It makes sense to me that a single-page app hosted on the same domain as the backend and SG can get a cookie through custom authentication and use that to access the SG.
What’s puzzling me is how this is supposed to work when using a third-party authentication solution like Auth0, and authenticating from a mobile application.
I’m picturing two possibilities:
One would be almost the same as if I was doing custom authentication with a single-page app (and something like PouchDB); the app would authenticate with the backend, and if the backend gets a token back from Auth0, the backend would then find or create a user in the SG and the SG would then return a session_id. The backend would return that session_id and the app would then include it as a cookie in any request that it makes to the SG.
Alternatively, the password of the user in SG could be updated upon every authentication with a random string, and that string could be returned to the app; the app could then use that string as the password with HTTP Basic authentication every time it makes a request to the SG.
Does this make sense? It’s not clear to me whether or not something like Couchbase Lite could be made to work this way (use custom authentication with the app backend). Other Couchbase documentation is understandable to me, but there’s something about the mobile aspect that I’m not getting.
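
The first possibility described above, sketched as the backend step that runs after the Auth0 token has been verified; this is an added example, not part of the original post and not Couchbase's own code. It uses the Sync Gateway admin REST endpoints `/{db}/_user/` and `/{db}/_session`; the admin URL, the database name `appdb`, and the `sg_username` mapping are assumptions made for illustration.

```python
import hashlib
import json
import secrets
import urllib.error
import urllib.request

SG_ADMIN = "http://127.0.0.1:4985"  # assumption: admin port, reachable only by the backend
DB = "appdb"                         # assumption: hypothetical database name


def http_json(method, url, body=None):
    """Default transport: call the SG admin API, return (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, {}


def sg_username(idp_subject):
    """Hypothetical mapping: hash the IdP subject ("auth0|...") into a safe SG user name."""
    return "u_" + hashlib.sha256(idp_subject.encode()).hexdigest()[:32]


def issue_sg_session(idp_subject, ttl_seconds=86400, transport=http_json):
    """Call only after the backend has verified the Auth0 token and extracted its subject."""
    if not idp_subject:
        raise ValueError("missing verified subject")
    name = sg_username(idp_subject)
    status, _ = transport("GET", f"{SG_ADMIN}/{DB}/_user/{name}")
    if status == 404:
        # First login: create the user with a random password that never leaves the backend.
        status, _ = transport("POST", f"{SG_ADMIN}/{DB}/_user/",
                              {"name": name, "password": secrets.token_urlsafe(32)})
        if status != 201:
            raise RuntimeError(f"user creation failed: HTTP {status}")
    elif status != 200:
        raise RuntimeError(f"user lookup failed: HTTP {status}")
    status, session = transport("POST", f"{SG_ADMIN}/{DB}/_session",
                                {"name": name, "ttl": ttl_seconds})
    if status != 200 or "session_id" not in session:
        raise RuntimeError(f"session creation failed: HTTP {status}")
    # The app presents this to the public port as a "<cookie_name>=<session_id>" cookie.
    return {"cookie_name": session.get("cookie_name", "SyncGatewaySession"),
            "session_id": session["session_id"], "expires": session.get("expires")}
```

The `transport` parameter exists so the flow can be exercised against a stub; in a deployment the admin port stays off the public network and only the returned session values are handed to the mobile app.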