This repository has been archived by the owner on Jan 15, 2021. It is now read-only.
Create spec for ACL layer #318
Assignees
Milestone
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
This spec will define how we control access to all of Express-PouchDB's endpoints as well as our own endpoints and decide who can make requests and who cannot.
We also have to protect _local so that remote requesters can only see entries they created. We almost certainly have to put in some kind of key protection to make sure that IDs can't collide as this could be used to cause malicious behavior.
Note that with the exception of _local we only support GET and sometimes POST on a few endpoints needed for pull replication. For _local we have to allow write both to the magic ID that PouchDB will create on its own (and somehow prevent collisions so bad guys can't screw things up for other folks) but we also need to allow write for our own magic _local value.
We also need to make sure that we can associate an authenticated ID via PSK with a particular native level connection. Trust is still at the TCP layer but this does help the peer pool implementation when it has to pick a connection to kill.
The text was updated successfully, but these errors were encountered: