Closed tarqd closed 13 years ago
Would be nice, yep. :-)
I was looking through your code trying to understand how it works and attempt to add it and I couldn't find an instance of mongo.Db used anywhere (how does that work without actually using mongo.db?). In order to add authentication I'd need to call db.authenticate(), right?
Mongolian Deadbeef bypasses all the db/collection/cursor cruft in mongodb-native and accesses the raw connection stream. You'll need to re-implement the authenticate method.
Off the top of my head, the code will probably look something like:
MongolianDB.prototype.authenticate = function(username, password, callback) {
    var self = this
    // Ask the server for a one-time nonce
    self.queryCommand({ getnonce:1 }, safetyNet(callback, function(nonce) {
        // Password digest, then the key that binds it to this nonce
        var hash_password = MD5.hex_md5(username + ":mongo:" + password)
        var key = MD5.hex_md5(nonce + username + hash_password)
        self.queryCommand({ authenticate:1, user:username, nonce:nonce, key:key }, callback)
    }))
}
Isn't that a lot cleaner than using the mongodb-native stuff? :-)
Would love to use this, but need some way to authenticate.
Charuru: can you write a simple test case for how you envision using authenticate?
I'd recommend being able to do
var db = server.db("dat_database", { user: "foo", pass: "bar"});
// or
var db = server.db("dat_db", user, pass);
And then lazily authenticate (if the user makes a query or gets a collection and a user/pass are passed, do the authentication first silently). Of course having a
db.authenticate(user, pass, callback);
Would be nice as well
Following the mongodb shell reference, looks like we want:
db.auth(user,pass)
and db.addUser(user,pass)
Yeah, sounds good :)
Definitely! If we don't need a callback for the db.auth method that would really help keep our code clear and concise (which is amazing in node because I'm getting tired of callback hell)
A callback shouldn't be necessary unless you wanted to know immediately that the authentication worked for whatever reason (otherwise you wouldn't find out until you made your first request).
The password will be stored in memory, though, with this approach—a concern for the security conscious—but I'm going to ignore that problem because I don't think it's the weakest link in this security swiss cheese. ;-)
Yeah I don't think that's too big a problem (if someone can read the memory of your application there are probably bigger problems at hand). Looking forward to seeing this added to Mongolian :)
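The nonce/key exchange sketched earlier in the thread, combined with the lazy, callback-free db.auth idea, as an added example that is not part of the thread or of Mongolian DeadBeef's own code. `lazyAuth`, `sendCommand` and `fakeServer` are hypothetical names, and the server is constructed in memory. It retains only the password digest instead of the plaintext, though that digest is itself enough to authenticate and needs the same protection as a password.

```javascript
const crypto = require('crypto');
const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');

// Password digest, as in the snippet earlier in the thread.
function passwordDigest(username, password) {
  return md5hex(username + ':mongo:' + password);
}
// Per-nonce key proving knowledge of the digest.
function authKey(nonce, username, digest) {
  return md5hex(nonce + username + digest);
}

// Hypothetical lazy authenticator. sendCommand(cmd, cb) is an assumed
// transport that calls cb(err, reply). Only the digest is kept in memory.
function lazyAuth(sendCommand, username, password) {
  const digest = passwordDigest(username, password);
  let done = false;
  let pending = null;
  return function ensureAuthenticated(callback) {
    if (done) return callback(null);
    if (pending) return void pending.push(callback); // handshake in flight
    pending = [callback];
    const finish = (err) => {
      done = !err; // a failed attempt is retried on the next call
      const waiters = pending;
      pending = null;
      waiters.forEach((cb) => cb(err));
    };
    sendCommand({ getnonce: 1 }, (err, reply) => {
      if (err) return finish(err);
      const key = authKey(reply.nonce, username, digest);
      const cmd = { authenticate: 1, user: username, nonce: reply.nonce, key };
      sendCommand(cmd, (err2, res) =>
        finish(err2 || (res && res.ok ? null : new Error('authentication failed'))));
    });
  };
}

// Constructed stand-in for the server side: stores digests, issues one-time nonces.
function fakeServer(storedDigests) {
  let nonce = null;
  const log = [];
  function send(cmd, cb) {
    log.push(Object.keys(cmd)[0]);
    if (cmd.getnonce) { nonce = crypto.randomBytes(8).toString('hex'); return cb(null, { nonce, ok: 1 }); }
    const digest = storedDigests[cmd.user];
    const ok = !!digest && cmd.nonce === nonce && authKey(nonce, cmd.user, digest) === cmd.key;
    nonce = null; // a nonce is valid for one attempt only
    cb(null, { ok: ok ? 1 : 0 });
  }
  return { send, log };
}
```

Queries would call `ensureAuthenticated` first, so the handshake runs once on first use and later calls return immediately.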
When do you think this will be implemented in mongolian? I can't wait to use it in my project :)
I don't want to promise anything. :-) I'll add it when I can.
Are you planning on supporting usernames/passwords for databases?