Defining an Express-PouchDB middleware for enforcing ACLs
This document defines a set of behaviors for an Express middleware designed to enforce ACLs in PouchDB. This middleware tries to make relatively few assumptions about how the underlying ACL layer it is asked to enforce actually works. Instead the middleware is intended to take callbacks from the programmer using it and it is in those callbacks that actual ACL decisions will be made. The middleware’s job then is to make it as easy as possible to enforce those decisions in a secure manner for Express-PouchDB.
We do however make some very specific assumptions about how the ACL layer built on top of this middleware works. We assume that:
- The ACL engine will need to make ACL decisions at the granularity of a document (and its related attachments)
- The ACL engine will explicitly ban all admin REST endpoints (defined in detail later) as “all or nothing”, that is, either one is an admin or one is not
- Can we build middleware that lets us see requests before PouchDB and see responses after PouchDB?
- Can we set things up with Express-PouchDB so that we can parse the JSON ourselves and pass in our own (modified) request bodies and query lines without having to serialize them back out and requiring Express-PouchDB to do double parsing.
Although it is guaranteed to cause incredible annoyance the only safe way to deal with requests and responses from PouchDB is via a fail safe mechanism whereby if any request or response element is not recognized then the request/response MUST fail. This means that if Express-PouchDB adds some new route that the ACL middleware doesn’t know about or if Express-PouchDB adds new fields or arguments in existing routes, we will have to fail requests that leverage that new capability. Same thing for new fields in responses. :(
The following is all the middleware I found Express-PouchDB installing. I explore each one below to see which we should keep, which we should remove and for those we are keeping, what implications they have for Thali.
This is actually a set of useful functions that set up the infrastructure that Express-PouchDB uses to handle parsing requests.
This sets up PouchDB’s logging infrastructure and isn’t directly used to handle requests.
This loads the npm compression package which adds deflate and gzip support. Its functionality should be invisible to us. It shouldn’t even effect our eventual quota management since the compression is a transport artifact, it only reduces the size of the data on the wire, not in storage.
This puts in support for the npm package pouchdb-size which figures out the size of the underlying DB across various back ends like leveldown. In theory we shouldn’t leak the size of the DB to unauthorized callers but such a leak wouldn’t actually happen in this plugin. It would be a side effect of calling one of the administrative interfaces. So we should leave this plugin alone but we need to be on the lookout for where it actually gets used.
replicator - REMOVE
I believe this primarily installs the npm pouchdb-replicator. The files for this plugin live here. This is used to power the _replicate endpoint. In general we shouldn’t support that endpoint since we manage replication ourselves at the Thali level. So I think we should remove this route all together.
This is middleware that logs the method, path and ip on requests and ip, method, path and status code on responses. Logging this data in a privacy sensitive app like Thali worries me in general.
routes/authentication - REMOVE
This is middleware intended to provide cookie and basic based authentication sessions based on CouchDB’s authentication mechanisms. See here for details. We use a TLS based authentication mechanism that is a full layer below this one. So most likely we should just yank this middleware all together.
routes/special-test-auth - REMOVE
This is used during testing to slip in pre-configured name/passwords. It’s not appropriate for us and should be removed.
This is middleware that protects certain sensitive REST endpoints by validating that the caller is in the “_admin” role. I hope we can leverage this to put callers into the _admin role and then let this middleware handle the details.
routes/vhosts - REMOVE
This installs pouchdb-vhost which is a NPM that implements the CouchDB Virtual Hosts config functionality. We will not be using virtual hosts in Thali so we should remove this.
routes/rewrite - REMOVE
This installs pouchdb-rewrite which is intended to emulate the CouchDB rewrite functionality in PouchDB. This is part of the _design doc functionality. My own feeling is that this is way too easy to cause serious pain and suffering in Thali land. So my strong inclination is to remove it.
There is now a couchConfig file where much of the functionality of PouchDB can be configured. We need to review it to see if there are things in there that could be a security issue.
Our immediate thinking is that we will block all APIs from non-admin users that are not immediately needed by PouchDB’s pull replication functionality. So we need to walk through the replicator and understand what REST endpoints it is using.