rnewson commented on code in PR #4140:
URL: https://github.com/apache/couchdb/pull/4140#discussion_r941528036


##########
src/couch/src/couch_httpd_auth.erl:
##########
@@ -308,15 +308,26 @@ cookie_authentication_handler(#httpd{mochi_req = 
MochiReq} = Req, AuthModule) ->
                         {ok, UserProps, _AuthCtx} ->
                             UserSalt = couch_util:get_value(<<"salt">>, 
UserProps, <<"">>),
                             FullSecret = <<Secret/binary, UserSalt/binary>>,
-                            ExpectedHash = couch_util:hmac(sha, FullSecret, 
User ++ ":" ++ TimeStr),
+                            CalculatedHashes = lists:map(
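
Review bot: At `CalculatedHashes = lists:map(`, replacing the single `couch_util:hmac(sha, FullSecret, ...)` with one hash per configured algorithm means a cookie is accepted if it matches any entry, so the weakest algorithm left in the list sets the forgery resistance of every session cookie. Please document next to the hash-algorithm setting that legacy entries such as `sha` should be removed once older cookies have expired. Whichever code compares these candidates with the cookie's hash should stay constant-time for each candidate.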

Review Comment:
   this will cause us to hash each cookie with every algorithm each time, which 
is wasteful. instead we want to stop at the first successful match.



##########
src/couch/src/couch_httpd_auth.erl:
##########
@@ -296,9 +296,9 @@ cookie_authentication_handler(#httpd{mochi_req = MochiReq} 
= Req, AuthModule) ->
                 end,
             % Verify expiry and hash
             CurrentTime = make_cookie_time(),
+            HashAlgorithms = get_config_hash_algorithms(),
             case chttpd_util:get_chttpd_auth_config("secret") of
                 undefined ->
-                    couch_log:debug("cookie auth secret is not set", []),
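
Review bot: `HashAlgorithms = get_config_hash_algorithms()` is bound before the `case chttpd_util:get_chttpd_auth_config("secret") of`, so the algorithm list is read even on the `undefined` branch, where no hash is ever verified. Consider moving the binding into the branch that has a secret. Removing `couch_log:debug("cookie auth secret is not set", [])` also takes away the log trace an operator would use to spot a missing secret, and nothing in this hunk replaces it.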

Review Comment:
   restore this line please.


