Hi, I'm working on an app that I need to write player account support for. I've created "profiles" and "high-scores" databases on Cloudant and I'm planning to use the HTTP API to work with the database from my code. I've generated an API key for the database with the permissions I'll need the program to have. I'm going to create a document for each user profile. How should I handle users? If I just had a username and password field stored in the database then it wouldn't be secure since the password would be sent along with the HTTP request. Is there a way to run code on the server? Like a script that will only return the profile's data if the password sent to it matches the user's password? Obviously I would use HTTPs instead of HTTP when sending the data.

EDIT
I found out I can create accounts through the HTTP API should I have the "everyone else" permissions set to allow read and write so that I just use the HTTP API to log the user in and start accessing files? Or are users of the database meant to be something else? If I understand correctly accounts can only be created by admins, so then I would use the API key that I generated to create accounts and upload high scores.

Hi, I'm working on an app that I need to write player account support for. I've created "profiles" and "high-scores" databases on Cloudant and I'm planning to use the HTTP API to work with the database from my code. I've generated an API key for the database with the permissions I'll need the program to have. I'm going to create a document for each user profile. How should I handle users? If I just had a username and password field stored in the database then it wouldn't be secure since the password would be sent along with the HTTP request. Is there a way to run code on the server? Like a script that will only return the profile's data if the password sent to it matches the user's password? Obviously I would use HTTPs instead of HTTP when sending the data.