REST API MongoDB Authentication
I am thinking of using MongoDB as my main database. However, my app is fully in JavaScript and I wanted to use the REST API, client side.
I still can't understand what security mechanisms I can use in order to make a JS call to the database without revealing all the data to all the users.
Please advise on this matter.
Regards, Donald
First of all, you can enable database auth which will make the REST interface require authentication if connected to from a remote machine.
That said, it's a very bad idea to expose your database like you suggest. Build a persistence abstraction layer in a server technology you're comfortable with (node.js for example) and put all security constraints and authentication there. The advantages are numerous:
- You can keep your API stable even if the MongoDB one changes. You can even replace it with another persistence solution if the need arises in most cases.
- You can limit the load a single client can put on your database. If you expose the database directly there's very little you can do to avoid people doing expensive queries or even potentially corrupting writes.
- You can often do smart app-side caching and optimization that is not possible if every client directly accesses the database (this depends a bit on the app in question though).
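The abstraction layer this answer recommends, as an added example that is not part of the original answer: a server-side request handler that authenticates the caller, pins every query to the caller's own documents, rejects filter fields and operators the client is not allowed to send, and caps the result size. It assumes a hypothetical in-memory session table and a plain array standing in for a MongoDB collection; a real deployment would use an auth library and the MongoDB driver, but the control logic is the same.

```javascript
// Added example (not from the original answers). Session table and collection are
// constructed stand-ins; the database credentials stay on the server and are never
// handed to the browser.
const SESSIONS = new Map([['tok-alice', 'alice'], ['tok-bob', 'bob']]); // constructed
const NOTES = [                                                         // constructed
  { _id: 1, owner: 'alice', text: 'groceries' },
  { _id: 2, owner: 'bob',   text: 'groceries' },
  { _id: 3, owner: 'alice', text: 'todo' },
];
const MAX_LIMIT = 50;                            // bounds the load one request can cause
const CLIENT_FILTER_FIELDS = new Set(['text']); // the only fields a client may filter on

// Resolve the caller from the Authorization header (hypothetical bearer-token scheme).
function authenticate(headers) {
  const m = /^Bearer (\S+)$/.exec(headers.authorization || '');
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Turn the client's filter into a safe MongoDB query: whitelisted fields only, plain
// string values only (so no $where/$regex/$ne operators), and owner pinned to the caller.
function buildQuery(user, clientFilter) {
  const query = {};
  for (const [field, value] of Object.entries(clientFilter || {})) {
    if (!CLIENT_FILTER_FIELDS.has(field)) throw new Error(`filter on '${field}' not allowed`);
    if (typeof value !== 'string') throw new Error(`filter value for '${field}' must be a string`);
    query[field] = value;
  }
  query.owner = user; // the server decides the scope; the client cannot widen it
  return query;
}

// GET /notes handler: req = { headers, query: { filter?, limit? } } -> { status, body }
function listNotes(req) {
  const user = authenticate(req.headers || {});
  if (!user) return { status: 401, body: { error: 'authentication required' } };
  let query;
  try { query = buildQuery(user, req.query && req.query.filter); }
  catch (e) { return { status: 400, body: { error: e.message } }; }
  const requested = Number(req.query && req.query.limit) || MAX_LIMIT;
  const limit = Math.max(1, Math.min(requested, MAX_LIMIT));
  // Stand-in for collection.find(query).limit(limit): equality match on every query field.
  const rows = NOTES
    .filter(doc => Object.keys(query).every(k => doc[k] === query[k]))
    .slice(0, limit);
  return { status: 200, body: rows };
}
```

Because the client only ever talks to `listNotes`, a user can neither read another user's documents nor run an unbounded or operator-laden query, which is exactly what a direct REST interface to the database could not guarantee.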
Check out Sleepy.Mongoose, it's a REST API interface for MongoDB. I haven't tried it, but it appears to support standard MongoDB authentication.
MongoLab has MongoDB database hosting with a REST API that can be accessed client side; they even throw in some jQuery-based examples in their support documentation. That said, Remon is right that you sacrifice any security by doing so because you're making your API key public.
RESTHeart is a Web API for MongoDB.
It provides application level authorization and authentication.
Check the security documentation section.
Also, some example applications are available on GitHub:
- blog example (using AngularJs via the $http service)
- notes example (using AngularJs via Restangular service)