使用 Electron 注册 PouchDB/CouchDB/ 的用户

Question

I am building an Electron desktop app, and one of the first things I want to tackle is user creation to interact with the db. The idea is they log in and then they are able to see their own user information within the app. To my understanding, I can make this happen in pouchDB and that will ultimately sync with a remote CouchDB server.

I am stuck on user creation (I haven't even begun to tackle user sessions yet). I have created an html form with Electron that takes an email, username, and a password. I plan to use PouchDB to store information locally and eventually sync with a CouchDB server. I haven't written any JS yet to handle the form submission. When they click "Sign Up", I want that user to be created.

I get confused because there is a _users database in CouchDB that I understand stores user's sensitive information (like a password).

My Question: When a user submits the aforementioned form, do I create a db in PouchDB called _users? And eventually when I sync it with CouchDB will it know automatically what information to store in users?

Answer 1

You should use PouchDB only in case it must be possible to also work offline with your application. Otherwise it makes the code unnecessary more complex, but does not bring any real benefits in your case. Simply access CouchDB directly through its HTTP API.

CouchDB distinguishes between two types of users

1. admin users are stored in the [admins] section of the configuration file $COUCHDB_HOME/etc/local.ini. When setting up your CouchDB, you're requested to define a first admin user. Additional admin users may be created later on (see Creating New Admin User ).
2. regular users are stored in the authentication database , named _users . User documents contain system information like login, password hash and roles but may also contain personal information like real name, email, phone etc. Creating a new regular user is trivial (see Creating New User ).

Answer 2

If the CouchDB is going to be on the Internet (rather than on an Intranet, with only trusted users having access), then I would consider a server-side process to handle sign-ups. That server-side process is the only one that needs to know an admin user/password that allows it to add users to the couchDB _users table (as described in the answer by uminder ).

Ie write user signup as a normal website, and in the electron app just access that as a web page.

You can have the Electron app construct and send a specially signed cookie that would stop non-app users accessing that page.

Restricting by that cookie should give you good control against abuse. But by having a webserver process you still have all the options to add an email confirmation step, restrict by IP address, rate limit, etc. (or even, if really desperate, add Cursed Captcha to the form).

The other advantage of this approach is that you don't need to hard-code your CouchDB admin username/password in the Electron app.