On Wed, Jul 7, 2010 at 12:32 PM, J Chris Anderson <jch...@gmail.com> wrote:
>
> On Jul 7, 2010, at 12:01 AM, Jason Smith wrote:
>
>> When is it appropriate for an authentication module to use the _users
>> database (or whatever it is configured to be)?
>>
>> I am investigating OpenID 2.0 support. A requirement is to store a nonce
>> to protect against replay attacks. I am evaluating using a database to
>> store the nonce. (Another option is an ets table but that has its own
>> issues.)
>>
>> The built-in design document IIRC rejects all non-user documents. So
>> storing a nonce as a new document type would require changing that
>> policy in an unclear way.
>
> Does it make sense to add the nonce to the existing user document? That will
> allow a single lookup instead of multiple lookups.

The only potential snag is that you need to store all nonces from the last X minutes (and reject any nonces with a timestamp longer than X minutes ago, as well as nonces which have already been used), so it would need to maintain and trim the list as it goes.

>
>>
>> Would it be better to create a whole new _openid database for the task?
>>
>> Suggestions welcome. Thanks!
>>
>> --
>> Jason Smith
>> Couchio Hosting
>
>

--
Paul Bonser
http://probablyprogramming.com
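
The nonce bookkeeping discussed in this thread, as an added Python example that is not part of the original messages or of CouchDB's code. Assumptions: a plain dict stands in for the user document, the field name `openid_nonces` is hypothetical, and "X minutes" is taken as 5. It goes slightly beyond the thread by also rejecting timestamps too far in the future and by keying each nonce on the OP endpoint.

```python
import calendar
import re
import time

# OpenID 2.0 response_nonce: UTC timestamp, then an optional unique suffix
# of printable ASCII (33-126); at most 255 characters in total.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)[\x21-\x7e]*$")
WINDOW = 300  # assumed value for "X minutes", in seconds


def check_nonce(user_doc, op_endpoint, nonce, now=None, window=WINDOW):
    """Return (accepted, reason) and update user_doc["openid_nonces"] in place.

    user_doc stands in for the user's document; "openid_nonces" is a
    hypothetical field mapping "endpoint nonce" keys to their issue time.
    """
    now = time.time() if now is None else now
    seen = user_doc.setdefault("openid_nonces", {})

    # Trim as we go: a nonce older than the window is rejected on its
    # timestamp alone, so it no longer needs to be remembered.
    for key in [k for k, ts in seen.items() if ts < now - window]:
        del seen[key]

    m = NONCE_RE.match(nonce) if len(nonce) <= 255 else None
    if m is None:
        return False, "malformed"
    try:
        stamp = time.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:  # e.g. month 13
        return False, "malformed"
    issued = calendar.timegm(stamp)

    # abs() also rejects nonces dated too far ahead of our clock.
    if abs(now - issued) > window:
        return False, "outside window"

    # Nonces are only unique per OP endpoint, so the endpoint is in the key.
    key = op_endpoint + " " + nonce
    if key in seen:
        return False, "replayed"
    seen[key] = issued
    return True, "ok"
```

In a real store the read, check and write of the document would have to be atomic (for CouchDB, a conflict on save must count as a rejection), otherwise two concurrent replays can both pass.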