Authentication mechanism for REST request


BSingh

Oct 12, 2013, 3:53:01 AM
to moch...@googlegroups.com
Hi All: 

I have an Erlang app and recently added REST support using Mochiweb. I couldn't find any way for authentication so just curious to know what are all the methods, standard practices being used. One way could be to get password in text format and extract using proplists & convert to md5 hex for further comparison or get md5 converted for better security.
Please share your views, and would be great to see any working snippet. 

Thanks 
bsingh

Bob Ippolito

Oct 20, 2013, 5:41:33 PM
to moch...@googlegroups.com
mochiweb is a relatively low-level library for building web servers; it's not a web framework that would prescribe any particular methods for doing tasks such as authentication. That said, mochiweb_session would be useful for authenticating users after you have logged them in. The methodology that you would use to log a user in is application dependent and depends a lot on the capabilities of the clients you are connecting with and whether the transport is HTTP or HTTPS.


Dave Cottlehuber

Oct 21, 2013, 5:09:09 AM
to BSingh, moch...@googlegroups.com
Hi bsingh

MD5 is certainly not what you want to do here. Read up on scrypt, bcrypt, and pbkdf2; the top Google links should do fine. There are Erlang versions of all of these, usually as NIFs.

TL;DR MD5 is not secure enough, and you need to use a salted repeated hash function to make attacking passwords more complex.

For a complete but very complex example, you might want to take a look at CouchDB, where we use both mochiweb and also pbkdf2 for storing and hashing user passwords. https://github.com/apache/couchdb/blob/master/src/couchdb/couch_passwords.erl is where the hashing magic happens.
-- 
Dave Cottlehuber
Sent with Airmail
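
The salted, repeated hashing recommended in the reply above, sketched as an added example; it is not part of the thread and is not CouchDB's code. The module name `rest_auth_example`, the iteration count and the record layout are assumptions, and the Authorization header value is assumed to arrive as a string.

```erlang
%% Added example; not code from the thread or from CouchDB.
%% Requires OTP 25+ (crypto:pbkdf2_hmac/5 and crypto:hash_equals/2).
-module(rest_auth_example).
-export([new_record/1, verify/2, basic_credentials/1, demo/0]).

-define(ITERATIONS, 600000).   % assumed work factor; tune for your hardware
-define(SALT_BYTES, 16).
-define(KEY_BYTES, 32).

%% Build the record to store in place of the password: a per-user random
%% salt, the iteration count, and the derived key.
new_record(Password) when is_binary(Password) ->
    Salt = crypto:strong_rand_bytes(?SALT_BYTES),
    {pbkdf2_sha256, ?ITERATIONS, Salt, derive(Password, Salt, ?ITERATIONS)}.

%% Recompute with the stored salt and iterations; compare in constant time.
verify(Password, {pbkdf2_sha256, Iter, Salt, Stored})
  when is_binary(Password), byte_size(Stored) =:= ?KEY_BYTES ->
    crypto:hash_equals(derive(Password, Salt, Iter), Stored);
verify(_, _) ->
    false.

derive(Password, Salt, Iter) ->
    crypto:pbkdf2_hmac(sha256, Password, Salt, Iter, ?KEY_BYTES).

%% Parse the value of an "Authorization: Basic ..." header. Basic carries
%% the password base64-encoded, not encrypted, so accept it over https only.
%% Splits on the first ":" so passwords may contain colons.
basic_credentials("Basic " ++ B64) ->
    try binary:split(base64:decode(B64), <<":">>) of
        [User, Pass] when User =/= <<>> -> {ok, User, Pass};
        _ -> error
    catch
        _:_ -> error
    end;
basic_credentials(_) ->
    error.

%% Constructed sample: header for user "alice" with password "s3cret:pw".
demo() ->
    Rec = new_record(<<"s3cret:pw">>),
    Hdr = "Basic " ++ binary_to_list(base64:encode(<<"alice:s3cret:pw">>)),
    {ok, <<"alice">>, Pass} = basic_credentials(Hdr),
    true = verify(Pass, Rec),
    false = verify(<<"wrong">>, Rec),
    error = basic_credentials("Bearer abc"),
    ok.
```

Calling `rest_auth_example:demo()` in an Erlang shell returns `ok` if every match holds; in a handler, the string passed to `basic_credentials/1` would be the request's Authorization header value.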