Return-Path: 
 <dev-return-7902-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org>
Delivered-To: apmail-couchdb-dev-archive@www.apache.org
Received: (qmail 56292 invoked from network); 5 Jan 2010 18:38:34 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 5 Jan 2010 18:38:34 -0000
Received: (qmail 26503 invoked by uid 500); 5 Jan 2010 18:38:33 -0000
Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org
Received: (qmail 26428 invoked by uid 500); 5 Jan 2010 18:38:33 -0000
Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@couchdb.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@couchdb.apache.org>
List-Post: <mailto:dev@couchdb.apache.org>
List-Id: <dev.couchdb.apache.org>
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list dev@couchdb.apache.org
Received: (qmail 26418 invoked by uid 99); 5 Jan 2010 18:38:33 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Jan 2010 18:38:33 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of jchris@gmail.com designates
 209.85.216.180 as permitted sender)
Received: from [209.85.216.180] (HELO mail-px0-f180.google.com)
 (209.85.216.180)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Jan 2010 18:38:25 +0000
Received: by pxi10 with SMTP id 10so11952711pxi.13
        for <dev@couchdb.apache.org>; Tue, 05 Jan 2010 10:38:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:sender:received:in-reply-to
         :references:date:x-google-sender-auth:message-id:subject:from:to
         :content-type:content-transfer-encoding;
        bh=kcwaUVBu2N4bsBsicIlgyiQUHmKYf/Ecj3TYrtBuE1U=;
        b=UkWMT5p+ZDoVZzNI7uZzVTHXULbhslTlgkxtE6+L8pi8s29w5hocONOOdV8SlktTYr
         MHMRhjOACHsDpSEevTrd7QPvDqJtLNJVT8Q1eOKbzoXIoFKKYaQ8dYFoWSoyrFhbauwN
         ig8bU7hNdjZ59SxqI8dzBZnK2PQlIBELmJLD0=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:sender:in-reply-to:references:date
         :x-google-sender-auth:message-id:subject:from:to:content-type
         :content-transfer-encoding;
        b=X2/kS1O2Ds+dRTq2D+5vgg0N9SU+g0HBvF2DcNtuNz2WfyroIiLU+8QgV1+DIYDLwd
         Mo7mIw0+9YjDrBcghd454GdBhqEjB/XYtjAshkyibq6wEDzKIyyfHNfOVAIN3XP6GceW
         tbjYuSq0MUndlAESicRouxdkK/uG/OUk7ikdU=
MIME-Version: 1.0
Sender: jchris@gmail.com
Received: by 10.142.122.6 with SMTP id u6mr16078963wfc.95.1262716684915; Tue,
	05 Jan 2010 10:38:04 -0800 (PST)
In-Reply-To: <8D6E5FA3-9215-49D0-8DD7-172FBE9D6ECF@apache.org>
References: <e282921e0912240827t64e37b24l777d6c8f640e972c@mail.gmail.com>
	 <hha5eb$6nv$1@ger.gmane.org>
	 <e282921e1001010821p54a602adv6618287f499a1fe2@mail.gmail.com>
	 <hhtfn8$u2f$1@ger.gmane.org>
	 <e282921e1001041142g3809f5eel59cc2070cb33037b@mail.gmail.com>
	 <41A81121-F352-4EF7-A840-1A5175FF0559@apache.org>
	 <e282921e1001041354k1d6c307djb14d44161768d109@mail.gmail.com>
	 <8D6E5FA3-9215-49D0-8DD7-172FBE9D6ECF@apache.org>
Date: Tue, 5 Jan 2010 10:38:04 -0800
X-Google-Sender-Auth: 5108a108a63fe935
Message-ID: <e282921e1001051038l17b35ed7xdfbba2eeb66e56e3@mail.gmail.com>
Subject: Re: authentication cleanup
From: Chris Anderson <jchris@apache.org>
To: dev@couchdb.apache.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

FYI - I have pushed the account branch to Apache SVN.

I plan to merge it to trunk in the next couple of days. Please test,
especially if you are making heavy use of authentication / oauth /
cookie auth.

There may be some small backwards incompatibilities, hopefully these
are slight enough that we can fix them in CouchDB or your application
code. My intention is to make this patch as smooth as possible for
people to work with. If you see something that's not fun to handle on
your end, please let us know.

Chris

On Mon, Jan 4, 2010 at 5:20 PM, Adam Kocoloski <kocolosk@apache.org> wrote:
> On Jan 4, 2010, at 4:54 PM, Chris Anderson wrote:
>
>> On Mon, Jan 4, 2010 at 1:26 PM, Adam Kocoloski <kocolosk@apache.org> wro=
te:
>>> Hi, just catching up on this very nice thread. =A0I'm +1 on using the l=
ogin for the docid instead of triggering a view lookup, for the reasons Chr=
is outlined. =A0Regarding resistance to brute force attacks, bcrypt storage=
 is definitely better than salted sha-anything, and Colin Percival's scrypt=
[1] is definitely better than bcrypt. =A0I'm not aware of javascript implem=
entations of either of them, though.
>>
>> The current implementation runs the crypto in the browser to create
>> the user document. This could be run in an Erlang _update function and
>> then we could use erlang's bcrypt.
>
> Yep, that would work.
>
>>> I'm curious to see where we end up on the whole 401 Unauthorized browse=
r popup thing. =A0At Cloudant we still respond with a 401 if a basic auth r=
equest failed, but we send a 403 if a /_session request failed or a cookie =
expired, and for exactly this reason.
>>>
>>
>> The solution I'm going with right now is to send a 401, but without
>> the WWW-Authenticate header. This avoids triggering the popup, without
>> breaking anything else.
>
> That sounds like a better approach. =A0Cheers, Adam
>
>



--=20
Chris Anderson
http://jchrisa.net
http://couch.io