couch-auth session validation fails on valid sessions - CouchDB > v3.4
CouchDB > 3.4 moved from SHA-1 to PBKDF2 with SHA-256 for password hashing as a default (see https://github.com/apache/couchdb/pull/4814 and https://docs.couchdb.org/en/stable/whatsnew/3.4.html). Also the default iteration count increased to 600000, and the new key length is 32.
As a result, new sessions issued by CouchDB are always considered invalid by couch-auth, since there is a digest, iteration and key length mismatch. Among others, this affects all endpoints using middleware such as requireAuth.
To make things more complicated, CouchDB allows both legacy SHA-1 sessions and SHA-256 sessions in the _users DB for the time being. I'm no expert on the CouchDB internals, but the way I understand it both types need to be supported for now (even though SHA-1 is considered deprecated).
I wrote a quick and naïve hotfix that creates two couch-pwd instances in hashing.ts, one with the legacy and one with the new defaults. The naïve implementation uses the iterations property of the hash_object to determine which couch-pwd instance to use. The hotfix won't work for custom iterations settings, and is only tested for user login and session validation. Also, it doesn't include a hash cache similar to CouchDB, so validation takes (too) long given the high iteration count. In any way, it's not really suitable for a PR, and was solely made to fix prod (note to self: don't ever do a minor CouchDB update on a Friday afternoon) 🤷‍♂️
In any way, I'm open for better ideas of how to implement the new password hashing strategy!
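An added example, not part of the original post and not couch-auth's or the fork's code: instead of choosing a hasher from the iteration count, it reads every PBKDF2 parameter from the stored hash object, so legacy SHA-1, new SHA-256 and custom iteration counts all verify. The field names `salt`, `derived_key` and `pbkdf2_prf`, the helper names and the iteration bound are assumptions.

```javascript
// Added example, not couch-auth or CouchDB code. The field names (salt,
// derived_key, iterations, pbkdf2_prf) are assumed to follow CouchDB user docs.
const { pbkdf2Sync, timingSafeEqual } = require('node:crypto');

// CouchDB PRF name -> [Node digest name, derived key length in bytes]
const PRFS = new Map([['sha', ['sha1', 20]], ['sha256', ['sha256', 32]]]);
const MAX_ITERATIONS = 10000000; // constructed upper bound on work per check

// Read the PBKDF2 parameters from the stored hash object, not from defaults.
function paramsFor(hashObj) {
  if (hashObj === null || typeof hashObj !== 'object') return null;
  const stored = Buffer.from(String(hashObj.derived_key || ''), 'hex');
  // Legacy objects carry no pbkdf2_prf: fall back to the stored key length.
  const prf = hashObj.pbkdf2_prf || (stored.length === 32 ? 'sha256' : 'sha');
  const entry = PRFS.get(prf);
  const iterations = Number(hashObj.iterations);
  if (!entry || stored.length !== entry[1]) return null;
  if (!Number.isInteger(iterations) || iterations < 1) return null;
  if (iterations > MAX_ITERATIONS) return null;
  if (typeof hashObj.salt !== 'string' || hashObj.salt.length === 0) return null;
  return { digest: entry[0], keylen: entry[1], iterations, stored };
}

// True only if the password reproduces the stored key under those parameters.
function verifyPassword(hashObj, password) {
  const p = paramsFor(hashObj);
  if (p === null || typeof password !== 'string') return false;
  const derived = pbkdf2Sync(password, hashObj.salt, p.iterations, p.keylen, p.digest);
  return timingSafeEqual(derived, p.stored); // lengths already checked equal
}

// Build a hash object the same way; used here to construct the SHA-256 sample.
function makeHashObject(password, salt, iterations, prf) {
  const [digest, keylen] = PRFS.get(prf);
  const key = pbkdf2Sync(password, salt, iterations, keylen, digest);
  return { salt, iterations, pbkdf2_prf: prf, derived_key: key.toString('hex') };
}

// Constructed samples: a legacy object (RFC 6070 PBKDF2-HMAC-SHA1 vector for
// "password"/"salt", 4096 iterations) and a new-style one with 600000 rounds.
const legacySession = { salt: 'salt', iterations: 4096,
  derived_key: '4b007901b765489abead49d926f721d065a429c1' };
const newSession = makeHashObject('s3ss10n-t0ken', '0a1b2c3d4e5f', 600000, 'sha256');

console.log('legacy SHA-1 object:', verifyPassword(legacySession, 'password'));
console.log('new SHA-256 object:', verifyPassword(newSession, 's3ss10n-t0ken'));
```

Objects with an unknown PRF, a key length that does not match the PRF, or an out-of-range iteration count are rejected before any key derivation runs.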
@chrispahm how has it been working for you? Would you mind creating a PR now?
It's working so far. Some couch-auth tests are failing (e.g. the custom settings for iterations and some other thing we don't use), that's why I didn't create a PR yet. The changes I made are live on my fork → https://github.com/perfood/couch-auth/compare/master...chrispahm:couch-auth:master. I could open a PR, but unfortunately can't commit to fix the tests!