couchdb-dev mailing list archives

From Jan Lehnardt <...@apache.org>
Subject Re: authentication cleanup
Date Wed, 06 Jan 2010 15:30:16 GMT

On 6 Jan 2010, at 03:25, Chris Anderson wrote:

> On Tue, Jan 5, 2010 at 10:50 AM, Chris Anderson <jchris@apache.org> wrote:
>> 
>> I'd be happy to see the users db design document ported to erlang, so
>> we can use erlang's bcrypt (assuming license is ok).
> 
> One problem here is I think that we currently ship with the native
> query server disabled. We'd need to add this to default.ini to make
> this stuff ship with CouchDB:
> 
> [native_query_servers]
> erlang={couch_native_process, start_link, []}
> 
> I'm wary about making this change because native query servers aren't
> as sandboxed as the couchjs query server.

We shouldn't enable the erlang view server by default.

Cheers
Jan
--


> 
> So... I'm led to think of an http api:
> 
> POST /_bcrypt
> "json clearstring"
> 
> response:
> {
>  "crypted" : "sdafkjhskasdf/sdd",
>  "salt" : "foo"
> }
> 
> This smells. Crypto should run in the browser. I haven't found a
> JavaScript bcrypt yet.
> 
> The sane alternative seems to be to special-case the user's-db _design
> document somehow, so it can be in Erlang even if native query servers
> are not enabled. After all, it is trusted Erlang code that ships with
> the package.
> 
> I don't think I'll let our still using salted sha1 keep me from
> merging to trunk. After all, it's what we're using now so this
> definitely isn't a step backwards.
> 
> Chris
> 
> -- 
> Chris Anderson
> http://jchrisa.net
> http://couch.io
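
An added example, not part of the thread and not CouchDB's code: a user record in the `crypted`/`salt` shape from the quoted proposal, checked under single-pass salted SHA-1 and re-hashed with a work-factor KDF after a correct login, which goes one step beyond the thread to show how existing SHA-1 records could be carried forward. PBKDF2 from Python's standard library stands in for bcrypt; the `scheme` and `iterations` fields, the password-then-salt order and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, tune to the server's hardware


def salted_sha1(password: str, salt: str) -> str:
    # Legacy scheme: one SHA-1 pass; password-then-salt order is an assumption.
    return hashlib.sha1((password + salt).encode()).hexdigest()


def pbkdf2(password: str, salt: str, iterations: int) -> str:
    # Stand-in for bcrypt: each guess costs `iterations` HMAC-SHA-256 rounds.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return raw.hex()


def new_record(password: str, scheme: str = "pbkdf2") -> dict:
    salt = os.urandom(16).hex()  # fresh random salt per user
    if scheme == "sha1":
        return {"scheme": "sha1", "salt": salt, "crypted": salted_sha1(password, salt)}
    return {"scheme": "pbkdf2", "iterations": ITERATIONS, "salt": salt,
            "crypted": pbkdf2(password, salt, ITERATIONS)}


def verify(password: str, record: dict) -> bool:
    if record.get("scheme") == "sha1":
        candidate = salted_sha1(password, record["salt"])
    elif record.get("scheme") == "pbkdf2":
        candidate = pbkdf2(password, record["salt"], record["iterations"])
    else:
        return False  # unknown scheme: fail closed
    # Constant-time comparison so timing does not leak how many characters matched.
    return hmac.compare_digest(candidate, record["crypted"])


def verify_and_upgrade(password: str, record: dict):
    """Return (ok, record); a legacy record is re-hashed after a correct login."""
    if not verify(password, record):
        return False, record
    if record["scheme"] == "sha1":
        return True, new_record(password)  # caller persists the upgraded record
    return True, record


if __name__ == "__main__":
    legacy = new_record("s3cret", scheme="sha1")  # constructed sample user
    ok, upgraded = verify_and_upgrade("s3cret", legacy)
    print(ok, legacy["scheme"], "->", upgraded["scheme"])
```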

