couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Kocoloski <>
Subject Re: authentication cleanup
Date Tue, 05 Jan 2010 01:20:14 GMT
On Jan 4, 2010, at 4:54 PM, Chris Anderson wrote:

> On Mon, Jan 4, 2010 at 1:26 PM, Adam Kocoloski <> wrote:
>> Hi, just catching up on this very nice thread.  I'm +1 on using the login for the
docid instead of triggering a view lookup, for the reasons Chris outlined.  Regarding resistance
to brute force attacks, bcrypt storage is definitely better than salted sha-anything, and
Colin Percival's scrypt[1] is definitely better than bcrypt.  I'm not aware of javascript
implementations of either of them, though.
> The current implementation runs the crypto in the browser to create
> the user document. This could be run in an Erlang _update function and
> then we could use erlang's bcrypt.

Yep, that would work.

>> I'm curious to see where we end up on the whole 401 Unauthorized browser popup thing.
 At Cloudant we still respond with a 401 if a basic auth request failed, but we send a 403
if a /_session request failed or a cookie expired, and for exactly this reason.
> The solution I'm going with right now is to send a 401, but without
> the WWW-Authenticate header. This avoids triggering the popup, without
> breaking anything else.

That sounds like a better approach.  Cheers, Adam

View raw message