Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't use a database account with administrator access in live version of API #8

Open
species opened this issue Feb 12, 2016 · 1 comment
Open

Don't use a database account with administrator access in live version of API #8

species opened this issue Feb 12, 2016 · 1 comment
Labels
bug
Milestone
16MMM Witz

Comments

@species
Copy link
Contributor

species commented Feb 12, 2016

As database administrative rights are not needed during normal operation of the API, there should be a non-privileged user which credentials are stored in the running node application.

Maybe we should implement an "initialize" task which has to be run on the first time on installation of the application (admin user supplied via cmdline or ENV), which creates all the databases needed in couch.

So that if the API is compromised from outside, it at least has no administrative access to the DB.
@species species added the bug label Feb 12, 2016
@species
Copy link
Contributor Author

species commented Feb 12, 2016

The initialize process may create a non-priviledged user in this process and automatically add its (random-generated) password to config/local.js

@almereyda almereyda added this to the 16MMM Witz milestone Feb 16, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
16MMM Witz
Development

No branches or pull requests
2 participants
@almereyda @species