©2015 Couchbase Inc. 1

Couchbase Mobile 102:

Sync GatewayWilliam Hoang | Mobile Developer Advocate |

@sweetiewill

Couchbase Lite

3

Sync Gateway Couchbase ServerCouchbase Lite

Couchbase Peer to Peer …will be introduced in Couchbase Mobile 103

Intro to Couchbase Sync Gateway

©2015 Couchbase Inc. 6

Features: Introduction to Sync Gateway

Key Mobile Data Security Concerns

Security Solutions with Sync Gateway

LIVE Demo

Overview:

How to Add Secure Sync to Mobile Apps

Couchbase Lite Sync Gateway

Replication

Authentication

Data Partitioning

Data Access Control

©2015 Couchbase Inc. 8

Key Mobile Data Security Concerns

User Authentication

Data Read & Write Access

Data Transport on the Wire

Data Storage on Device & In the Cloud

©2015 Couchbase Inc. 9

Key Mobile Data Security Concerns

User Authentication

Data Read & Write Access

Data Transport on the Wire

Data Storage on Device & In the Cloud

©2015 Couchbase Inc. 10

Authentication - Pluggable

Public Providers

Custom Providers

Anonymous Users

©2015 Couchbase Inc. 11

Authentication – Public Providers

Basic Auth

Persona

©2015 Couchbase Inc. 12

Authentication:

Public Provider-Facebook

{

"facebook" : { "register" : false },

"databases": {

"grocery-sync": {

“server”:”http://cbserver:8091”,

“bucket":"grocery-sync",

"users": {"GUEST": {"disabled": true}},

"sync":`function(doc)

{channel(doc.channels);}`

}

}

}

©2015 Couchbase Inc. 13

Authentication:

Custom Provider[1]:-Authentication

[2]:-Valid user Session

[3]:-App to Sync Gateway

©2015 Couchbase Inc. 14

Key Mobile Data Security Concerns

User Authentication

Data Read & Write Access

Data Transport on the Wire

Data Storage on Device & In the Cloud

Couchbase Lite Sync Gateway

Security Policies

Document Level Read Side Permissions

Field Level Write Side Permissions

JavaScript Policy Enforcement

{ … sync func. .. }

©2015 Couchbase Inc. 16

Data Access:

Sync Function-config file

{ "databases": { "grocery-sync": { “server”:"http://walrus:", “bucket":"grocery-sync", "users": {"GUEST": {"disabled": true}},

“sync”:`function(doc,oldDoc) { channel(doc.channels); }`

}

}

}

©2015 Couchbase Inc. 17

Data Access:

Sync Function-Write Permissions { …

o requireUser (username)o requireRole (rolename)o requireAccess (channels)o throw()

… }

©2015 Couchbase Inc. 18

Data Access:

Sync Function-Read Permissions• channel(…)

For documents

• access(…)For users

-Special Channels• *• !

©2015 Couchbase Inc. 19

Couchbase Lite Sync Gateway Couchbase Server

©2015 Couchbase Inc. 20

Grocery Sync App Summary

©2015 Couchbase Inc. 21

Grocery Sync App Summary

©2015 Couchbase Inc. 22

Grocery Sync App Summary

©2015 Couchbase Inc. 23

{

"log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": { "GUEST": {

"disabled": false,

“admin_channels” : [“*”] }

}

}

}

}

Sync Gateway:

Configure-O-Default-All Channels

©2015 Couchbase Inc. 24

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“*”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“*”] }

}

}

}

Sync Gateway:

Configure-1-Create Users-Remove Guest

©2015 Couchbase Inc. 25

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“*”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“*”] }

},

“sync” : ‘

function(doc, oldDoc) {

//Add placeholder sync function, add custom read/write

logic here }

‘ }

}

}

Sync Gateway:

Configure-2-Sync Function-Owner Field

©2015 Couchbase Inc. 26

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) {

//Add placeholder sync function, add custom read/write

logic here }

‘ }

}

}

Sync Gateway:

Configure-3-Private Channel-Remove *

©2015 Couchbase Inc. 27

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) {

channel(“items-”+doc.owner); }

//Add item document to owner’s items channel

‘ }

}

}

Sync Gateway:

Configure-4-Document to Channel

-Programmatic Access

©2015 Couchbase Inc. 28

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) {

requireUser(doc.owner); //The owner of the item document must

be the authenticated user

channel(“items-”+doc.owner); } ‘

}

}

}

Sync Gateway:

Configure-5-requireUser-owner property

©2015 Couchbase Inc. 29

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) {

if (doc.type == “friends”) { //process new friends

document

requireUser(doc.owner); //The owner of the friends

access(doc.friends, “items-”+doc.owner);

channel(“private-”+doc.owner);

access(doc.owner, “private-”+doc.owner)

} else {

requireUser(doc.owner)

channel(“items-”+doc.owner); }

} ‘ }

}

Sync Gateway:

