CouchDB, limit creating users to admins only - couchdb

I'm working on a CouchDB backend that will exist as a central store for a React app using PouchDB. Reading the docs on the security section: http://docs.couchdb.org/en/2.1.1/intro/security.html, one does not need an admin account or a user account of any kind to create user records. Now, they wouldn't be able to create any documents, as I have admin party disabled. But I also don't want an open API end point to allow just anyone to write data. Is there a way for me to restrict this?
I've tried to see if I could setup a security document like so:
curl -X PUT http://admin:admin#localhost:5984/_users/_security -d '{"admins":{"names":[],"roles":[]},"members":{"names":[],"roles":[]}}'
But I'm still able to add users:
curl -X PUT http://localhost:5984/_users/org.couchdb.user:abc1 -d '{"name":"abc1", "password":"abc1", "roles":[], "type":"user"}'
Is there something I can change so I cannot do a put request to the couchdb.users namespace without admin credentials?

You are setting no admins or users in your security document and a database with no members allows any user to write regular documents, same as default behaviour.
Try to set your server's admin as _users database admin, i.e. change the security document to -d '{"admins": { "names": ["admin"], "roles": [] }, "members": { "names": [], "roles": [] }}' or even better create an admin role and assign it to a separate CouchDB user for more granular control.

Related

Validate organization email extension using MS Graph API

In my application, I have a list of users with their organization email-id. As per the requirement, I want to check user's email-id extension is of a valid Microsoft 365 account. For users who passed this check, I want to enable the SSO feature.
Example: If the user email-id is "user#company-domain.com" then I want to check that "#company-domain.com" is registered in MS 365.
I am not able to find any graph API to resolve this issue.
Any help would be appreciated.
What you should be able to use is the Organizations endpoint eg
https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http
then use the verified domains node
"verifiedDomains": [
{
"capabilities": "Email, OfficeCommunicationsOnline",
"isDefault": true,
"isInitial": true,
"name": "Contoso.com",
"type": "Managed"
}
This is what you see in the Portal or enumerated in things like Azure AD Connect
This will give you the verified domains for a particular org and your app will need permissions to query it.

How to allow any user to access/control only particular application?

Is there any way to allow user to get access of stream URLs and embed code of only one application and restrict access to other applications?
Yes, you can restrict your specific user. You just need to create a user according to below CURL command or Ant Media Server Dashboard Users section in Settings tab.
curl -X POST -H "Content-Type: application/json" -d '{"email": "test", "password": "testtest", "scope": "system", "userType": "ADMIN"}' "https://{YOUR_SERVER_ADDRESS}:5443/rest/v2/users"
Note: scope parameter can be system or specific application name such as LiveApp. If you use LiveApp, user will have permission only for LiveApp. system can access each application scope.
userType parameter can be ADMIN, USER or READ-ONLY.
Check this guide for more detail.

Docuasign REST API re-enable e-signature user account

I am trying to write some REST api functions to perform some basic user administration. I cannot seem to find the secret sauce for re-enabling a closed e-signature user, using either the Admin API or the E-signature API.
I saw a post that said just send the create user POST with the same username and email, but every time I do that, I get a new e-signature user, and not a reactivated closed user. I would appreciate any tips anyone could share.
Thanks
BL
Perhaps try issuing an Update User request, which allows you to specify the userId of the user account you want to (re)activate. For example:
PUT /accounts/{{accountId}}/users
{
"users": [{
"userId": "00000000-0000-0000-0000-000000000000",
"sendActivationEmail": "send"
}]
}

How to only allow a specific user to create new users in Firebase?

There are a lot of posts and discussions about restricting read/write access to specific users in the Firebase real-time database. However, I am not able to find a way to restrict the creation of new users to only a specific user/admin.
My application consists of a manager and employees. Only the manager should be able to add new users (employees) to the database along with having access to specific data which employees cannot access. From my understanding, the API which Firebase provides means that any client can create new users.
Could someone please guide me on how I can achieve this?
You can do as follows:
Firstly, create an admins node in your database to which you add the admin/manager user(s) with their userId, as follows:
- admins
- Br8kiG5....
- users
- Abcd88676....
- ....
- JHgU76hgh....
- ....
Secondly, set-up some security rules as follows,
{
"rules": {
"users": {
".write": "auth != null && root.child('admins').hasChild(auth.uid)",
".read": .....
".indexOn": .....
},
.....
}
}
Thirdly, implement the Firebase authentication in your app and only the user(s) listed under the admins database node will be able to write under the users node.

Session and security in CouchApp/CouchDB?

I'm new to CouchApp and CouchDB and have some questions.
How can I make sessions in CouchApp from my own database (not _users)?
How would I retrieve that session?
How can I parse data from a document?
I can do it with a view, but when someone calls my view url and gets the id, he can get all data like passwords (I'm trying to use my own database to store login information).
In my database I have a document like this:
{
"_id": "...",
"_rev": "...",
"XDocType": "user",
"name": "Administrator",
"password": "1234",
"username": "admin"
}
I want to make a simple login/register/logout with sessions, not cookies.
A session is less important with a Couch app because the whole application runs in the client (browser). CouchDB only does the following:
Authentication (user can connect with a password, or get a cookie to identify later)
Authorization (CouchDB will allow or disallow reading or writing data, depending on the user's name and roles, and the database _security object and validate_doc_update functions.
You can change the default database for user accounts (instead of _users) however you must always have a users database. You can set the _security of the database so that anonymous users cannot access it. (However new users cannot easily sign-up, so it is a trade-off.)
Jan has an excellent post about CouchDB security.

Resources