Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Update docs on private DB security

See original GitHub issue

Issue Description


From the current documentation in the readme, and looking into the code, I think the privateDBs are not restricted to just the user_ids they are based on. E.g. If I am logged in as A so long as I know B’s user_id (and private DB URL), I can read/write to it.

Considering the above assumption is right, how can I add a design doc with validate_doc_update function to disallow users whose id won’t match with the DB name? If I can do that, then even if the userID is leaked, a different user won’t be able to read/write into this user’s DB even after guessing the DBURL. Although CouchDB is new to me, I don’t think I can get DB Name within the validate_doc_update function. As an alternative, is there a way in which I can match the logged in user’s ID with the DBUrl on the server (although I take it that once the client has the DB URL, all requests would directly hit the remote CouchDB, not go through the express app)?

My intention is to prevent any user other than the privateDB user from having any access to it.

Thanks in advance!

Issue Analytics

  • State:open
  • Created 7 years ago
  • Comments:5 (5 by maintainers)

github_iconTop GitHub Comments

colinskowcommented, Apr 30, 2016

I agree the README needs some clarity. I am going to leave this issue open to remind me.

SukantGujarcommented, Apr 30, 2016

Great, so looks like Superlogin already takes care of some of the steps to ensure privateDBs remain accessible only to their owners. IMHO, it may help adopters if the readme has some more clarity on the concept of privateDBs like how they are initialized and what default security features are already added. And what responsibilities should be handled by the adopters.

Thanks for all your help Colin, I am closing this issue.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Controlling access with security groups - AWS Documentation
VPC security groups control the access that traffic has in and out of a DB instance. By default, network access is turned off...
Read more >
Understand Firebase Realtime Database Security Rules
Every read and write request will only be completed if your rules allow it. By default, your rules do not allow anyone access...
Read more >
Using Oracle Virtual Private Database to Control Data Access
Oracle Virtual Private Database (VPD) enables you to filter users who access data. ... Virtual Private Database policies to SELECT , INSERT ,...
Read more >
Enabling secure database access | Looker - Google Cloud
Enabling secure database access · Option 1: IP address allowlist · Option 2: SSL encryption · Option 3: SSH tunnel.
Read more >
Overview of database security in Azure Cosmos DB
All data in the regions listed in What's new? is now encrypted at rest. Personal data and other confidential data can be isolated...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found