Wow. I took one look at everyauth when I started using express, and I decided it was not a good fit for my needs. Now I'm really glad I rolled my own. Sure, my users' passwords go over the wire (https) but *never* get persisted.

On Mar 20, 2012 1:09 PM, "shawn wilson" <[email protected]> wrote:
> On Tue, Mar 20, 2012 at 12:59, shawn wilson <[email protected]> wrote:
> > On Tue, Mar 20, 2012 at 06:23, Alex Young <[email protected]> wrote:
> >
> >>
> >> I feel like everyauth is currently the best solution for this -- I've used
> >> it in a few projects and I prefer it to building my own.
> >>
> >
> > i guess my concern with everyauth is that i don't see where / how it
> > is salting local passwords (as i indicated in my original email).
> >
> now that i've had time to look at the everyauth code more thoroughly,
> it appears that there is no salting or hashing of any kind for local
> passwords. granted, if you just use third parties to authenticate and
> use their promise, this is moot. however, if you use local passwords,
> it appears that everyauth stores them in plain text. the documentation
> doesn't say one way or the other, but if this is the case it's very
> bad.
>
> just for the hell of it, i looked at the modules that are being used
> (not what is in package.json) and i don't see anything dealing with
> hashing / salting:
>
> grep -ir --color require * | perl -ne '$h{$1}++ if /.*\((.\w*.)\)/ }{ print "$_ => $h{ $_ }\t" for keys %h;'
> 'restler' => 2 'oauth' => 5 'express' => 4 'satisfy' => 1 'tls' => 1
> 'osm' => 1 'xml2js' => 4 'querystring' => 3 'sys' => 1 'url' => 14
> 'tobi' => 3 'connect' => 32 'openid' => 3 'everyauth' => 32 'http' => 1
> 'fs' => 1
>
> i noticed in github's bug tracker someone mentioned that it was using
> blowfish, but i don't see that.
>
> ps - i matched a wildcard because zsh didn't like \'
> :|
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
