| 1 | [back to hoodie-server-account](README.md)
|
| 2 |
|
| 3 | # How it works
|
| 4 |
|
| 5 | ## CouchDB `_users` doc specification & custom properties used by `hoodie-server-account`
|
| 6 |
|
| 7 | `hoodie-server-account` works directly against [CouchDB’s Authentication System](http://docs.couchdb.org/en/latest/api/server/authn.html).
|
| 8 | User accounts are docs in the `_users` database, and they have the following
|
| 9 | requirements:
|
| 10 |
|
| 11 | ```js
|
| 12 | {
|
| 13 | // Properties required by CouchDB
|
| 14 | // _id MUST consist of "org.couchdb.user:" + username
|
| 15 | "_id": "org.couchdb.user:test",
|
| 16 | // _rev is required by CouchDB for every document
|
| 17 | "_rev": "1-c7eb42781549d144e6a42814376686e0",
|
| 18 | // name MUST be the username
|
| 19 | "name": "pat",
|
| 20 | // type MUST be set to "user"
|
| 21 | "type": "user",
|
| 22 | // iterations, password_scheme, derived_key & salt are automatically created
|
| 23 | // by CouchDB to hash the password. The original password does not get stored
|
| 24 | // and cannot be retrieved
|
| 25 | "iterations": 10,
|
| 26 | "password_scheme": "pbkdf2",
|
| 27 | "derived_key": "94266b18ecec62aa78cbe15cb27e98d7689ded5c",
|
| 28 | "salt": "ae995d9d359cb88105d120a0a8c498a2",
|
| 29 | // roles must be an array of strings. Roles can be used to give access
|
| 30 | // to databases. It must include an "id:..." role, see below
|
| 31 | "roles": ["id:abc4567"],
|
| 32 | }
|
| 33 | ```
|
| 34 |
|
| 35 | ### <a name="id-role"></a>The "id role" – because usernames can change.
|
| 36 |
|
| 37 | Access permissions can be set in CouchDB on a database level, by using usernames
|
| 38 | or roles. As usernames are prone to change, `hoodie-server-account` adds an
|
| 39 | id that is globally unique and will never change, and can therefore be used to
|
| 40 | reference ownership & permissions. The id is added as the first entry in `"roles"`,
|
| 41 | for example if the account id is `abc4567`, the role is `id:abc4567`
|
| 42 |
|
| 43 | ```js
|
| 44 | {
|
| 45 | // ...
|
| 46 | "roles": [
|
| 47 | "id:abc4567"
|
| 48 | ]
|
| 49 | }
|
| 50 | ```
|
| 51 |
|
| 52 | It's recommended to always use the "id role" to grant permissions to databases,
|
| 53 | as usernames can change.
|
| 54 |
|
| 55 | ### Exposed account properties by `hoodie-server-account`
|
| 56 |
|
| 57 | `hoodie-server-account`’s REST API will only ever expose the following properties:
|
| 58 |
|
| 59 | 1. `username` – read only
|
| 60 | 2. `id` – read only
|
| 61 |
|
| 62 | Usernames can be changed using the `"requests"` API, for which a custom routine
|
| 63 | can be defined, for example an email confirmation workflow.
|
| 64 |
|
| 65 | As no other properties from the `_users` docs will be exposed by
|
| 66 | `hoodie-server-account`’s API by default, you can securely store sensitive
|
| 67 | information like API keys, or password reset tokens.
|
| 68 |
|
| 69 | ### Account Profile
|
| 70 |
|
| 71 | Custom user properties like full name, address, etc are stored in the `"profile"`
|
| 72 | property of the `_users` doc. The properties can be accessed / changed using the
|
| 73 | `GET /session/account/profile` & `PATCH /session/account/profile`.
|
| 74 |
|
| 75 | ```js
|
| 76 | {
|
| 77 | "_id": "org.couchdb.user:pat"
|
| 78 | //...
|
| 79 | "profile": {
|
| 80 | "fullname": "Pat Hook"
|
| 81 | }
|
| 82 | }
|
| 83 | ```
|
| 84 |
|
| 85 | ### Tokens
|
| 86 |
|
| 87 | Tokens are stored for flexible usage in the `tokens` property. It's an array
|
| 88 | of objects, in which all objects have an id, timestamp, expiration date and
|
| 89 | a name. More meta properties can be added as needed.
|
| 90 |
|
| 91 | ```js
|
| 92 | {
|
| 93 | "_id": "org.couchdb.user:pat"
|
| 94 | //...
|
| 95 | "tokens": [
|
| 96 | {
|
| 97 | "id": "token123",
|
| 98 | "name": "password reset",
|
| 99 | "createdAt": "2015-11-01T00:00:00.000Z",
|
| 100 | "expiresAt": "2015-11-15T00:00:00.000Z",
|
| 101 | }
|
| 102 | ]
|
| 103 | }
|
| 104 | ```
|