From the previous Coffee on Couchbase Sync Gateway series, we explored how to authenticate users and also how to use Channels in Sync Gateway.  Sync Gateway provides the data orchestration layer for Couchbase Mobile and previously we saw how data routing can be done by validating the document types from within the Sync Function.     

In the video below, we are again joined by Chris Anderson who will discuss together about Sync Gateway and dive deeper on how to secure your mobile applications with using Channels.  We will continue to use the Stackoverflow example and the tags we imported.    

The administrator is able to specify whatever channel they like to see from the admin port which is secured behind a firewall.  The public port is where the end users connect to through the privileges that are set from the 'users' key.  This is defines such as:

where the user is able to see the 'android' channel; this is the Stackoverflow questions that contain all the android tags will be available to the user if the specific tag is contained in the 'admin_channels' key.  If for a particular user accesses a channel that they have not been granted for then the end user will see an empty set back.  This is channel setting on the server side where the users/clients do not need to specify the channel that they are interested in.  

Administrator API

If we want our users to have different channel accesses aside from the ones set explicitly on the server side, then a way we can set that is to use the Administrator API.  The Admin REST API runs on port 4985 and we can update the user record with a JSON such as :

and through the Admin REST API, we can give the GUEST user access to a different set of channels by executing the command:

Sending the above request to Sync Gateway will allow the GUEST user to have access to the 'html' channel as well.  There is an API endpoint that is GET/{db}/_changes which would allow us to see all the document change request made to the database from port 4984.  From an adminstrator's perspective, this allows you to provide permissions to what your users is allowed to see and hence control READ access to your data.

If we now provide both the 'html' and 'android' tag names for the channels in the command below:

the GUEST user will now have access to both channels and the dataset will be expanded accordingly with both 'android' and 'html' documents in the '_changes' endpoint.  This controls which channels an user is allowed to see and controls READ access to the database.  The Channel security model can be controlled with the Admin REST API and through the user requirements, you as a developer are able to incorporate fine grain level control to the database.

Sync Gateway           

In the Coffee on Couchbase Sync Gateway series, we have talk about Channels and how you are able to secure or restrict proportions of your database through various feature enablements in the Sync Function.  We will explore Sync Gateway further and also dive into encryption of data next in our series with ForestDB as our new storage engine in Couchbase Lite. 

Be sure to connect with us over in our Mobile Developer Forums for any questions or on Stackoverflow.

Posted by William Hoang, Mobile Developer Advocate, Couchbase

William was a Developer Advocate on the Mobile Engineering/Developer Experience team at Couchbase. His love for coffee and code has transcended him into the world of mobile while appreciating the offline in-person experiences. Prior, William worked on the Developer Relations team over at Twitter, BlackBerry, and Microsoft while also having been a Software Embedded GPS engineer at Research In Motion. William graduated from McGill University in Electrical Software Engineering

Leave a reply