This is almost certainly a stupid question, but I want to be safe and so I think its always worth double-checking.
As long as I have proper authentication (in my case cookie-based on a 1 database to 1 user basis), then is there any risk in exposing full document contents (i.e. including _id and _rev) in every single GET/PUT relating that document?
By this I mean, is there any conceivable way that providing the whole document, rather than just it’s core data could result in updates being more easily tampered with?
The only way around exposing the _rev to the client, would be to do a HEAD request [server-side] before each PUT in order to get the latest revision number – which seems like madness!
There is no way that providing the whole document could result in updates being more easily tampered with.
If you are using per-database security, then you have a perfect foundation.
The primary policy that enforces read security is the
_securityobject. The primary policy that enforces write security is thevalidate_doc_updatefunction.So I think the _id and _rev will not factor into a security assessment of your application.