From: Jason Davies <jason@jasondavies.com>
To: dev@couchdb.apache.org
Subject: Re: Baking Cookie-Based Authentication into CouchDB
Date: Mon, 4 May 2009 23:31:17 +0100
Message-Id: <4EA19F24-6C9C-41A8-A433-464375B48F34@jasondavies.com>
In-Reply-To: <34FA3001-954A-4DD0-9E62-226F49C950CF@jasondavies.com>
References: <34FA3001-954A-4DD0-9E62-226F49C950CF@jasondavies.com>
Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list dev@couchdb.apache.org
X-Mailer: Apple Mail (2.930.3)

On 29 Apr 2009, at 17:29, Jason Davies wrote:

> I'm in the finishing stages of writing a cookie-based authentication
> handler for CouchDB in Erlang. This is primarily going to be useful
> for CouchApps (apps running purely in CouchDB), but this also
> touches on a generic way to authenticate users via a CouchDB
> database, which could be adopted by the current default HTTP Basic
> auth handler.
>
> I've put the code up here: http://github.com/jasondavies/couchdb/tree/master

[snip]

> Still to do:
>
> - Use some kind of challenge/response mechanism for logging in via
> AJAX. At the moment the login handler just takes a plaintext
> username/password combination sent via POST. I was thinking of
> using SRP (http://en.wikipedia.org/wiki/Secure_remote_password_protocol
> ), however I believe this would require state to be stored on the
> server, and maybe isn't appropriate for this.

I've now implemented SRP auth and it is working merrily. I'm in
discussions with SRP's inventor, Tom Wu, about a potentially simpler
protocol, as SRP implemented in JavaScript is probably overkill for
unencrypted HTTP (it is vulnerable to MITM injection attacks on the
JavaScript code itself, whereas SRP would otherwise protect against
active attacks). It might be worth supporting a simpler protocol sent
over SSL too, e.g. plaintext credentials. Any suggestions for a more
appropriate authentication protocol would be much appreciated.

> - Store hashes of passwords in the database. We can already do
> this, but we might want to send something like hash(password
> +password_salt) to the server, which would involve retrieving the
> appropriate password_salt for a given user first.

Done. In SRP, a special non-plaintext-equivalent "verifier" is stored
in the database along with a salt.

> - At the moment the cookie is set for Path=/ - this probably needs
> to be set to Path=/current_database by default, and be configurable
> so that it can be used by a proxy.
>
> - I need to work on making my tests more exhaustive, they're pretty
> minimal for the moment.

These still need working on.

> - All this auth stuff should probably go into its own module,
> couch_httpd_auth or similar.

Also done.

-- 
Jason Davies
www.jasondavies.com