couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Davies <>
Subject Re: Baking Cookie-Based Authentication into CouchDB
Date Wed, 27 May 2009 11:05:46 GMT
Hi again,

On 4 May 2009, at 23:31, Jason Davies wrote:

> On 29 Apr 2009, at 17:29, Jason Davies wrote:
>> I'm in the finishing stages of writing a cookie-based  
>> authentication handler for CouchDB in Erlang.  This is primarily  
>> going to be useful for CouchApps (apps running purely in CouchDB),  
>> but this also touches on a generic way to authenticate users via a  
>> CouchDB database, which could be adopted by the current default  
>> HTTP Basic auth handler.
>> I've put the code up here:
> [snip]
>> Still to do:
>> - Use some kind of challenge/response mechanism for logging in via  
>> AJAX.  At the moment the login handler just takes a plaintext  
>> username/password combination sent via POST.  I was thinking of  
>> using SRP ( 
>> ), however I believe this would require state to be stored on the  
>> server, and maybe isn't appropriate for this.
> I've now implemented SRP auth and it is working merrily.  I'm in  
> discussions with SRP's inventor, Tom Wu, about a potentially simpler  
> protocol as SRP implemented in JavaScript is probably overkill for  
> unencrypted HTTP (it is vulnerable to MITM injection attacks of the  
> JavaScript code itself, whereas SRP would otherwise protect against  
> active attacks).  It might be worth supporting a simpler protocol  
> sent over SSL too e.g. plaintext credentials.
> Any suggestions for a more appropriate authentication protocol would  
> be much appreciated.

I've now ripped out the SRP code as it was a) too slow for modular  
exponentiation for n with greater than 256 bits and b) overkill due to  
the client code itself being sent over the wire thus losing SRP's  
resistance against active attacks.  A potential higher-performing  
replacement auth protocol is SCRAM but for now I've just implemented  
simple plain-text form-based auth, which works even for non-JavaScript  
clients.  For extra security simply add SSL.

I've now put the code into its own branch here:

A brief write-up here:

  along with some thoughts on SRP (which is truly awesome and I hope  
browsers all support TLS-SRP someday!).

A code review would be appreciated and then hopefully we can get this  
into trunk so that CouchApps can use cookie-based auth out-of-the-box.

Jason Davies

View raw message