On Tue, Mar 20, 2012 at 12:59, shawn wilson <[email protected]> wrote:
> On Tue, Mar 20, 2012 at 06:23, Alex Young <[email protected]> wrote:
>
>>
>> I feel like everyauth is currently the best solution for this -- I've used
>> it in a few projects and I prefer it to building my own.
>>
>
> I guess my concern with everyauth is that I don't see where / how it
> is salting local passwords (as I indicated in my original email).
Now that I've had time to look at the everyauth code more thoroughly,
it appears that there is no salting or hashing of any kind for local
passwords. Granted, if you just use third parties to authenticate and
use their promise, this is moot. However, if you use local passwords,
it appears that everyauth stores them in plain text. The documentation
doesn't say one way or the other, but if this is the case it's very
bad.
Just for the hell of it, I looked at the modules that are being used
(not what is in package.json) and I don't see anything dealing with
hashing / salting:
grep -ir --color require * | perl -ne '$h{$1}++ if /.*\((.\w*.)\)/ }{
print "$_ => $h{ $_ }\t" for keys %h;'
'restler' => 2 'oauth' => 5 'express' => 4 'satisfy' => 1 'tls'
=> 1 'osm' => 1 'xml2js' => 4 'querystring' => 3
'sys' => 1 'url' => 14 'tobi' => 3 'connect' => 32 'openid'
=> 3 'everyauth' => 32 'http' => 1 'fs' => 1
I noticed in GitHub's bug tracker someone mentioned that it was using
blowfish, but I don't see that.
PS - I matched a wildcard because zsh didn't like \'
:|
You received this message because you are subscribed to the Google
Groups "nodejs" group.