Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
380 views
in Technique[技术] by (71.8m points)

couchdb - PouchDB security

What's the best security practice to follow while using PouchDB on the client-side to access a remote server?

The example on https://pouchdb.com/getting-started.html syncs with the remote server with the code:

var remoteCouch = 'http://user:[email protected]/todos';

The problem is I probably don't want the user to see the plaintext password with a file they can download -- even if that file is shown to the authenticated users only.

Please advise. Thanks in advance,


1 Answer

0 votes
by (71.8m points)

Here's a really good article regarding all things auth for CouchDB.

I've got a production server with CouchDB configured to use HTTP over localhost but external requests require HTTPS redirected via stunnel to CouchDB.

On the client I use PouchDB to maintain a local, replicated db. As part of the handshake to establish communication with CouchDB over HTTPS, the software acquires CouchDB credentials from another server - the credentials are never stored client side.

pouchdb-authentication is a good plugin, but I've found it better to handle auth personally.
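The approach described in the answer above (HTTPS only, credentials obtained from another server at runtime instead of being written into the downloadable script), as an added example that is not part of the original answer. The names `validateRemoteUrl`, `authOptions`, `connectRemote`, `fetchCredentials` and `createDb` are hypothetical, and `couch.example.com` is a constructed host; `auth: { username, password }` is the PouchDB constructor option for remote databases.

```javascript
// Added example; helper names are hypothetical, not part of PouchDB.

// Refuse remotes that would send credentials in clear text or that
// carry them inside the URL string shipped to the browser.
function validateRemoteUrl(remoteUrl) {
  const u = new URL(remoteUrl);
  if (u.protocol !== 'https:') {
    throw new Error('remote must use https');
  }
  if (u.username || u.password) {
    throw new Error('credentials must not be embedded in the URL');
  }
  return u.href;
}

// Build the options object passed as `new PouchDB(url, options)`.
function authOptions(creds) {
  const ok = creds &&
    typeof creds.username === 'string' && creds.username !== '' &&
    typeof creds.password === 'string' && creds.password !== '';
  if (!ok) {
    throw new Error('credential server returned no usable credentials');
  }
  return { auth: { username: creds.username, password: creds.password } };
}

// fetchCredentials: async function, assumed to ask a separate server
//   (over HTTPS, tied to the user's session) for CouchDB credentials.
// createDb: factory such as (url, opts) => new PouchDB(url, opts).
// The credentials live only in memory for the duration of the call.
async function connectRemote(remoteUrl, fetchCredentials, createDb) {
  const url = validateRemoteUrl(remoteUrl);
  const creds = await fetchCredentials();
  return createDb(url, authOptions(creds));
}
```

With PouchDB loaded, the call would look like `connectRemote('https://couch.example.com/todos', getCreds, (url, opts) => new PouchDB(url, opts))`, where `getCreds` is your own function that contacts the credential server.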

