On Tue, Jan 5, 2010 at 10:50 AM, Chris Anderson <[email protected]> wrote:
>
> I'd be happy to see the users db design document ported to erlang, so
> we can use erlang's bcrypt (assuming license is ok).
One problem here is I think that we currently ship with the native
query server disabled. We'd need to add this to default.ini to make
this stuff ship with CouchDB:
[native_query_servers]
erlang={couch_native_process, start_link, []}
I'm wary about making this change because native query servers aren't
as sandboxed as the couchjs query server.
So... I'm lead to think of an http api:
POST /_bcrypt
"json clearstring"
response:
{
"crypted" : "sdafkjhskasdf/sdd",
"salt" : "foo"
}
This smells. Crypto should run in the browser. I haven't found a
JavaScript bcrypt yet.
The sane alternative seems to be to special-case the user's-db _design
document somehow, so it can be in Erlang even if native query servers
are not enabled. After all, it is trusted Erlang code that ships with
the package.
I don't think I'll let our still using salted sha1 keep me from
merging to trunk. After all, it's what we're using now so this
definitely isn't a step backwards.
Chris
--
Chris Anderson
http://jchrisa.net
http://couch.io
