In the previous blog of the Sync Gateway series, we explored how to Authenticate and Authorize users in an application through some of the Sync Gateway features.  Building from the series, we will now explore how to validate Document Types in Sync Gateway to determine their accessibility from the mobile client side with a particular user.  This will lead into the Channel discussion on how Couchbase Mobile does read-side security in the next blog of our series.  For write-side security, we will explore the key methods in the Sync Function that would enable particular documents coming in from known users to be written to the backend database.

Sync Function

Imagine that we have a document or many documents in our database for example where we have a type key that we will reference in our validation code.  The heart of Sync Gateway is the implementation logic of the Sync Function and below we see how a document type can be verified for accessibility controls for users in an application.  

With the ‘type’ field in the documents, we can differentiate by specific values of what the document represents.  If a document type represents ‘schools’ or ‘vehicles’ or ‘friends’ then from within the Sync Function we can add a switch statement to capture how we will allow for the processing of different document types in different ways from within the Sync Function.  What we do first is check for the document type to see that if it is a ‘friends’ type and then first see if the document owner property matches the current authenticated user ID through the ‘requireUser()‘ method.  If the owner property does match the current authenticated user, then we will give access to a document to all of the friends through the ‘items-doc.owner’ channel.  This basically means that no one else will see the list of friends that has been invited by the user as that is private only to the user themselves.

The ‘else’ clause is where if this is not a friend’s or vehicles’ document, then this will be a school’s item document and again we validate that the owner property matches the current authenticated user ID.  As before, we add the items to the ‘items-‘ channel for the item owner property and we give that user access to that channel.

While we updated the Sync Function with the switch logic above, we can actually add an additional test to reject any unknown document types so if it is not a ‘friends’ or ‘vehicles’ or ‘schools’ document’ type, then we will reject the document by calling the ‘throw()‘ method.

Instead of the ‘requireUser()’ method, we will replace it with the ‘requireAccess(“items-“+doc.owner)’ method where now basically if you want to write a new item to a list, you have to have access to the items channel for the particular user that you want to add the item for.

Author

Posted by William Hoang, Mobile Developer Advocate, Couchbase

William was a Developer Advocate on the Mobile Engineering/Developer Experience team at Couchbase. His love for coffee and code has transcended him into the world of mobile while appreciating the offline in-person experiences. Prior, William worked on the Developer Relations team over at Twitter, BlackBerry, and Microsoft while also having been a Software Embedded GPS engineer at Research In Motion. William graduated from McGill University in Electrical Software Engineering

Leave a reply