On 6 Jan 2010, at 03:25, Chris Anderson wrote:
> On Tue, Jan 5, 2010 at 10:50 AM, Chris Anderson <[email protected]> wrote:
>>
>> I'd be happy to see the users db design document ported to erlang, so
>> we can use erlang's bcrypt (assuming license is ok).
>
> One problem here is I think that we currently ship with the native
> query server disabled. We'd need to add this to default.ini to make
> this stuff ship with CouchDB:
>
> [native_query_servers]
> erlang={couch_native_process, start_link, []}
>
> I'm wary about making this change because native query servers aren't
> as sandboxed as the couchjs query server.
We shouldn't enable the erlang view server by default.
Cheers
Jan
--
>
> So... I'm lead to think of an http api:
>
> POST /_bcrypt
> "json clearstring"
>
> response:
> {
> "crypted" : "sdafkjhskasdf/sdd",
> "salt" : "foo"
> }
>
> This smells. Crypto should run in the browser. I haven't found a
> JavaScript bcrypt yet.
>
> The sane alternative seems to be to special-case the user's-db _design
> document somehow, so it can be in Erlang even if native query servers
> are not enabled. After all, it is trusted Erlang code that ships with
> the package.
>
> I don't think I'll let our still using salted sha1 keep me from
> merging to trunk. After all, it's what we're using now so this
> definitely isn't a step backwards.
>
> Chris
>
> --
> Chris Anderson
> http://jchrisa.net
> http://couch.io
