abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
URL: https://github.com/apache/couchdb/issues/1183#issuecomment-380029505

> I think the hmac encoding of the username provides only slightly better security, but it is confusing to users. Perhaps the http auth should allow both options at the same time, either the secret directly (#1174), or the encoded username. If an attacker already knows about the secret, it is trivial to generate the tokens, so there is no harm in allowing the secret as a token, if users desire it.

The benefit of encoding the username is that it disallows malicious users from accessing others' databases. If we were to allow directly supplying secret - especially when using it with a browser client like pouchdb. If we were to allow both, at least we should document this point.
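
The distinction discussed in this comment, as an added example that is not part of the original message or CouchDB's own code: it assumes the proxy token is the hex HMAC-SHA1 of the username keyed with the shared secret, and the function names, the sample secret and the "both options" policy are hypothetical stand-ins for the proposal quoted above.

```python
import hashlib
import hmac

# Constructed sample secret; a real deployment uses its own configured value.
SECRET = b"constructed-example-secret"


def proxy_token(secret: bytes, username: str) -> str:
    """Per-user token: hex HMAC-SHA1 of the username keyed with the secret."""
    return hmac.new(secret, username.encode("utf-8"), hashlib.sha1).hexdigest()


def accept_hmac_only(secret: bytes, username: str, token: str) -> bool:
    """Accept only a token derived for this exact username."""
    expected = proxy_token(secret, username).encode("ascii")
    return hmac.compare_digest(expected, token.encode("utf-8"))


def accept_secret_or_hmac(secret: bytes, username: str, token: str) -> bool:
    """Hypothetical 'both options' policy: raw secret or per-user token."""
    if hmac.compare_digest(secret, token.encode("utf-8")):
        return True  # the username is never checked on this path
    return accept_hmac_only(secret, username, token)


def compare_policies(secret: bytes = SECRET) -> dict:
    """Outcome of each credential under each policy, for two sample users."""
    alice_token = proxy_token(secret, "alice")
    raw_secret = secret.decode("ascii")
    return {
        "alice_token_as_alice": accept_hmac_only(secret, "alice", alice_token),
        "alice_token_as_bob": accept_hmac_only(secret, "bob", alice_token),
        "alice_token_as_bob_both": accept_secret_or_hmac(secret, "bob", alice_token),
        "raw_secret_as_bob_both": accept_secret_or_hmac(secret, "bob", raw_secret),
        "raw_secret_as_bob_hmac_only": accept_hmac_only(secret, "bob", raw_secret),
    }


if __name__ == "__main__":
    for case, accepted in compare_policies().items():
        print(f"{case}: {accepted}")
```

A per-user token is bound to one username, while a raw secret handed to a client is accepted for every username, which is the property that would need documenting if both options were allowed.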