pouchdb-dac
Distributed access control for PouchDB
Strategy
--write access is hanlded by restricting writes into the DB. Override 'put' in database so that only documents that are "correctly signed" can be written. "Correctly" implies that if an existing document has an attribute ACU_OWNER (indicating ownership), then any overwrites of that document require signing by some owner listed in that attribute.
--read access is handled by encryption. Sensitive attributes of the document are (optionally) symetrically encrypted, and a key is stored for each potential reader asymetrically encrypted with their public key. During decrypt, each secret key in the user's possession is checked to see if it can decrypt a key that can be used to decrypt the document.
Encryption and signing is provided by another module. See 'pouch-dac-nacl' for an example.
npm install pouchdb-dac pouchdb-dac-nacl --save
Use:
var PouchDB = ; var pouchDAC = ; var pouchNaCl = ; var db = "test"; //install DAC into db instance with NaCl encryption pouchDAC; //create some credentials var one_cred = db; var other_cred = db; db; db; // (in practice this would be elsewhere and // they would be saved persistently) ; ; db