realulim commented on issue #844: Add new explicit authentication-tokens that can be revoked

URL: https://github.com/apache/couchdb/issues/844#issuecomment-478287126

I've detailed a possible approach in my posting on October 10th, 2017. There may be holes in my scheme, so I'd welcome any comments. My idea involves keeping state on the server, but only per user, not per session. Also, eventual consistency suffices, so I see no issues with scalability and distribution, and no changes to existing APIs are needed. Also, I believe that the "invalidate" request does not need the user's password for authentication; it would be enough to use a valid stateless token. Sure, a hacker could "invalidate" with a stolen token, but he would actually be doing the user a favor, because he locks himself out that way.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
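The comment above sketches revocable stateless tokens with only per-user server state. The following is an added illustration of one way such a scheme can work; it is not CouchDB code and not the scheme as realulim posted it on October 10th, 2017. It assumes (my choice, not the page's) that the per-user state is a single integer "token generation" embedded in each HMAC-signed token: verification succeeds only while the token's generation matches the user's current one, and an "invalidate" call that presents any currently valid token bumps the generation, which locks out every outstanding token for that user, the presented one included. All names (`issue_token`, `verify_token`, `invalidate_all`, the in-memory `_user_generation` map) and the server key are hypothetical and constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: a fresh random key per process. A real
# deployment would load a persistent, secret server key instead.
SERVER_KEY = secrets.token_bytes(32)

# The only server-side state: user -> current token generation.
# There is one entry per user, never one per session/token, so it stays small.
# Replicating this map with eventual consistency is acceptable: a node that
# has not yet seen a bump accepts the old generation only until it catches up.
_user_generation: dict = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_token(user: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint a stateless token carrying subject, generation and expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "gen": _user_generation.get(user, 0), "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name for a valid token, or None for any failure.

    Order matters: the signature is checked before any claim is trusted, so
    an attacker cannot probe generation or expiry handling with forged input.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    try:
        claims = json.loads(payload)
        user, gen, exp = claims["sub"], int(claims["gen"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if exp <= now:
        return None
    # Revocation check against the per-user state only.
    if gen != _user_generation.get(user, 0):
        return None
    return user


def invalidate_all(token: str, now: Optional[int] = None) -> bool:
    """Revoke every outstanding token of the presenting token's user.

    As the comment proposes, this needs a valid token rather than the
    password; a stolen token used here locks the thief out as well.
    """
    user = verify_token(token, now)
    if user is None:
        return False
    _user_generation[user] = _user_generation.get(user, 0) + 1
    return True


if __name__ == "__main__":
    t = issue_token("alice", now=1000)
    print("valid:", verify_token(t, now=1500))
    print("invalidated:", invalidate_all(t, now=1500))
    print("after invalidation:", verify_token(t, now=1500))
```

A not-before timestamp per user would serve the same purpose as the counter and survives clock-ordered replication slightly better; the counter is used here because it makes the "one integer per user" point obvious. Either way, a token that predates the last bump fails without the server ever storing the token itself.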
