Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/04/10 09:09:23 UTC

[GitHub] abhishiv commented on issue #1183: Proxy Authentication doesn't work when proxy_use_secret=true

URL: https://github.com/apache/couchdb/issues/1183#issuecomment-380029505
 
 
   > I think the hmac encoding of the username provides only slightly better security, but it is confusing to users. Perhaps the http auth should allow both options at the same time, either the secret directly (#1174), or the encoded username. If an attacker already knows about the secret, it is trivial to generate the tokens, so there is no harm in allowing the secret as a token, if users desire it.
   
   The benefit of encoding the username is that it disallows malicious users from accessing others' databases. If we were to allow directly supplying the secret - especially when using it on a client like PouchDB.
   
   If we were to allow both, at least we should document this point.
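
The trade-off discussed in this comment, as an added example that is not part of the original comment or CouchDB's own code. It assumes the proxy-auth token is the hex HMAC-SHA1 of the username keyed with the server secret; `SECRET`, the usernames and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample value; stands in for the server-side secret.
SECRET = b"constructed-example-secret"
USERS = ["alice", "bob", "carol"]  # constructed usernames


def user_token(secret: bytes, username: str) -> str:
    """Per-user token: hex HMAC-SHA1 of the username (assumed token format)."""
    return hmac.new(secret, username.encode("utf-8"), hashlib.sha1).hexdigest()


def verify_strict(secret: bytes, username: str, token: str) -> bool:
    """Accept only the HMAC derived from the claimed username."""
    expected = user_token(secret, username).encode("ascii")
    return hmac.compare_digest(expected, token.encode("utf-8"))


def verify_permissive(secret: bytes, username: str, token: str) -> bool:
    """Hypothetical 'allow both' policy: the raw secret is also a valid token."""
    if hmac.compare_digest(secret, token.encode("utf-8")):
        return True
    return verify_strict(secret, username, token)


def reachable_users(verify, secret: bytes, credential: str, usernames):
    """Usernames that a holder of `credential` can authenticate as."""
    return [u for u in usernames if verify(secret, u, credential)]


if __name__ == "__main__":
    alice_token = user_token(SECRET, "alice")
    cases = [
        ("strict, alice's token", verify_strict, alice_token),
        ("permissive, alice's token", verify_permissive, alice_token),
        ("strict, raw secret", verify_strict, SECRET.decode()),
        ("permissive, raw secret", verify_permissive, SECRET.decode()),
    ]
    for label, verify, credential in cases:
        print(f"{label}: {reachable_users(verify, SECRET, credential, USERS)}")
```

A client that is handed only its own per-user token stays confined to one username under either policy; a client that is handed the secret itself is confined to none once the secret is accepted as a token.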
