CouchDB now uses PBKDF2 instead of salted hashes

However, only if you pass in an un-encrypted password. This is thus the first step in verifying that doing this won't result in having unencrypted passwords anywhere along the chain.
npm · Feb 23, 2014 · effb4bc · effb4bc
1 parent 33c19d5
commit effb4bc
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 9 deletions.
diff --git a/lib/adduser.js b/lib/adduser.js
@@ -24,8 +24,7 @@ function adduser (username, password, email, cb) {
   var salt = crypto.randomBytes(30).toString('hex')
     , userobj =
       { name : username
-      , salt : salt
-      , password_sha : sha(password + salt)
+      , password : password
       , email : email
       , _id : 'org.couchdb.user:'+username
       , type : "user"
@@ -51,7 +50,7 @@ function adduser (username, password, email, cb) {
   cb = done.call(this, cb, pre)
 
   var logObj = Object.keys(userobj).map(function (k) {
-    if (k === 'salt' || k === 'password_sha') return [k, 'XXXXX']
+    if (k === 'password') return [k, 'XXXXX']
     return [k, userobj[k]]
   }).reduce(function (s, kv) {
     s[kv[0]] = kv[1]

diff --git a/test/adduser-new.js b/test/adduser-new.js
@@ -32,9 +32,7 @@ tap.test("create new user account", function (t) {
 
     req.on("end", function () {
       var o = JSON.parse(b)
-      var salt = o.salt
-      userdata.salt = salt
-      userdata.password_sha = sha(password + salt)
+      userdata.password = password
       userdata.date = o.date
       t.deepEqual(o, userdata)
 

diff --git a/test/adduser-update.js b/test/adduser-update.js
@@ -47,9 +47,7 @@ tap.test("update a user acct", function (t) {
 
     req.on("end", function () {
       var o = JSON.parse(b)
-      var salt = o.salt
-      userdata.salt = salt
-      userdata.password_sha = sha(password + salt)
+      userdata.password = password
       userdata.date = o.date
       t.deepEqual(o, userdata)