mcollina
commented
7 years ago @isdrupter the password is hashed only when the login happen, with the password given by the user: https://github.com/mcollina/mosca/blob/master/lib/authorizer.js#L99-L102. I do not understand what you are proposing. The problem with hashing password is that the longer hashing takes, the more secure your application is.
I'm glad that you find the internal authorizer useful! If you have any particular suggestion, feel free to send a PR.
We might as well stop accepting new clients if we are too busy, maybe integrating http://npm.im/loopbench. in the connect phase. In this way, we will avoid the event loop starvation that you are experiencing.
isdrupter
I'm surprised that I don't see anyone else mentioning this, because it's been an issue ever since I started using mosca. When I run mosca with over ~4000 clients, and the server is restarted, the CPU locks up when the clients begin to reconnect, and mosca goes into and endless loop-- about 5000 clients will connect, and than that number falls back down to about 2500, and than bounces back up to 5000, and repeats. This is because the server is recomputing the client's password hash every time a single client connects, which takes up enormous CPU resources when there are thousands, or tens of thousands of clients.
I was able to fix this issue by editing the authorizer.js, and disabling the hashing of the passwords, and instead authenticate by comparing the password to a plaintext string. Obviously this hackish work-around is neither ideal nor secure.
Perhaps a better solution would be to add an option to hash the passwords once at startup, and keep them in memory, to eliminate the need to recompute the hash upon every single client connection. I know it's not quite as secure, but at least it would be functional.