fix: restrict to /_users/

Probably not a good idea to expose all CouchDB routes... BREAKING CHANGE: only requests to the _users DB are proxied
tlvince · Nov 12, 2015 · c4f122e · c4f122e
1 parent af73174
commit c4f122e
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/readme.md b/readme.md
@@ -7,8 +7,8 @@
 [travis-url]: https://travis-ci.org/tlvince/hassock
 [travis-image]: https://img.shields.io/travis/tlvince/hassock.svg
 
-Passes through any requests as-is to CouchDB, optionally setting an HTTP auth
-header if `DB_USERNAME` and `DB_PASSWORD` are set.
+Passes through any requests to `/_users/` as-is to CouchDB, optionally setting
+an HTTP auth header if `DB_USERNAME` and `DB_PASSWORD` are set.
 
 Intended to be used to manage (regular) CouchDB user accounts. Allows you to
 keep your CouchDB admin account credentials out of your client code, whilst

diff --git a/server.js b/server.js
@@ -20,7 +20,7 @@ var db = {
   password: process.env.DB_PASSWORD
 }
 
-app.all('*', function (req, res) {
+app.all('/_users/*', function (req, res) {
   var opts = {
     uri: db.url + req.url,
     method: req.method