Configure-6-Document Type-Authentication

©2015 Couchbase Inc. 30

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) { if (doc.type == “friends”) { //process new friends document

requireUser(doc.owner); //The owner of the friends

access(doc.friends, “items-”+doc.owner);

channel(“private-”+doc.owner);

access(doc.owner, “private-”+doc.owner);

} else if (doc.type == “item”) {

requireUser(doc.owner)

channel(“items-”+doc.owner); }

else{ throw({forbidden: “Invalid document

type”}); }

} ‘ }

}

Sync Gateway:

Configure-7-throw()-Other Doc Types

©2015 Couchbase Inc. 31

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) { if (doc.type == “friends”) { //process new friends document

requireUser(doc.owner); //The owner of the friends

access(doc.friends, “items-”+doc.owner);

channel(“private-”+doc.owner);

access(doc.owner, “private-”+doc.owner);

} else if (doc.type == “item”) {

requireAccess(“items-”+doc.owner)

channel(“items-”+doc.owner); }

else{ throw({forbidden: “Invalid document

type”}); }

} ‘ }

}

Sync Gateway:

Configure-8-requireAccess-friends

©2015 Couchbase Inc. 32

{

”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) { if (doc.type == “friends”) { //process new friends document

requireUser(doc.owner); //The owner of the friends

access(doc.friends, “items-”+doc.owner);

channel(“private-”+doc.owner);

access(doc.owner, “private-”+doc.owner);

} else if (doc.type == “item”) {

requireAccess(“items-”+doc.owner)

if (oldDoc == null) {

if (doc.check == true) { throw( {forbidden: “new items

cannot be checked”}); }

}

channel(“items-”+doc.owner); }

else { throw( {forbidden: “Invalid document type”}); }

} ‘

}

}

Sync Gateway:

Configure-9-oldDoc-doc.check

©2015 Couchbase Inc. 33

{ ”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) { if (doc.type == “friends”) { //process new friends document

requireUser(doc.owner); //The owner of the friends

access(doc.friends, “items-”+doc.owner);

channel(“private-”+doc.owner);

access(doc.owner, “private-”+doc.owner);

} else if (doc.type == “item”) {

requireAccess(“items-”+doc.owner)

if (oldDoc == null) {

if (doc.check == true) { throw( {forbidden: “new items

cannot be checked”}); }

else {

if (doc.check != oldDoc.check)

{ requireUser(doc.owner); }

}

}

channel(“items-”+doc.owner); }

else { throw( {forbidden: “Invalid document type”}); }

} ‘

}

}

Sync Gateway:

Configure-10-doc vs oldDoc-requireUser

©2015 Couchbase Inc. 34

{ ”log" : [“*”],

"databases": {

"grocery-sync": {

“server”:”walrus:”,

“bucket":"grocery-sync",

"users": {

“alice”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-alice”] },

“bob”: {

“disabled” : false,

“password”: “password”,

“admin_channels”:[“items-bob”] }

},

“sync” : ‘

function(doc, oldDoc) { if (doc.type == “friends”) { //process new friends document

requireUser(doc.owner); //The owner of the friends

access(doc.friends, “items-”+doc.owner);

channel(“private-”+doc.owner);

access(doc.owner, “private-”+doc.owner);

} else if (doc.type == “item”) {

requireAccess(“items-”+doc.owner)

if (oldDoc == null) {

if (doc.check == true) { throw( {forbidden: “new items

cannot be checked”}); }

else {

if (doc.owner != oldDoc.owner) { throw({forbidden:

“Quits Stealing Items”}); }

if (doc.check != oldDoc.check)

{ requireUser(doc.owner); }

}

}

channel(“items-”+doc.owner); }

else { throw( {forbidden: “Invalid document type”}); }

} ‘

}

}

Sync Gateway:

Configure-11-doc vs oldDoc-Owner Property

©2015 Couchbase Inc. 35

User Authentication

Data Read & Write Access

Data Transport on the Wire

Data Storage on Device & In the Cloud

Key Mobile Data Security Concerns

©2015 Couchbase Inc. 36

Security Concerns:

Data Transport-On the Wire

SSL / TLS

Sync Gateway Config

©2015 Couchbase Inc. 37

Key Mobile Data Security Concerns

User Authentication

Data Read & Write Access

Data Transport on the Wire

Data Storage on Device & In the Cloud

©2015 Couchbase Inc. 38

Security Concerns:

Data Storage-On Device-In Cloud

File System Encryption

Secure Cloud Environment

Configure for File System Encryption

©2015 Couchbase Inc. 39

Getting Started

Documentations on Sync Gateway: bit.ly/sync_gateway

Grocery-Sync-iOS: https://github.com/couchbaselabs/

Grocery-Sync-iOS

Sync Gateway Demo:https://github.com/couchbaselabs/

Downloadbit.ly/couchbase_downloads

Sync Gateway

©2015 Couchbase Inc. 40

Couchbase Peer to Peer – 103 Session

Thank you.@sweetiewill