Secure creating database endpoint

[harris]

Apology in advance if this is not the correct venue to ask this question.

I am creating a per user database and everything works perfectly but I am a little concerned about anyone can create a database on a remote server (attackers could potentially do "database squatting") . My ideal scenario is whenever a user creation (signup() is called), either I can check with a specific endpoint or signup could only be called from a specific domain. After that, everything should just work as it.

Thank you for this nifty plugin! It saved me a lot of work.

[rokgfx]

If I understand correctly, I faced a related issue. See my thread here if this helps:
#248

[harris]

@rokgfx that's not the same issue. I create db when there is no basic auth. I turned on the couch_peruser option to true. Every user "sign up" for a db will get one and I am worried that we will have some db names collision.

[tabeth]

@harris

Isn't the situation you pose a non-issue? Presumably the database name is some transformation (if not just the same) of the username? In other words, the database name "squatting" would be the same as username or email "squatting".

What you could do is just (on your server level) setup a white list so all connections from anything other than your application domain(s) are blocked. Of course this quickly turns into the same problem most companies have with detecting blocks.