I have the following setup:
- CouchDB database that stores users and handles authentication; creates one db per user
- Web app that uses PouchDB to sync and authenticate via pouchdb-authentication
- A REST API server that gets requests from the web app and accesses CouchDB
Now, the REST API has admin access to CouchDB, so when it receives requests, it needs to do some form of authentication to make sure the sender has permissions to the database he claims to have access to. Since I use persistent sessions, the web app does not know the user password at all times (unless I store it in localStorage - obviously a bad idea). The session cookie is HttpOnly, so I can't access it.
What would be the best way to authenticate requests to the API under this scenario?