couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Davies <ja...@jasondavies.com>
Subject Re: Baking Cookie-Based Authentication into CouchDB
Date Wed, 27 May 2009 11:05:46 GMT
Hi again,

On 4 May 2009, at 23:31, Jason Davies wrote:

> On 29 Apr 2009, at 17:29, Jason Davies wrote:
>
>> I'm in the finishing stages of writing a cookie-based  
>> authentication handler for CouchDB in Erlang.  This is primarily  
>> going to be useful for CouchApps (apps running purely in CouchDB),  
>> but this also touches on a generic way to authenticate users via a  
>> CouchDB database, which could be adopted by the current default  
>> HTTP Basic auth handler.
>>
>> I've put the code up here: http://github.com/jasondavies/couchdb/tree/master
>
> [snip]
>
>> Still to do:
>>
>> - Use some kind of challenge/response mechanism for logging in via  
>> AJAX.  At the moment the login handler just takes a plaintext  
>> username/password combination sent via POST.  I was thinking of  
>> using SRP (http://en.wikipedia.org/wiki/Secure_remote_password_protocol 
>> ), however I believe this would require state to be stored on the  
>> server, and maybe isn't appropriate for this.
>
> I've now implemented SRP auth and it is working merrily.  I'm in  
> discussions with SRP's inventor, Tom Wu, about a potentially simpler  
> protocol as SRP implemented in JavaScript is probably overkill for  
> unencrypted HTTP (it is vulnerable to MITM injection attacks of the  
> JavaScript code itself, whereas SRP would otherwise protect against  
> active attacks).  It might be worth supporting a simpler protocol  
> sent over SSL too e.g. plaintext credentials.
>
> Any suggestions for a more appropriate authentication protocol would  
> be much appreciated.


I've now ripped out the SRP code as it was a) too slow for modular  
exponentiation for n with greater than 256 bits and b) overkill due to  
the client code itself being sent over the wire thus losing SRP's  
resistance against active attacks.  A potential higher-performing  
replacement auth protocol is SCRAM but for now I've just implemented  
simple plain-text form-based auth, which works even for non-JavaScript  
clients.  For extra security simply add SSL.

I've now put the code into its own branch here: http://github.com/jasondavies/couchdb/tree/cookie-auth

A brief write-up here: http://www.jasondavies.com/blog/2009/05/27/secure-cookie-authentication-couchdb/

  along with some thoughts on SRP (which is truly awesome and I hope  
browsers all support TLS-SRP someday!).

A code review would be appreciated and then hopefully we can get this  
into trunk so that CouchApps can use cookie-based auth out-of-the-box.

Thanks,
--
Jason Davies

www.jasondavies.com

Mime
View raw message