couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Davies <>
Subject Re: Baking Cookie-Based Authentication into CouchDB
Date Mon, 04 May 2009 22:31:17 GMT
On 29 Apr 2009, at 17:29, Jason Davies wrote:

> I'm in the finishing stages of writing a cookie-based authentication  
> handler for CouchDB in Erlang.  This is primarily going to be useful  
> for CouchApps (apps running purely in CouchDB), but this also  
> touches on a generic way to authenticate users via a CouchDB  
> database, which could be adopted by the current default HTTP Basic  
> auth handler.
> I've put the code up here:


> Still to do:
> - Use some kind of challenge/response mechanism for logging in via  
> AJAX.  At the moment the login handler just takes a plaintext  
> username/password combination sent via POST.  I was thinking of  
> using SRP ( 
> ), however I believe this would require state to be stored on the  
> server, and maybe isn't appropriate for this.

I've now implemented SRP auth and it is working merrily.  I'm in  
discussions with SRP's inventor, Tom Wu, about a potentially simpler  
protocol as SRP implemented in JavaScript is probably overkill for  
unencrypted HTTP (it is vulnerable to MITM injection attacks of the  
JavaScript code itself, whereas SRP would otherwise protect against  
active attacks).  It might be worth supporting a simpler protocol sent  
over SSL too e.g. plaintext credentials.

Any suggestions for a more appropriate authentication protocol would  
be much appreciated.

> - Store hashes of passwords in the database.  We can already do  
> this, but we might want to send something like hash(password 
> +password_salt) to the server, which would involve retrieving the  
> appropriate password_salt for a given user first.

Done.  In SRP, a special non-plaintext-equivalent "verifier" is stored  
in the database along with a salt.

> - At the moment the cookie is set for Path=/ - this probably needs  
> to be set to Path=/current_database by default, and be configurable  
> so that it can be used by a proxy.
> - I need to work on making my tests more exhaustive, they're pretty  
> minimal for the moment.

These still need working on.

> - All this auth stuff should probably go into its own module,  
> couch_httpd_auth or similar.

Also done.

Jason Davies

View raw message