This proxy expects each CouchDB document to contain a dict called authLayer.
The authLayer dict is expected to contain a number of key:value pairs, where the key is an HTTP request method and the value is a list of sessions that are allowed access.
("ANY" is an additional key, which will match any HTTP request method).
For example, a document set up with authLayer might look like this:
    {
        "_id": "ExampleDocument",
        "_rev": "1234567890",
        "authLayer": {
            "GET": [
                {
                    "oauth2_provider": "github.com",
                    "oauth2_uid": 2345678,
                    "ouath2_nickname": "jane-doe"
                },
                {
                    "oauth2_provider": "github.com",
                    "oauth2_uid": 3456789,
                    "ouath2_nickname": "john-smith"
                }
            ],
            "ANY": [
                {
                    "oauth2_provider": "github.com",
                    "oauth2_uid": 1234567,
                    "ouath2_nickname": "ben-albon"
                }
            ]
        }
    }
In this example, jane-doe and john-smith would be allowed to GET the document, but only ben-albon would be allowed to POST changes to the document.
This proxy is specifically written to integrate with my PHP-PostgreSQL-Session-Handler fork.
If I had more time to dedicate to it, I would have abstracted the session handling into a separate module (to allow for extensibility).
The proxy itself requires only a dict of session_data relating to the provided HTTP cookie. The elements in the CouchDB ACL (see above) are then compared against this session_data dict. If all elements in the ACL match the corresponding elements in the session_data, then access is granted. If any element does not match, then access is denied.
This gives room for a lot of flexibility in access control. For example, the following document allows GET requests from all sessions authenticated using github.com (regardless of user):
    {
        "_id": "ExampleDocument",
        "_rev": "1234567890",
        "authLayer": {
            "GET": [
                {
                    "oauth2_provider": "github.com"
                }
            ]
        }
    }
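The matching rule described above (method-specific list, then "ANY"; every key in an ACL entry must equal the corresponding session_data key), written out as a stand-alone function. This is an added example, not the proxy's own code; the function names, the decision to fail closed on a missing authLayer, and the rejection of an empty entry are assumptions of the example.

```python
# Added example (not the proxy's own code): the authLayer matching rule
# as a stand-alone function. Assumes the document and session_data are
# already-parsed dicts; key names mirror the README's examples.

def entry_matches(entry, session_data):
    """Every key in the ACL entry must be present in session_data with an
    equal value. Fewer keys means a broader entry, e.g.
    {"oauth2_provider": "github.com"} admits any github.com session.
    An empty entry {} is rejected here (assumption of this example),
    because all() over nothing would otherwise admit every session."""
    if not entry:
        return False
    return all(
        key in session_data and session_data[key] == value
        for key, value in entry.items()
    )


def is_allowed(doc, method, session_data):
    """Return True if the session may use `method` on `doc`.

    The method-specific list is checked, then the "ANY" list.
    A missing or malformed authLayer denies access (fail closed)."""
    acl = doc.get("authLayer")
    if not isinstance(acl, dict):
        return False
    candidates = list(acl.get(method.upper(), [])) + list(acl.get("ANY", []))
    return any(entry_matches(entry, session_data) for entry in candidates)


# Constructed sample data in the shape of the README's first example.
DOC = {
    "_id": "ExampleDocument",
    "authLayer": {
        "GET": [{"oauth2_provider": "github.com", "oauth2_uid": 2345678}],
        "ANY": [{"oauth2_provider": "github.com", "oauth2_uid": 1234567}],
    },
}
JANE = {"oauth2_provider": "github.com", "oauth2_uid": 2345678}
BEN = {"oauth2_provider": "github.com", "oauth2_uid": 1234567}

if __name__ == "__main__":
    print("jane GET :", is_allowed(DOC, "GET", JANE))   # True
    print("jane POST:", is_allowed(DOC, "POST", JANE))  # False
    print("ben  POST:", is_allowed(DOC, "POST", BEN))   # True
```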
I welcome any pull request that extends this proxy to work with other session handlers :-)
I've included some scripts to create/run your own docker container, but it's probably better to build from the official benalbon/couchdb-auth-layer:latest image.
To do that, create a folder with:
- a configuration file, config.py, that includes your own specific auth-layer configurations
- a Dockerfile that includes

    FROM benalbon/couchdb-auth-layer
    COPY config.py /usr/src/app/config.py

build the image with

    docker build -t my-couchdb-auth-layer .

and you're done. Easy!