couchdb-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rnew...@apache.org
Subject [03/11] couch commit: updated refs/heads/master to 7ab7995
Date Wed, 21 May 2014 16:53:18 GMT
Upgrade password hashes on authentication

We now upgrade user docs to the new PBKDF2 password scheme on successful
authentication if the password hash is still from the old days where we
only used plain SHA-1 for hashing salted passwords.

Closes COUCHDB-1780.


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/69f881d2
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/69f881d2
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/69f881d2

Branch: refs/heads/master
Commit: 69f881d2f216d042186030eeac5f6e280c746c3d
Parents: b805a02
Author: Klaus Trainer <klaus_trainer@posteo.de>
Authored: Wed Feb 19 23:17:02 2014 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Wed May 21 14:58:02 2014 +0100

----------------------------------------------------------------------
 src/couch_httpd_auth.erl | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/69f881d2/src/couch_httpd_auth.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_auth.erl b/src/couch_httpd_auth.erl
index c982167..e10ac25 100644
--- a/src/couch_httpd_auth.erl
+++ b/src/couch_httpd_auth.erl
@@ -68,11 +68,14 @@ default_authentication_handler(Req) ->
             nil ->
                 throw({unauthorized, <<"Name or password is incorrect.">>});
             UserProps ->
-                case authenticate(?l2b(Pass), UserProps) of
+                UserName = ?l2b(User),
+                Password = ?l2b(Pass),
+                case authenticate(Password, UserProps) of
                     true ->
+                        UserProps2 = maybe_upgrade_password_hash(UserName, Password, UserProps),
                         Req#httpd{user_ctx=#user_ctx{
-                            name=?l2b(User),
-                            roles=couch_util:get_value(<<"roles">>, UserProps,
[])
+                            name=UserName,
+                            roles=couch_util:get_value(<<"roles">>, UserProps2,
[])
                         }};
                     _Else ->
                         throw({unauthorized, <<"Name or password is incorrect.">>})
@@ -263,15 +266,16 @@ handle_session_req(#httpd{method='POST', mochi_req=MochiReq}=Req) ->
     UserName = ?l2b(couch_util:get_value("name", Form, "")),
     Password = ?l2b(couch_util:get_value("password", Form, "")),
     ?LOG_DEBUG("Attempt Login: ~s",[UserName]),
-    User = case couch_auth_cache:get_user_creds(UserName) of
+    UserProps = case couch_auth_cache:get_user_creds(UserName) of
         nil -> [];
         Result -> Result
     end,
-    UserSalt = couch_util:get_value(<<"salt">>, User, <<>>),
-    case authenticate(Password, User) of
+    case authenticate(Password, UserProps) of
         true ->
+            UserProps2 = maybe_upgrade_password_hash(UserName, Password, UserProps),
             % setup the session cookie
             Secret = ?l2b(ensure_cookie_auth_secret()),
+            UserSalt = couch_util:get_value(<<"salt">>, UserProps2),
             CurrentTime = make_cookie_time(),
             Cookie = cookie_auth_cookie(Req, ?b2l(UserName), <<Secret/binary, UserSalt/binary>>,
CurrentTime),
             % TODO document the "next" feature in Futon
@@ -284,8 +288,8 @@ handle_session_req(#httpd{method='POST', mochi_req=MochiReq}=Req) ->
             send_json(Req#httpd{req_body=ReqBody}, Code, Headers,
                 {[
                     {ok, true},
-                    {name, couch_util:get_value(<<"name">>, User, null)},
-                    {roles, couch_util:get_value(<<"roles">>, User, [])}
+                    {name, couch_util:get_value(<<"name">>, UserProps2, null)},
+                    {roles, couch_util:get_value(<<"roles">>, UserProps2, [])}
                 ]});
         _Else ->
             % clear the session
@@ -340,6 +344,21 @@ maybe_value(_Key, undefined, _Fun) -> [];
 maybe_value(Key, Else, Fun) ->
     [{Key, Fun(Else)}].
 
+maybe_upgrade_password_hash(UserName, Password, UserProps) ->
+    case couch_util:get_value(<<"password_scheme">>, UserProps, <<"simple">>)
of
+    <<"simple">> ->
+        DbName = ?l2b(config:get("couch_httpd_auth", "authentication_db", "_users")),
+        couch_util:with_db(DbName, fun(UserDb) ->
+            UserProps2 = proplists:delete(<<"password_sha">>, UserProps),
+            UserProps3 = [{<<"password">>, Password} | UserProps2],
+            NewUserDoc = couch_doc:from_json_obj({UserProps3}),
+            {ok, _NewRev} = couch_db:update_doc(UserDb, NewUserDoc, []),
+            couch_auth_cache:get_user_creds(UserName)
+        end);
+    _ ->
+        UserProps
+    end.
+
 authenticate(Pass, UserProps) ->
     UserSalt = couch_util:get_value(<<"salt">>, UserProps, <<>>),
     {PasswordHash, ExpectedHash} =


Mime
View raw message