Validating API Keys in CouchDB

Question

Hi there, I became interested in CouchDB recently and wanted to try and form a small application around it.

The way how I invition my system currently is that requests come providing two things, a id, a API Key and a format. The ID is the _id of a document in the database, the API Key is a _id of another document that has a property of {"valid" : true/false}, and the format is the format they want back. If the API Key is valid, the system would generate the show page for the id given, in the format requested. Otherwise it would return a 403 stats code.

Unfortunately I can't find a way to pull up another document from a show page. I am just beginning CouchDB, so maybe there is something simple here I'm missing.

Thank you for your help!

Answer 1

With a _show function, there are three parts involved:

1. The design document
2. The show function inside the design document
3. The additional document to be shown

For the URL format /db/_design/ddoc/_show/my_show_func/otherdoc:

1. The design document is _design/ddoc
2. The show function is shows.my_show_func within that design document
3. The document to be shown has an _id of otherdoc

Those are the only two documents involved. The only way I can think to do what you describe is have a design doc per API key. The user would query /db/_design/API_KEY/_show/other_doc_id. CouchDB is relaxed. There is nothing wrong with thousands of design docs with identical or similar _show functions. You coul use the HTTP COPY method to clone a base design doc to a new API key as needed. Then you could revoke an API key by deleting the design doc. However that is obviously a unique approach, worth a second thought.

A final consideration is (with the default CouchDB, no reverse proxies, mod_security, etc.) if a user can read one document, they can read the entire database (e.g. from the _all_docs query.) Therefore show functions are a convenience for the software but not a security gateway.