
This is the first time I've used MongoDB seriously, and I have a question about best practices when it comes to access.

Say you have a typical MongoDB/Flask application. The users use the browser (via some frontend, e.g. React) to access the Flask API, and thus the MongoDB database.

Users obviously authenticate to the Flask server. However, the Flask server runs under its own user and accesses MongoDB with its own unique authentication details. In other words, the Flask server generally has full access to the MongoDB collections, and the authentication and authorization (e.g. deciding whether user A can edit the content of a given collection, or whether user B can read the content at all) are handled by Flask.

The consequence of this method is that, of course, if you accidentally make a programming mistake in the Flask application, you can give full access to users who were not meant to have it.

I suspect this is the way it's normally done, but I was wondering if and how it would be possible, with the same design (Mongo + Flask), to have the authentication also performed by the MongoDB connection, to ensure that, even with a mistake in the auth code of the Flask app, the database would simply reject the attempt.

Do you have more details about this and related practices? All the code I've seen uses the first approach, and I would be OK with it, but I want to know more.

asked Apr 21, 2022 at 12:59

1 Answer


You can create a user to access specific databases with specific permissions and use it with Flask:

https://www.mongodb.com/docs/v5.0/tutorial/create-users/

answered May 11, 2022 at 11:13
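The following is an added example, not code from the question or the answer above, showing one way to apply the answer's suggestion to the question's Mongo + Flask design: instead of a single all-powerful database login, create one custom role per capability (read-only and read/write) scoped to a single collection, bind one MongoDB user to each, and have the Flask read endpoints connect only with the read-only login. A bug in the Flask authorization code that lets the wrong end user into a read endpoint then still cannot turn into a write, because the server rejects it with `Unauthorized` (error code 13). The database name `appdb`, the collection `articles`, the user names `api_reader` and `api_editor`, the environment variable names, and the use of pymongo as the driver are all assumptions for the example; the `createRole`/`createUser` command shapes and the `authSource` option are MongoDB's own.

```python
"""
Added example: capability-scoped MongoDB logins for a Flask API.
Assumed names (not from the original post): database "appdb", collection
"articles", users "api_reader" / "api_editor", env vars MONGODB_ADMIN_URI,
MONGODB_HOST, READER_PWD, EDITOR_PWD. Driver: pymongo (imported lazily so the
pure helpers below work without it installed).
"""
import os
from urllib.parse import quote_plus

DB_NAME = "appdb"        # assumed database name
COLLECTION = "articles"  # assumed collection name

# Privilege actions that can modify data or schema; a "reader" role must
# grant none of these. (Subset of MongoDB's built-in action names.)
MODIFYING_ACTIONS = {"insert", "update", "remove", "createCollection",
                     "dropCollection", "dropDatabase", "createIndex", "dropIndex"}


def role_commands(db_name: str, collection: str) -> list[dict]:
    """createRole documents: one read-only, one read/write, both limited to a
    single collection. Run each with client[db_name].command(doc)."""
    ns = {"db": db_name, "collection": collection}
    return [
        {"createRole": f"{collection}_reader",
         "privileges": [{"resource": ns, "actions": ["find"]}],
         "roles": []},
        {"createRole": f"{collection}_editor",
         "privileges": [{"resource": ns,
                         "actions": ["find", "insert", "update", "remove"]}],
         "roles": []},
    ]


def user_commands(db_name: str, collection: str,
                  reader_pwd: str, editor_pwd: str) -> list[dict]:
    """createUser documents binding one login to each role. The users live in
    db_name, so that database is also their authSource when connecting."""
    return [
        {"createUser": "api_reader", "pwd": reader_pwd,
         "roles": [{"role": f"{collection}_reader", "db": db_name}]},
        {"createUser": "api_editor", "pwd": editor_pwd,
         "roles": [{"role": f"{collection}_editor", "db": db_name}]},
    ]


def write_actions(role_doc: dict) -> set:
    """Modifying actions granted by a createRole document; use this as a unit
    test over your role definitions so a reader role cannot drift into writes."""
    granted = set()
    for priv in role_doc["privileges"]:
        granted.update(priv["actions"])
    return granted & MODIFYING_ACTIONS


def connection_uri(user: str, pwd: str, host: str, db_name: str) -> str:
    """Connection string for one login. authSource must be the database the
    user was created in; omitting it makes the driver authenticate against
    'admin' and fail. Credentials are percent-encoded for the URI."""
    return (f"mongodb://{quote_plus(user)}:{quote_plus(pwd)}@{host}/"
            f"{db_name}?authSource={db_name}")


def client_for(method: str, uris: dict) -> str:
    """Pick the login for a Flask request: only mutating HTTP methods ever
    touch the editor credentials, so GET handlers hold no write capability."""
    return uris["editor"] if method in ("POST", "PUT", "PATCH", "DELETE") else uris["reader"]


def apply_access_control(admin_uri: str, reader_pwd: str, editor_pwd: str) -> None:
    """Create roles and users with an administrative login (userAdmin on DB_NAME)."""
    from pymongo import MongoClient  # assumed driver; imported only when connecting
    db = MongoClient(admin_uri)[DB_NAME]
    for doc in role_commands(DB_NAME, COLLECTION) + \
            user_commands(DB_NAME, COLLECTION, reader_pwd, editor_pwd):
        db.command(doc)


def write_is_rejected(reader_uri: str) -> bool:
    """True if the server refuses an insert through the read-only login, i.e.
    raises OperationFailure with code 13 (Unauthorized). This is the check that
    the question asks for: the database, not Flask, blocks the write."""
    from pymongo import MongoClient
    from pymongo.errors import OperationFailure
    coll = MongoClient(reader_uri)[DB_NAME][COLLECTION]
    try:
        coll.insert_one({"probe": True})
    except OperationFailure as exc:
        return exc.code == 13
    return False


if __name__ == "__main__":
    # Provisioning and live check; runs only against a real server.
    host = os.environ.get("MONGODB_HOST", "localhost:27017")
    reader_pwd, editor_pwd = os.environ["READER_PWD"], os.environ["EDITOR_PWD"]
    apply_access_control(os.environ["MONGODB_ADMIN_URI"], reader_pwd, editor_pwd)
    uris = {"reader": connection_uri("api_reader", reader_pwd, host, DB_NAME),
            "editor": connection_uri("api_editor", editor_pwd, host, DB_NAME)}
    print("read-only login rejects writes:", write_is_rejected(uris["reader"]))
```

In the Flask app, keep two `MongoClient` instances (one per URI) and route each handler to the one `client_for` returns; the application-level check of which end user may do what still belongs in Flask, since MongoDB only sees the two service logins, but the blast radius of a mistake in a read handler is now bounded by what `api_reader` is allowed to do.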
