rnewson commented on code in PR #4814: URL: https://github.com/apache/couchdb/pull/4814#discussion_r1388152414
########## src/couch/src/couch_httpd_auth.erl: ##########
@@ -662,10 +643,14 @@ authenticate(Pass, UserProps) -> couch_util:get_value(<<"password_sha">>, UserProps, nil) }; <<"pbkdf2">> -> + PRF = couch_util:get_value(<<"pbkdf2_prf">>, UserProps, <<"sha">>), + verify_prf(PRF), Iterations = couch_util:get_value(<<"iterations">>, UserProps, 10000),

Review Comment:
hm, second thoughts on this. the 10000 setting is quite old and for the case where UserProps has pbkdf2 hash but has somehow lost its "iterations" property. Frankly having a default here makes no sense, so perhaps it should be a get_value/2 and then verify_iterations tweaked to fail for `undefined`?

The get_value/3 for pbkdf2_prf on the other hand _is_ right. existing pbkdf2 hashes will be hashed with `sha` and won't have this new field.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@couchdb.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
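Review bot: `verify_prf(PRF)` on the second added line is called for its side effect only, and the hunk does not show what it does with an unsupported value; if it returns a normalised digest instead of throwing, that result is discarded and the raw `PRF` binary flows on unchecked. Suggest binding the result, e.g. `PRF = verify_prf(couch_util:get_value(<<"pbkdf2_prf">>, UserProps, <<"sha">>)),`, or a one-line comment stating that it throws. The `<<"sha">>` default itself is right, since docs written before this field existed never carry it; the unchanged `10000` default on the trailing context line for `iterations` is a different case, because a doc that lost that field would be verified against a guessed round count rather than refused.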
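As an added example in Erlang, not code from the CouchDB PR or project: a small module that reads the two properties the comment contrasts, defaulting `pbkdf2_prf` to `sha` for pre-existing docs but refusing a doc whose `iterations` field is absent instead of guessing a round count. Everything in it is assumed for the illustration: the module and function names (`verify_password/2`, `verify_iterations/1`, `verify_prf/1`, `make_user/4`), the stored-doc layout (a proplist with binary keys, a binary salt, a lower-case hex `derived_key`), the `{forbidden, Reason}` throw shape and the iteration cap. It is not how `couch_httpd_auth` represents these values. It relies on `crypto:pbkdf2_hmac/5`, available from OTP 24.2.

```erlang
%% Added example, not CouchDB's own code: a strict-vs-defaulting reading of
%% the pbkdf2 user properties discussed in the review. Hypothetical names:
%% verify_password/2, verify_iterations/1, verify_prf/1, make_user/4.
%% Assumed doc layout: a proplist with binary keys, a binary salt and a
%% lower-case hex derived_key.
-module(pbkdf2_props_example).
-export([verify_password/2, verify_iterations/1, verify_prf/1,
         make_user/4, demo/0]).

-define(MAX_ITERATIONS, 1000000).

%% Build a user proplist. pbkdf2_prf is written only for non-legacy PRFs,
%% so make_user(..., sha) reproduces a doc from before the field existed.
make_user(Password, Salt, Iterations, PRF) ->
    Key = pbkdf2(PRF, Password, Salt, Iterations),
    Base = [{<<"password_scheme">>, <<"pbkdf2">>},
            {<<"iterations">>, Iterations},
            {<<"salt">>, Salt},
            {<<"derived_key">>, bin_to_hex(Key)}],
    case PRF of
        sha -> Base;
        _ -> [{<<"pbkdf2_prf">>, atom_to_binary(PRF, utf8)} | Base]
    end.

%% pbkdf2_prf may be absent (legacy docs, HMAC-SHA1); iterations may not.
%% A doc that lost its iterations field is rejected, not checked at a guess.
verify_password(Password, UserProps) ->
    PRF = verify_prf(proplists:get_value(<<"pbkdf2_prf">>, UserProps, <<"sha">>)),
    Iterations = verify_iterations(proplists:get_value(<<"iterations">>, UserProps)),
    Salt = proplists:get_value(<<"salt">>, UserProps),
    Expected = hex_to_bin(proplists:get_value(<<"derived_key">>, UserProps)),
    const_eq(Expected, pbkdf2(PRF, Password, Salt, Iterations)).

verify_iterations(undefined) ->
    throw({forbidden, <<"pbkdf2 user doc has no iterations field">>});
verify_iterations(N) when is_integer(N), N >= 1, N =< ?MAX_ITERATIONS ->
    N;
verify_iterations(_) ->
    throw({forbidden, <<"invalid iterations value">>}).

%% Returns the crypto digest atom so the caller cannot use an unchecked PRF.
verify_prf(<<"sha">>) -> sha;
verify_prf(<<"sha256">>) -> sha256;
verify_prf(_) -> throw({forbidden, <<"unsupported pbkdf2_prf">>}).

%% crypto:pbkdf2_hmac/5 exists from OTP 24.2; derived key length = digest size.
pbkdf2(PRF, Password, Salt, Iterations) ->
    KeyLen = byte_size(crypto:hash(PRF, <<>>)),
    crypto:pbkdf2_hmac(PRF, Password, Salt, Iterations, KeyLen).

%% Constant-time comparison of two binaries; unequal lengths compare false.
const_eq(A, B) when byte_size(A) =:= byte_size(B) ->
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                lists:zip(binary_to_list(A), binary_to_list(B))) =:= 0;
const_eq(_, _) ->
    false.

bin_to_hex(Bin) -> << <<(hex_digit(N))>> || <<N:4>> <= Bin >>.
hex_digit(N) when N < 10 -> $0 + N;
hex_digit(N) -> $a + N - 10.

hex_to_bin(Hex) -> << <<(hex_val(C)):4>> || <<C>> <= Hex >>.
hex_val(C) when C >= $0, C =< $9 -> C - $0;
hex_val(C) when C >= $a, C =< $f -> C - $a + 10;
hex_val(C) when C >= $A, C =< $F -> C - $A + 10.

%% Constructed sample docs: a legacy sha doc, a sha256 doc, and the legacy
%% doc with its iterations field stripped, which must be refused.
demo() ->
    Legacy = make_user(<<"hunter2">>, <<"constructed-salt">>, 10, sha),
    true = verify_password(<<"hunter2">>, Legacy),
    false = verify_password(<<"wrong">>, Legacy),
    Modern = make_user(<<"hunter2">>, <<"constructed-salt">>, 10, sha256),
    true = verify_password(<<"hunter2">>, Modern),
    Broken = proplists:delete(<<"iterations">>, Legacy),
    {forbidden, _} = (catch verify_password(<<"hunter2">>, Broken)),
    ok.
```

`demo/0` walks the three cases the comment distinguishes: a legacy doc with no `pbkdf2_prf` still verifies under `sha`, a doc that names `sha256` verifies under that PRF, and a doc missing `iterations` is thrown out by `verify_iterations/1` before any hashing happens. `verify_prf/1` returns the digest atom rather than being called for effect, so the value actually used for derivation is always the one that passed the check.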