CouchDB public interface authentication through rewrites

Posted 12-08 08:09 | Words: 717 | Views: 1 | Comments: 0

I have a website set on a specific domain which is completely separated from my couchdb url through rewrites and virtual hosts, and I got to a point where I need to add some user authentication using _sessions API but I'm afraid I can't do it with rewrites:

{
  "from": "auth",
  "to": "../../../_session"
}

gives me:

{"error":"insecure_rewrite_rule","reason":"too many ../.. segments"}

which is acceptable, but now I'm wondering how would I get the session authentication to work from my domain without exposing couchdb url, and also, the session seems to be related to the domain so if I login through couchdb.example.com it won't work when using mywebsite.com as the public interface?

Thanks

PS. I've just found this post where there's an alternative by disabling secure_rewrites on the httpd config file, which seems to work, although I was wondering whether that might not be a good approach and whether there is something else which is ideal for this kind of problem.


Comments (2)

绝世的画 2024-12-15 08:09:52

I recommend setting secure_rewrites=false and not worrying about it.

We had a great discussion about CouchDB rewrites and security in the Iris Couch forum. Also see my post later about using Audit CouchDB. These are the highlights:

  • The secure_rewrites option is not the ultimate source of security for your data. At best, it is one layer in a multi-layer solution.
  • The ultimate source of security is the _security object in the database. So that is where you should focus your attention.
  • The Audit CouchDB tool scans every detail about your couch and it will tell you if any red flags are present. It is implemented in JavaScript so if you have NodeJS, you can run it; or simply reading the source code gives you an idea of what it is looking for.
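
As an added illustration of the layering described in the answer above (not part of the original answer and not the Audit CouchDB tool's code), this Node.js script resolves each rewrite rule's "to" path relative to the design document and checks whether _security names any members. The function names, the mydb/app names and the sample data are constructed; the path resolution is plain path arithmetic, not CouchDB's own secure_rewrites logic.

```javascript
'use strict';
// Added example: hypothetical function names, constructed sample data.

// Resolve a rule's "to" path relative to /<db>/_design/<ddoc>/ and report
// where it lands. Plain path arithmetic, not CouchDB's own rewrite check.
function resolveRewriteTarget(db, ddoc, to) {
  const stack = [db, '_design', ddoc];
  let aboveRoot = false; // set when a ".." is left over at the server root
  for (const seg of to.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') { stack.push(seg); continue; }
    if (stack.length === 0) aboveRoot = true; else stack.pop();
  }
  let scope = 'server';
  if (stack[0] === db) {
    scope = stack[1] === '_design' && stack[2] === ddoc ? 'design-doc' : 'database';
  }
  return { path: '/' + stack.join('/'), scope: aboveRoot ? 'above-root' : scope };
}

// A _security object with no member names or roles leaves the database
// readable by anyone who can reach it, whatever the rewrite rules say.
// Older releases call the "members" field "readers".
function isPublicDatabase(security) {
  const members = (security && (security.members || security.readers)) || {};
  return !(members.names || []).length && !(members.roles || []).length;
}

// Collect findings for one design document's rewrites and its database.
function auditApp(db, ddoc, rewrites, security) {
  const findings = [];
  if (isPublicDatabase(security)) {
    findings.push(`${db}: _security has no members, database is public`);
  }
  for (const rule of rewrites) {
    const target = resolveRewriteTarget(db, ddoc, rule.to);
    if (target.scope === 'server' || target.scope === 'above-root') {
      findings.push(`rewrite "${rule.from}" leaves the database: ${target.path}`);
    }
  }
  return findings;
}

// Constructed sample: the rule from the question plus an ordinary one.
const sampleRewrites = [
  { from: 'auth', to: '../../../_session' },
  { from: 'page/*', to: '_show/page/*' },
];
const sampleSecurity = { admins: { names: [], roles: [] }, members: { names: [], roles: [] } };
console.log(auditApp('mydb', 'app', sampleRewrites, sampleSecurity));
```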

不羁少年 2024-12-15 08:09:52

If you are using vhost, then the /_session handler is available at the vhost root without any rewrite rules (by default).

See the section [httpd] of default.ini:

vhost_global_handlers = _utils, _uuids, _session, _oauth, _users