onepiecejs / nodejs-cantas

Cantas is a real-time collaborative web application. Official repository

fix #94 #97

Closed tkdchen closed 9 years ago

tkdchen commented 9 years ago

An empty password, where an empty string is stored in the password field of each User document, has a potential security problem. Set an unusable password on newly created users when using the Kerberos and RemoteUser strategies.

The idea of setting an unusable password is borrowed from django.contrib.auth. The pbkdf2 algorithm is adopted as the default encryption algorithm. Due to the limitation of the old version of nodejs that we have to support, sha1 is used for now instead of sha256. This can be changed in the future once Cantas moves to the latest version.

Although this patch is for setting an unusable password, the solution also allows encrypting a user's password before storing it in the database in a normal authentication use case.

tkdchen commented 9 years ago

Merged.