Create Sync Gateway user without a password

[Constantine Kozak]

I want to use a custom auth provider and create a session in SG by calling POST /$DB/_session. But documentation says that I this request may return 404 if a user doesn't exist in DB so I need to create it. When I try to create a user calling PUT /$DB/_user/$id it requires a password but I don't want to store a password in SG/CDB because I'll need to keep it with sync with a password in an external auth system. 

I could provide a dummy password but how to ensure that nobody will be able to login using this dummy password? Or is there a better way to deal with a user creation without a password?

[Jens Alfke]

On Feb 13, 2015, at 2:11 AM, Constantine Kozak <mak...@gmail.com> wrote:

I want to use a custom auth provider and create a session in SG by calling POST /$DB/_session. But documentation says that I this request may return 404 if a user doesn't exist in DB so I need to create it. When I try to create a user calling PUT /$DB/_user/$id it requires a password but I don't want to store a password in SG/CDB because I'll need to keep it with sync with a password in an external auth system. 

If you’re using custom auth and users won’t be authenticating directly with SG, then just set the password to a random string (should be at least 128 bits of entropy generated by a secure random number generator.) You don’t need to remember that password anywhere; the user’s never going to need it, and you don’t need it on the server side either.

—Jens