Hi again,
On 4 May 2009, at 23:31, Jason Davies wrote:
> On 29 Apr 2009, at 17:29, Jason Davies wrote:
>> I'm in the finishing stages of writing a cookie-based
>> authentication handler for CouchDB in Erlang. This is primarily
>> going to be useful for CouchApps (apps running purely in CouchDB),
>> but this also touches on a generic way to authenticate users via a
>> CouchDB database, which could be adopted by the current default
>> HTTP Basic auth handler.
>> I've put the code up here: http://github.com/jasondavies/couchdb/tree/master
>> [snip]
>> Still to do:
>> - Use some kind of challenge/response mechanism for logging in via
>> AJAX. At the moment the login handler just takes a plaintext
>> username/password combination sent via POST. I was thinking of
>> using SRP (http://en.wikipedia.org/wiki/Secure_remote_password_protocol),
>> however I believe this would require state to be stored on the
>> server, and maybe isn't appropriate for this.
> I've now implemented SRP auth and it is working merrily. I'm in
> discussions with SRP's inventor, Tom Wu, about a potentially simpler
> protocol as SRP implemented in JavaScript is probably overkill for
> unencrypted HTTP (it is vulnerable to MITM injection attacks of the
> JavaScript code itself, whereas SRP would otherwise protect against
> active attacks). It might be worth supporting a simpler protocol
> sent over SSL too, e.g. plaintext credentials.
> Any suggestions for a more appropriate authentication protocol would
> be much appreciated.
I've now ripped out the SRP code as it was a) too slow for modular
exponentiation with n greater than 256 bits and b) overkill due to
the client code itself being sent over the wire thus losing SRP's
resistance against active attacks. A potential higher-performing
replacement auth protocol is SCRAM but for now I've just implemented
simple plain-text form-based auth, which works even for non-JavaScript
clients. For extra security simply add SSL.
I've now put the code into its own branch here:
http://github.com/jasondavies/couchdb/tree/cookie-auth
A brief write-up here: http://www.jasondavies.com/blog/2009/05/27/secure-cookie-authentication-couchdb/
along with some thoughts on SRP (which is truly awesome and I hope
browsers all support TLS-SRP someday!).
A code review would be appreciated and then hopefully we can get this
into trunk so that CouchApps can use cookie-based auth out-of-the-box.
Thanks,
--
Jason Davies
www.jasondavies.com
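The thread settles on plaintext form login over SSL, with the session then carried in a cookie. The part that has to be right on the server side is the cookie itself: it must be tamper-evident, bound to the user and an issue time, checked in constant time, and expire. Below is an added illustration of that pattern in Python; it is not Jason's Erlang code or anything from the CouchDB branch. The cookie layout (`user:timestamp:mac`), the `session` cookie name, the one-hour lifetime and the in-memory secret are all my own assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed for this example: a per-server secret generated at startup.
# A real deployment would persist it so cookies survive a restart.
SERVER_SECRET = os.urandom(32)

# Assumed lifetime for the example: one hour.
DEFAULT_MAX_AGE = 3600


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so ':' never appears in a field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(username: str, issued_at: int, secret: bytes = SERVER_SECRET) -> str:
    """Build 'user:timestamp:mac'. The HMAC covers both the user and the time,
    so neither can be changed without the server secret."""
    user_b64 = _b64(username.encode("utf-8"))
    signed = f"{user_b64}:{issued_at}".encode("ascii")
    mac = hmac.new(secret, signed, hashlib.sha256).digest()
    return f"{user_b64}:{issued_at}:{_b64(mac)}"


def set_cookie_header(cookie: str) -> str:
    """Set-Cookie value with the flags the plaintext-over-SSL design needs:
    Secure keeps it off unencrypted HTTP, HttpOnly keeps it away from page
    scripts. 'session' is an assumed name for the example."""
    return f"session={cookie}; Path=/; HttpOnly; Secure"


def verify_cookie(cookie: str, now: int, max_age: int = DEFAULT_MAX_AGE,
                  secret: bytes = SERVER_SECRET):
    """Return the username if the cookie is authentic and unexpired, else None."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user_b64, ts_text, mac_text = parts
    if not ts_text.isdigit():
        return None
    # Recompute the MAC over exactly the bytes that were signed at issue time.
    signed = f"{user_b64}:{ts_text}".encode("ascii")
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    try:
        presented = _unb64(mac_text)
        username = _unb64(user_b64).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison: a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, presented):
        return None
    # Reject future-dated cookies and cookies older than max_age.
    issued_at = int(ts_text)
    if issued_at > now or now - issued_at > max_age:
        return None
    return username


if __name__ == "__main__":
    c = issue_cookie("alice", 1000)
    print(set_cookie_header(c))
    print(verify_cookie(c, 1500))        # alice
    print(verify_cookie(c, 1000 + 7200))  # None: expired
```

The order of checks matters: the MAC is verified before any field is trusted, so the timestamp used for the expiry decision is one the server itself signed. Because the login form sends the password in the clear, the `Secure` flag is doing the same job for the cookie that SSL does for the credential; without SSL on the login request neither protection holds, which is the point made above about SRP losing its value when the JavaScript itself travels over plain HTTP.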