1 | [back to hoodie-server-account](README.md)
|
2 |
|
3 | # How it works
|
4 |
|
5 | ## CouchDB `_users` doc specification & custom properties used by `hoodie-server-account`
|
6 |
|
7 | `hoodie-server-account` works directly against [CouchDB’s Authentication System](http://docs.couchdb.org/en/latest/api/server/authn.html).
|
8 | User accounts are docs in the `_users` database, and they have the following
|
9 | requirements:
|
10 |
|
11 | ```js
|
12 | {
|
13 | // Properties required by CouchDB
|
14 | // _id MUST consist of "org.couchdb.user:" + username
|
15 | "_id": "org.couchdb.user:test",
|
16 | // _rev is required by CouchDB for every document
|
17 | "_rev": "1-c7eb42781549d144e6a42814376686e0",
|
18 | // name MUST be the username
|
19 | "name": "pat",
|
20 | // type MUST be set to "user"
|
21 | "type": "user",
|
22 | // iterations, password_scheme, derived_key & salt are automatically created
|
23 | // by CouchDB to hash the password. The original password does not get stored
|
24 | // and cannot be retrieved
|
25 | "iterations": 10,
|
26 | "password_scheme": "pbkdf2",
|
27 | "derived_key": "94266b18ecec62aa78cbe15cb27e98d7689ded5c",
|
28 | "salt": "ae995d9d359cb88105d120a0a8c498a2",
|
29 | // roles must be an array of strings. Roles can be used to give access
|
30 | // to databases. It must include an "id:..." role, see below
|
31 | "roles": ["id:abc4567"],
|
32 | }
|
33 | ```
|
34 |
|
35 | ### <a name="id-role"></a>The "id role" – because usernames can change.
|
36 |
|
37 | Access permissions can be set in CouchDB on a database level, by using usernames
|
38 | or roles. As usernames are prone to change, `hoodie-server-account` adds an
|
39 | id that is globally unique and will never change, and can therefore be used to
|
40 | reference ownership & permissions. The id is added as the first entry in `"roles"`,
|
41 | for example if the account id is `abc4567`, the role is `id:abc4567`
|
42 |
|
43 | ```js
|
44 | {
|
45 | // ...
|
46 | "roles": [
|
47 | "id:abc4567"
|
48 | ]
|
49 | }
|
50 | ```
|
51 |
|
52 | It's recommended to always use the "id role" to grant permissions to databases,
|
53 | as usernames can change.
|
54 |
|
55 | ### Exposed account properties by `hoodie-server-account`
|
56 |
|
57 | `hoodie-server-account`’s REST API will only ever expose the following properties:
|
58 |
|
59 | 1. `username` – read only
|
60 | 2. `id` – read only
|
61 |
|
62 | Usernames can be changed using the `"requests"` API, for which a custom routine
|
63 | can be defined, for example an email confirmation workflow.
|
64 |
|
65 | As no other properties from the `_users` docs will be exposed by
|
66 | `hoodie-server-account`’s API by default, you can securely store sensitive
|
67 | information like API keys, or password reset tokens.
|
68 |
|
69 | ### Account Profile
|
70 |
|
71 | Custom user properties like full name, address, etc are stored in the `"profile"`
|
72 | property of the `_users` doc. The properties can be accessed / changed using the
|
73 | `GET /session/account/profile` & `PATCH /session/account/profile`.
|
74 |
|
75 | ```js
|
76 | {
|
77 | "_id": "org.couchdb.user:pat"
|
78 | //...
|
79 | "profile": {
|
80 | "fullname": "Pat Hook"
|
81 | }
|
82 | }
|
83 | ```
|
84 |
|
85 | ### Tokens
|
86 |
|
87 | Tokens are stored for flexible usage in the `tokens` property. It's an array
|
88 | of objects, in which all objects have an id, timestamp, expiration date and
|
89 | a name. More meta properties can be added as needed.
|
90 |
|
91 | ```js
|
92 | {
|
93 | "_id": "org.couchdb.user:pat"
|
94 | //...
|
95 | "tokens": [
|
96 | {
|
97 | "id": "token123",
|
98 | "name": "password reset",
|
99 | "createdAt": "2015-11-01T00:00:00.000Z",
|
100 | "expiresAt": "2015-11-15T00:00:00.000Z",
|
101 | }
|
102 | ]
|
103 | }
|
104 | ```
|