the same setup as a web server, but instead of serving html/css/javascript etc the results will be JSON.
As far as implementing specifics such as login in, and sharing data between users, this is purely dependent on your implementation. This is not trivial, and not something that can be easily stated in a single post.
Hope this helps.
You could build your own webservice in PHP, Ruby or Python. If you do so I would recommend building a RESTful webservice (http://en.wikipedia.org/wiki/Representational_state_transfer) and then use RestKit (http://restkit.org/) to handle the data in the iOS app. Especially RestKit's CoreData integration is nice in my opinion.
Another solution would be using a service like Parse (https://parse.com/products/data). The first million or so requests per month are free but after that it could get pricy. I personally have not tried it so I couldn't tell you if it is any good.

Storing remote database credentials safely in iPhone app

I'm developing a simple iPhone app where users register, and sign in with their email/password. These values are stored in a remote database.
I'm using Cloudant to store this information (CouchDB is great), and have granted read-only privileges to a new user (created API key/pass). In order to communicate with Cloudant, you obviously need a URL to access it (eg https://user:pass#db.cloudant.com), which is stored in the app as a string.
Now, while I know this is pretty unsafe, I can't think of any other alternatives in order to keep the db URL safe (specifically the username/password for it). I've seen people talk about using another server to proxy through to obtain the credentials, but it seems a little awkward.
Any help or thoughts would be really appreciated!
Are you trying to make a connection from your iPhone app directly to the database? You shouldn't give your app read access to the whole remote user table / database. Sooner or later someone would find out and would have read access to your data. No matter how you try to obfuscate it, the user/password combination would need to be stored somehow in your app.
What you should do is build a web service that connects to your DB and verifies your users. The database password stays on a server. This proxy-approach is not awkward, it is the only way to keep your database logins away from your users.
One option is to create your own service in the cloud that abstracts away your storage. That also has the benefit of allowing you to change your storage without updating all your devices.
In that model, the service stores the credentials to access the storage and you implement user security in your application layer. I also wouldn't think of it as a proxy layer - that implies that it's a thin pass through. If you develop a service, you should define a web interface (rest, soap) that's agnostic to the storage. In that case, it's a service, not a proxy.
EDIT:
Typically the web service authenticates the user (don't write your own). Basic Auth with SSL is typical. Then, in that services context API, you get access to the username. From there, you do you what you need. Your storage is accessed with the one storage account that has full access to all content.
Another auth option is OAuth which allows them to authenticate with someone like google - you never get the password - just a token from google letting you know they authenticated and they are who they claim to be. For example, that's how stack overflow works.

How to get multi-user chat room access control list from external auth on ejabberd

I have ejabberd set up using external_auth to authenticate against the user database of my web application. What I would like is to be able to create a MUC (chat room) for site moderators, and automatically add those users to the chat, to the exclusion of all other users.
Eventually I would also like to be able to map my site's groups functionality to MUC's in ejabberd also.
The external authentication API for ejabberd doesn't seem to provide for fine-grained access control, basically only allowing you to query whether a user is registered and whether a username / password combination successfully authenticates a user.
The only reference I've seen to acl's for MUC's is here:
http://www.ejabberd.im/aclpopulate
But that seems to require setting privileges through the webadmin interface.
Is there no way to do this automatically from external auth?
To answer my own question, it doesn't seem possible to do what I need by using external auth.
I ended up integrating ejabberd commands into the user / group lifecycle of my web app, which was quicker than I had anticipated, and has the added bonus of being a zillion times faster than using external auth (I use ejabberd's internal user database, using ejabberdctl to create users, update passwords, add and remove from shared rosters and create muc's).
To help with that process I created a PHP wrapper for ejabberdctl which is freely available on github:
https://github.com/tomlancaster/Ejabberd-Wrapper-PHP
Please feel free to use and abuse it as you wish.
If you have your own authentication module, in that case you can redirect the authentication process of ejabberd. In ejabberd_auth.erl file redirect authentication by modifying check_password_with_authmodule/3 and check_password_with_authmodule/5 two function. From your authentication module return back the term as these two functions return.
If you authentication module is in deferent machine, make a socket connection to communicate with your authentication module and get the result and give the result back to check_password_with_authmodul function.
After this changes rebuild ejabberd and start.

Resources