couchdb-dev mailing list archives

From Benoit Chesneau <bchesn...@gmail.com>
Subject Re: authentication cleanup
Date Wed, 06 Jan 2010 06:21:06 GMT
On Wed, Jan 6, 2010 at 3:25 AM, Chris Anderson <jchris@apache.org> wrote:
> On Tue, Jan 5, 2010 at 10:50 AM, Chris Anderson <jchris@apache.org> wrote:
>>
>> I'd be happy to see the users db design document ported to erlang, so
>> we can use erlang's bcrypt (assuming license is ok).
>
> One problem here is I think that we currently ship with the native
> query server disabled. We'd need to add this to default.ini to make
> this stuff ship with CouchDB:
>
> [native_query_servers]
> erlang={couch_native_process, start_link, []}
>
> I'm wary about making this change because native query servers aren't
> as sandboxed as the couchjs query server.
>
> So... I'm led to think of an http api:
>
> POST /_bcrypt
> "json clearstring"
>
> response:
> {
>  "crypted" : "sdafkjhskasdf/sdd",
>  "salt" : "foo"
> }
>
> This smells. Crypto should run in the browser. I haven't found a
> JavaScript bcrypt yet.
>
> The sane alternative seems to be to special-case the user's-db _design
> document somehow, so it can be in Erlang even if native query servers
> are not enabled. After all, it is trusted Erlang code that ships with
> the package.
>
> I don't think I'll let our still using salted sha1 keep me from
> merging to trunk. After all, it's what we're using now so this
> definitely isn't a step backwards.
>
> Chris
>
> --
There is a blowfish encryption implementation available in JavaScript.
Doesn't bcrypt stand for "blowfish crypt"?
http://www.openbsd.org/cgi-bin/man.cgi?query=bcrypt&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

from where it has been created.

- benoît
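
Added example, not part of the original message or of CouchDB's code: one way to move stored passwords off salted SHA-1 is to verify against the old hash and re-hash with a cost-parameterised function on the next successful login. scrypt from Node's standard library stands in for bcrypt here; the record fields and the `sha1(password + salt)` layout are assumptions.

```javascript
// Added example. Record fields (scheme, salt, hash, N) are hypothetical,
// not CouchDB's user-document schema.
const nodeCrypto = require('crypto');

// Legacy layout assumed here: hex(SHA-1(password + salt)); one fast hash per guess.
function legacySha1(password, salt) {
  return nodeCrypto.createHash('sha1').update(password + salt).digest('hex');
}

// Stand-in for bcrypt: scrypt with a tunable cost N (must be a power of two).
function scryptHash(password, salt, N = 16384) {
  return nodeCrypto.scryptSync(password, salt, 32, { N, r: 8, p: 1 }).toString('hex');
}

// Constant-time comparison of two hex digests; unequal lengths never match.
function sameDigest(aHex, bHex) {
  const a = Buffer.from(aHex, 'hex');
  const b = Buffer.from(bHex, 'hex');
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Fresh record with a random per-user salt and the cost stored alongside it.
function newRecord(password) {
  const salt = nodeCrypto.randomBytes(16).toString('hex');
  return { scheme: 'scrypt', N: 16384, salt, hash: scryptHash(password, salt) };
}

// Returns { ok, record }. A successful legacy login yields an upgraded record to store.
function verifyAndUpgrade(record, password) {
  if (record.scheme === 'sha1') {
    const ok = sameDigest(record.hash, legacySha1(password, record.salt));
    return ok ? { ok, record: newRecord(password) } : { ok, record };
  }
  if (record.scheme === 'scrypt') {
    const ok = sameDigest(record.hash, scryptHash(password, record.salt, record.N));
    return { ok, record };
  }
  return { ok: false, record }; // unknown scheme: fail closed
}

// Constructed sample record, as an old salted-SHA-1 entry might look.
const legacy = { scheme: 'sha1', salt: 'foo', hash: legacySha1('s3cret', 'foo') };
const first = verifyAndUpgrade(legacy, 's3cret');
console.log(first.ok, first.record.scheme);
console.log(verifyAndUpgrade(first.record, 's3cret').ok);
console.log(verifyAndUpgrade(first.record, 'wrong').ok);
```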
