From: Jason Smith
To: dev@couchdb.apache.org
Date: Wed, 7 Jul 2010 14:01:55 +0700
Subject: Proper use of _users for authentication module

When is it appropriate for an authentication module to use the _users database (or whatever it is configured to be)?

I am investigating OpenID 2.0 support. A requirement is to store a nonce to protect against replay attacks. I am evaluating using a database to store the nonce. (Another option is an ets table but that has its own issues.)

The built-in design document IIRC rejects all non-user documents. So storing a nonce as a new document type would require changing that policy in an unclear way. Would it be better to create a whole new _openid database for the task?

Suggestions welcome. Thanks!

--
Jason Smith
Couchio Hosting
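
The replay check the message refers to, as an added example that is not part of the original post or of CouchDB's code: an OpenID 2.0 `response_nonce` begins with a UTC timestamp, so a relying party can refuse nonces outside a time window and only needs to remember the ones inside it. `NonceStore`, its in-memory map (standing in for whichever database or table holds the nonces) and the 300-second window are assumptions for illustration.

```javascript
// Added example: replay check for OpenID 2.0 response_nonce values.
// NonceStore is a hypothetical in-memory stand-in for a store in which
// each accepted nonce is one record and a duplicate key is refused.
const NONCE_RE = /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$/;

class NonceStore {
  constructor(maxSkewSeconds = 300) {
    this.maxSkewMs = maxSkewSeconds * 1000; // assumed acceptance window
    this.seen = new Map(); // key -> nonce timestamp (ms since epoch)
  }

  // Returns "ok", "malformed", "stale" or "replay".
  check(opEndpoint, nonce, nowMs = Date.now()) {
    if (typeof nonce !== "string" || nonce.length > 255) return "malformed";
    const m = NONCE_RE.exec(nonce);
    if (!m) return "malformed";
    const issuedMs = Date.parse(m[1]);
    if (Number.isNaN(issuedMs)) return "malformed";
    // A nonce outside the window is refused outright, so only nonces
    // inside the window ever have to be remembered.
    if (Math.abs(nowMs - issuedMs) > this.maxSkewMs) return "stale";
    this.prune(nowMs);
    // Uniqueness is per OP endpoint, so the endpoint is part of the key.
    const key = JSON.stringify([opEndpoint, nonce]);
    if (this.seen.has(key)) return "replay";
    this.seen.set(key, issuedMs);
    return "ok";
  }

  // Forget nonces that have aged out of the window; they would now be
  // rejected as "stale" without consulting the store.
  prune(nowMs) {
    for (const [key, issuedMs] of this.seen) {
      if (nowMs - issuedMs > this.maxSkewMs) this.seen.delete(key);
    }
  }
}
```

Because stale nonces are rejected before the lookup, the store stays bounded by the number of logins inside the window, whatever backing store is chosen.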