CouchDB Proxy Authentication security - user roles confusion
On user auth success, the auth server generates a token and passes it to the client.
The docs say the client has to add the following headers:
x-auth-couchdb-username: username;
x-auth-couchdb-roles: comma-separated (,) list of user roles;
x-auth-couchdb-token: authentication token.
Does this mean the client defines its own roles on every request? Why can't it add 'admin' to the list of roles then?
A client is whatever uses or requests resources from a server.
"The client" in this case is the proxy/auth server, not the web browser. (The documentation could stand to be clarified a bit.)
So yes, the proxy/auth server, as the client of CouchDB, should set the headers appropriately.
By extension, it should not pass through x-auth-couchdb headers received from its own client (presumably the web browser).
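To make the answer concrete, here is an added example (not code from the thread or from CouchDB itself) of the header handling a proxy/auth server should do before forwarding a request to CouchDB: drop every x-auth-couchdb-* header the browser sent, look up the username and roles in the proxy's own session store, and set the three headers itself. The token is computed as CouchDB's proxy authentication expects when a shared secret is configured: a hex-encoded HMAC-SHA1 of the username under the secret. The secret value and the session store are constructed for the example; in a real deployment the secret must match the one in CouchDB's configuration.

```python
import hmac
import hashlib

# Constructed for this example: in production this is the shared secret configured
# in CouchDB (the [couch_httpd_auth] secret), known only to CouchDB and the proxy.
PROXY_SECRET = "constructed-shared-secret"

# Constructed session store. The proxy is the only authority on who is logged in
# and which roles they hold; nothing about this comes from the browser's request.
SESSIONS = {
    "session-abc": {"username": "alice", "roles": ["reader", "writer"]},
}


def couchdb_token(username: str, secret: str) -> str:
    """HMAC-SHA1 of the username under the shared secret, lowercase hex.

    This is what CouchDB recomputes and compares against x-auth-couchdb-token
    when proxy_use_secret is enabled."""
    return hmac.new(secret.encode("utf-8"), username.encode("utf-8"), hashlib.sha1).hexdigest()


def verify_token(username: str, token: str, secret: str) -> bool:
    """The check CouchDB performs on its side; constant-time comparison."""
    return hmac.compare_digest(couchdb_token(username, secret), token)


def strip_client_auth_headers(client_headers: dict) -> dict:
    """Remove any x-auth-couchdb-* header the browser supplied, case-insensitively.

    If these were forwarded as-is, a browser could claim any username or role
    (for example '_admin') on every request, which is exactly the confusion in
    the question."""
    return {
        name: value
        for name, value in client_headers.items()
        if not name.lower().startswith("x-auth-couchdb-")
    }


def build_upstream_headers(client_headers: dict, session_id: str, secret: str = PROXY_SECRET) -> dict:
    """Headers the proxy sends to CouchDB for an authenticated browser session."""
    session = SESSIONS.get(session_id)
    if session is None:
        # No valid session: refuse to forward rather than forwarding unauthenticated.
        raise PermissionError("no valid session for request")

    upstream = strip_client_auth_headers(client_headers)
    username = session["username"]
    upstream["X-Auth-CouchDB-UserName"] = username
    upstream["X-Auth-CouchDB-Roles"] = ",".join(session["roles"])
    upstream["X-Auth-CouchDB-Token"] = couchdb_token(username, secret)
    return upstream


if __name__ == "__main__":
    # Constructed browser request that tries to smuggle an admin role.
    browser_headers = {
        "Host": "app.example.invalid",
        "Cookie": "sid=session-abc",
        "X-Auth-CouchDB-Roles": "_admin",
        "X-Auth-CouchDB-UserName": "someone-else",
    }
    for name, value in build_upstream_headers(browser_headers, "session-abc").items():
        print(f"{name}: {value}")
```

The roles that reach CouchDB come only from the proxy's session record, so the browser's claimed `_admin` role never leaves the proxy. The example generalises the answer slightly by also showing the verification CouchDB does on its end, which is why the token cannot be forged without the secret.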