8000
couch-auth session validation fails on valid sessions - CouchDB > v3.4 · Issue #100 · perfood/couch-auth · GitHub
More Web Proxy on the site http://driver.im/
You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a result, new sessions issued by CouchDB are always considered invalid by couch-auth, since there is a digest, iteration and key length mismatch. Among others, this affects all endpoints using middleware auch as requireAuth.
To make things more complicated, CouchDB allows both legacy SHA-1 sessions and SHA-256 sessions in the _users DB for the time being. I'm no expert on the CouchDB internals, but the way I understand it both types need to be supported for now (even though SHA-1 is considered deprecated).
I wrote a quick and naïve hotfix that creates two couch-pwd instances in hashing.ts, one with the legacy and one with the new defaults. The naïve implementations uses the iterations property of the hash_object to determine which couch-pwd instance to use. The hotfix won't work for custom iterations settings, and is only tested for user login and session validation. Also, it doesn't include a hash cache similar to CouchDB, so validation takes (too) long given the high iteration count. In any way, it's not really suitable for a PR, and was solely made to fix prod (note to self: don't ever do a minor CouchDB update on a friday afternoon) 🤷♂
In any way, I'm open for better ideas of how to implement the new password hashing strategy!
The text was updated successfully, but these errors were encountered:
CouchDB > 3.4 moved from SHA-1 to PBKDF2 with SHA-256 for password hashing as a default (see apache/couchdb#4814 and https://docs.couchdb.org/en/stable/whatsnew/3.4.html). Also the default iteration count increased to
600000, and the new key length is32.As a result, new sessions issued by CouchDB are always considered invalid by couch-auth, since there is a digest, iteration and key length mismatch. Among others, this affects all endpoints using middleware auch as
requireAuth.To make things more complicated, CouchDB allows both legacy SHA-1 sessions and SHA-256 sessions in the
_usersDB for the time being. I'm no expert on the CouchDB internals, but the way I understand it both types need to be supported for now (even though SHA-1 is considered deprecated).I wrote a quick and naïve hotfix that creates two couch-pwd instances in
hashing.ts, one with the legacy and one with the new defaults. The naïve implementations uses theiterationsproperty of thehash_objectto determine whichcouch-pwdinstance to use. The hotfix won't work for customiterationssettings, and is only tested for user login and session validation. Also, it doesn't include a hash cache similar to CouchDB, so validation takes (too) long given the high iteration count. In any way, it's not really suitable for a PR, and was solely made to fix prod (note to self: don't ever do a minor CouchDB update on a friday afternoon) 🤷♂In any way, I'm open for better ideas of how to implement the new password hashing strategy!
The text was updated successfully, but these errors were encountered: