[Coquelicot] Patchset: add multiuser/pass auth module, add missing i18n tags, add Greek .po

Lunar lunar at anargeek.net
Tue Dec 20 13:49:36 CET 2016


Rowan Thorpe via Coquelicot:
> > ..[snip]..
> > either way. Regarding algo, the go-to scheme I am using for various
> > things at the moment is bcrypting server-side (with crypto-grade
> > random salt and tuning the rounds for the server) for the obvious
> > reasons, and for web-interface code doing bcrypt of the password
> > client-side in javascript where possible too - so the server will only
> > be hashing the received hash-with-salt, and the client can know they
> > are not even trusting the server with their password. Considering the
> > philosophical basis of Coquelicot that seems a particularly relevant
> > approach...

The threat model of Coquelicot assumes that if the server is
compromised, it can send the Javascript code it wants. To follow its
current model where the file is encrypted upon reception by the
server, I think it's fine to go for the easy way for the upload password
as well.

I'm working on a new release. I've used the bcrypt gem for the userpass
authentication mechanism in the end.

-- 
Lunar

