My very simple to-do app will use PouchDb on the client side and CouchDB on the server side. Each entry will be first saved locally in PouchDB which will then replicate with the server side CouchDB. Each user of the app will have their own client database on their device, with their own cloud database as well, all with their own authentication.
This post (Architecture of an app when using CouchDB/PouchDB) is quite helpful, but I am still struggling with what steps I need to take to ensure, at least as much as possible, that the input from the user isn't harmful.
I may be making more of this than is really there as it is likely that any bad actor will only destroy their own data (and who cares at that point?), but I would still like to know how to sanitize the user inputted data for a noSQL database. Again, the post I cite above has some great starting information, but I still can't find anything that gives tips on what to watch for, what characters to escape etc.
From my limited experience with SQL, it made sense that you had to watch for someone trying to insert HTML or some javascript, but I don't know what sequences of data might somehow be harmful to CouchDB. One article I read suggested that one should:
- avoid creating 'ad-hoc' JS commands by concatenating script with user input
- validate user input used in server-side JS commands with regular expressions (great idea...but how?)
- avoid eval. use json.parse
CouchDb has a validation hook in each database that you can use to check or prevent updates to a document. There is information in the official docs about this. It is a design document with a function called validate_doc_update written in Javascript and gives you the original and revised document context so that you can "return" or "throw" depending on what the change to the document is.