[GitHub] abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
URL: https://github.com/apache/couchdb/issues/1183#issuecomment-380029505

> I think the hmac encoding of the username provides only slightly better security, but it is confusing to users. Perhaps the http auth should allow both options at the same time, either the secret directly (#1174), or the encoded username. If an attacker already knows about the secret, it is trivial to generate the tokens, so there is no harm in allowing the secret as a token, if users desire it.

Benefit of encoding username is that it disallows malicious users from accessing others' databases. If we were to allow directly supplying secret - especially when using it with a browser client like pouchdb. If we were to allow both, at least we should document this point.

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards,
Apache Git Services
[GitHub] abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
URL: https://github.com/apache/couchdb/issues/1183#issuecomment-380029505

> I think the hmac encoding of the username provides only slightly better security, but it is confusing to users. Perhaps the http auth should allow both options at the same time, either the secret directly (#1174), or the encoded username. If an attacker already knows about the secret, it is trivial to generate the tokens, so there is no harm in allowing the secret as a token, if users desire it.

Benefit of encoding username is that it disallows malicious users from accessing others' databases. If we were to allow directly supplying secret - especially when using it on client like pouchdb. If we were to allow both, at least we should document this point.
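The difference between the two options discussed in the comment above, as an added example that is not part of the original comment or of CouchDB's code: a token bound to the username versus the raw secret used as the token. The header names and the HMAC-SHA1 construction follow CouchDB's proxy authentication documentation; the function names and sample values are constructed for illustration, and header keys are lowercase as Node's HTTP server presents them.

```javascript
// Added example: username-bound proxy-auth token vs. raw shared secret.
const crypto = require('crypto');

// Hex HMAC-SHA1 of the username, keyed with the proxy secret.
function proxyToken(secret, username) {
  return crypto.createHmac('sha1', secret).update(username, 'utf8').digest('hex');
}

// Constant-time comparison. Lengths are checked first because
// crypto.timingSafeEqual throws when the buffers differ in length.
function safeEqual(a, b) {
  const x = Buffer.from(String(a), 'utf8');
  const y = Buffer.from(String(b), 'utf8');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Username-bound check: the token must be the HMAC of the claimed username.
function verifyUserToken(secret, headers) {
  const user = headers['x-auth-couchdb-username'];
  const token = headers['x-auth-couchdb-token'];
  if (!user || !token) return false;
  return safeEqual(proxyToken(secret, user), token);
}

// Raw-secret check: passes for any claimed username, so it only
// authenticates the sender as a holder of the secret.
function verifyRawSecret(secret, headers) {
  const token = headers['x-auth-couchdb-token'];
  return Boolean(token) && safeEqual(secret, token);
}

// Constructed sample values, not taken from the issue.
const SECRET = 'constructed-demo-secret';
const aliceToken = proxyToken(SECRET, 'alice');
const hdr = (user, token) => ({ 'x-auth-couchdb-username': user, 'x-auth-couchdb-token': token });

function demo() {
  return {
    aliceAsAlice: verifyUserToken(SECRET, hdr('alice', aliceToken)),
    aliceTokenAsBob: verifyUserToken(SECRET, hdr('bob', aliceToken)),
    rawSecretAsAlice: verifyRawSecret(SECRET, hdr('alice', SECRET)),
    rawSecretAsBob: verifyRawSecret(SECRET, hdr('bob', SECRET)),
  };
}

console.log(demo());
```

A client that is handed only its own HMAC token cannot present itself as another user, while a client that is handed the raw secret can, which is the point the comment asks to have documented.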
[GitHub] abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
URL: https://github.com/apache/couchdb/issues/1183#issuecomment-374010917

Just got bitten by this. For a workaround, as @wohali suggested, I'm running a small `express-http-proxy` on the same instance as couchdb which rejects requests if they don't have the proper secret.
[GitHub] abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true
URL: https://github.com/apache/couchdb/issues/1183#issuecomment-374010917

Just got bitten by this. For a workaround, as @wohali suggested, I'm running a small `express-http-proxy` on the same instance as couchdb which rejects requests if they don't have the proxy.