I became interested in CouchDB recently and wanted to try and form a small application around it.
The way I envision my system currently is that requests come providing two things, an ID, an API Key and a format. The ID is the _id of a document in the database, the API Key is a _id of another document that has a property of {"valid": true/false}, and the format is the format they want back. If the API Key is valid, the system would generate the show page for the ID given, in the format requested. Otherwise it would return a 403 status code.
Unfortunately I can’t find a way to pull up another document from a show page. I am just beginning CouchDB, so maybe there is something simple here I’m missing.
With a _show function, there are three parts involved: For the URL format /db/_design/ddoc/_show/my_show_func/otherdoc:

- _design/ddoc
- shows.my_show_func within that design document
- _id of otherdoc

Those are the only two documents involved. The only way I can think to do what you describe is have a design doc per API key. The user would query /db/_design/API_KEY/_show/other_doc_id. CouchDB is relaxed. There is nothing wrong with thousands of design docs with identical or similar _show functions. You could use the HTTP COPY method to clone a base design doc to a new API key as needed. Then you could revoke an API key by deleting the design doc. However that is obviously a unique approach, worth a second thought.

A final consideration is (with the default CouchDB, no reverse proxies, mod_security, etc.) if a user can read one document, they can read the entire database (e.g. from the _all_docs query). Therefore show functions are a convenience for the software but not a security gateway.
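Since the answer's last point is that a show function cannot act as the gateway, the API key check from the question has to sit in a layer in front of CouchDB. The sketch below is an added example, not code from the question or the answer; it assumes CouchDB listens only on loopback, that the format is passed as a `format` query parameter, and the names `COUCH`, `FORMATS`, `couch_get`, `safe_id` and `handle` are hypothetical.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

COUCH = "http://127.0.0.1:5984"                # assumed: CouchDB reachable only from this host
SHOW = "/db/_design/ddoc/_show/my_show_func/"  # URL shape used in the answer
FORMATS = {"json", "html", "xml"}              # assumed allow-list of output formats


def couch_get(path):
    """Fetch one path from CouchDB; return (status, body_text)."""
    try:
        with urllib.request.urlopen(COUCH + path, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def safe_id(value):
    """Reject empty ids, dot segments and special names (_all_docs, _design/...)."""
    return (isinstance(value, str) and value not in ("", ".", "..")
            and not value.startswith("_"))


def handle(doc_id, api_key, fmt, fetch=couch_get):
    """Gateway logic for one client request; returns (status, body)."""
    if not (safe_id(doc_id) and safe_id(api_key)) or fmt not in FORMATS:
        return 400, "bad request"
    # Look up the API key document; quote(..., safe="") keeps "/" out of the path.
    status, body = fetch("/db/" + quote(api_key, safe=""))
    if status != 200:
        return 403, "forbidden"
    try:
        key_doc = json.loads(body)
    except ValueError:
        return 403, "forbidden"
    # Only a literal JSON true counts; missing, false or "true" are all rejected.
    if not isinstance(key_doc, dict) or key_doc.get("valid") is not True:
        return 403, "forbidden"
    # Key is valid: the fixed _show path is the only thing requested for the client.
    status, body = fetch(SHOW + quote(doc_id, safe="") + "?format=" + fmt)
    return (200, body) if status == 200 else (404, "not found")
```

The check only holds while clients cannot reach CouchDB directly, because a direct `_all_docs` request bypasses it.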