Yeah, rolled my own too, because:
a) I wanted it independent of actual password storage
b) Wanted authorization as a middleware with a *ton* of flexibility but still easy to use
c) Wanted it to store sessions across servers
So I rolled my own and published it as cansecurity https://github.com/deitch/cansecurity or "npm install cansecurity". If cansec is in the right direction but missing things, raise an issue in github and I will get it in.

On Thursday, March 22, 2012 6:22:08 AM UTC+2, C. Mundi wrote:
> Wow. I took one look at everyauth when I started using express, and I decided it was not a good fit for my needs. Now I'm really glad I rolled my own. Sure, my users' passwords go over the wire (https) but *never* get persisted.
>
>>>> I feel like everyauth is currently the best solution for this -- I've used it in a few projects and I prefer it to building my own.
>>>
>>> i guess my concern with everyauth is that i don't see where / how it is salting local passwords (as i indicated in my original email).
>>
>> now that i've had time to look at the everyauth code more thoroughly, it appears that there is no salting or hashing of any kind for local passwords. granted, if you just use third parties to authenticate and use their promise, this is moot. however, if you use local passwords, it appears that everyauth stores them in plain text. the documentation doesn't say one way or the other, but if this is the case it's very bad.
>>
>> just for the hell of it, i looked at the modules that are being used (not what is in package.json) and i don't see anything dealing with hashing / salting:
>>
>> grep -ir --color require * | perl -ne '$h{$1}++ if /.*\((.\w*.)\)/ }{ print "$_ => $h{ $_ }\t" for keys %h;'
>> 'restler' => 2 'oauth' => 5 'express' => 4 'satisfy' => 1 'tls' => 1 'osm' => 1 'xml2js' => 4 'querystring' => 3 'sys' => 1 'url' => 14 'tobi' => 3 'connect' => 32 'openid' => 3 'everyauth' => 32 'http' => 1 'fs' => 1
>>
>> i noticed in github's bug tracker someone mentioned that it was using blowfish, but i don't see that.
>>
>> ps - i matched a wildcard because zsh didn't like \'
>> :|

--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
