couchdb-user mailing list archives

From J Chris Anderson <jch...@apache.org>
Subject Re: Best performing login implementation?
Date Mon, 06 Sep 2010 15:24:49 GMT

On Sep 6, 2010, at 8:10 AM, Matt Goodall wrote:

> On 6 September 2010 15:18, Wout Mertens <wout.mertens@gmail.com> wrote:
> 
>> 
>> On Sep 6, 2010, at 15:39 , Tiago Freire wrote:
>> 
>>> I am wondering about the best method for
>>> implementing this.
>>> 
>>> 1) Each username+login in a document.
>>> 2) One document for username+logins, each one in a separate property.
>>> {username:password}
>>> 3) One document for username+logins, all in a single 'logins' array.
>>> {logins: [{username:foo, password: bar}]}
>> 
>> From general principle, 1) is the one you want. I haven't set up user auth
>> myself, but in document-oriented databases you want to keep your data
>> together in logical units that have a practical maximum size.
>> 
>> So while, in a way, all your logins are a logical unit, there is no limit
>> on how large that array will get so that is not a good way to store that
>> information.
>> 
>> 
> I'd go for one document per username+login. Don't be shy about throwing in
> lots of other information about the user unless it really doesn't make sense
> to store it in the same document for some reason. Your view can emit just
> the username and password to keep the authentication request fast:
> 
>    function(doc) {
>        if(doc.type == 'user') {
>            emit(doc.username, doc.password);
>        }
>    }
> 

Also, please do not store plain text passwords. Read this:

http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html

Also it is worth noting that CouchDB has a built-in authentication system that gets this right,
and you might just be able to piggyback on it, depending on your application:

http://blog.couch.io/post/1027100082/whats-new-in-couchdb-1-0-part-4-securityn-stuff

If you decide to roll your own, I agree that a document-per-user is a good approach.

Chris

> The other thing to consider when designing your documents is who will be
> updating them and how often. Ideally, you only want updates to come from one
> person to avoid conflicts. If you put all username+password in a single
> document then as the number of users grows you're increasingly likely to get
> conflicts, e.g. whenever someone tries to change their password.
> 
> - Matt
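
An added example, not part of the original thread or of CouchDB's own code: one way to build the per-user document discussed above so that it carries a salted, iterated hash instead of the plain text password, plus the matching login check. The choice of PBKDF2-SHA256, the iteration count, the `user:` id prefix and the field names other than `type` and `username` are assumptions made for illustration.

```javascript
// Added example. Field names (kdf, iterations, salt, derived_key) and the
// "user:" _id prefix are hypothetical, not CouchDB's built-in _users schema.
const crypto = require('node:crypto');

const KDF = { name: 'pbkdf2-sha256', iterations: 100000, keyLen: 32 };

function derive(password, saltHex, iterations) {
  return crypto.pbkdf2Sync(password, Buffer.from(saltHex, 'hex'),
                           iterations, KDF.keyLen, 'sha256');
}

// One document per user: a fresh random salt and the derived key are stored,
// the password itself never is.
function makeUserDoc(username, password) {
  const salt = crypto.randomBytes(16).toString('hex');
  return {
    _id: 'user:' + username,
    type: 'user',
    username: username,
    kdf: KDF.name,
    iterations: KDF.iterations,
    salt: salt,
    derived_key: derive(password, salt, KDF.iterations).toString('hex')
  };
}

// Check a login attempt against the fetched document (null when the user
// does not exist). Malformed or truncated stored values are rejected before
// the comparison, so an empty derived_key can never match.
function verifyLogin(doc, password) {
  if (!doc || doc.type !== 'user' || doc.kdf !== KDF.name) return false;
  if (typeof doc.salt !== 'string' || typeof doc.derived_key !== 'string') return false;
  if (!Number.isInteger(doc.iterations) || doc.iterations < 1) return false;
  const stored = Buffer.from(doc.derived_key, 'hex');
  if (stored.length !== KDF.keyLen) return false;
  const candidate = derive(password, doc.salt, doc.iterations);
  return crypto.timingSafeEqual(stored, candidate); // constant-time compare
}
```

Storing `kdf` and `iterations` in each document lets the work factor be raised later without invalidating existing users.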

