Jay Doane
Jay Doane
Given that we may be dropping OTP 20 support "soon", what happens when you try a more modern version like [3.18.0](https://github.com/erlang/rebar3/releases/tag/3.18.0) or main? Guessing that won't help with the NIF...
I think another issue with this change is that it breaks cookie auth for rolling upgrades since a cookie issued by a sha1 node won't be readable by a sha256...
> the config proposal would appear to achieve it? upgrade all the nodes first then config:set to the new algorithm on all nodes afterward. In this scenario would not cookies...
In Cloudant's implementation of IAM auth (primarily written by Bob) exists an implementation of IAM session cookies, which are similar to regular session cookies, except that they use IAM access...
> otherwise we'd have to add some new code to only allow hmac-sha1 cookies for some period of time (as session cookies are auto-extended through active use). I was considering...
That sounds pretty good, Bob. I would suggest making the code general enough so that it can also be used for upgrading to `sha512` (or whatever) in a few years....
I was considering a list of acceptable cookie hash algorithms in a single config variable, where the first element of the list is the preferred hash, while the others are...
Not sure if this is useful, but I wrote a function to set admin passwords that could maybe be used and/or repurposed? The idea is that it takes a while...
I'm not familiar with fauxton: does it use the _config endpoint to configure admin users? If so, it would seem we'd need to expose a new endpoint for `set_cluster_admin_password` functionality....
To sync salts, we could modify [this code](https://github.com/apache/couchdb/blob/master/src/couch/src/couch_passwords.erl#L44-L49) something like this: ```diff diff --git a/src/couch/src/couch_passwords.erl b/src/couch/src/couch_passwords.erl index baf78f5d5..403b057ba 100644 --- a/src/couch/src/couch_passwords.erl +++ b/src/couch/src/couch_passwords.erl @@ -41,18 +41,24 @@ hash_admin_password(ClearPassword) when is_binary(ClearPassword)...