View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006899 | Taler | obsolete component | public | 2021-06-09 15:38 | 2022-11-04 20:53 |
| Reporter | Florian Dold | Assigned To | MS | ||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | git (master) | ||||
| Target Version | 0.9 | Fixed in Version | 0.9 | ||
| Summary | 0006899: bank requires expensive computation on every API call with authorization | ||||
| Description | The bank uses hashed+salted passwords for API authentication. Unlike with human users, where the authentication check is done once at login (and then only a signed cookie is verified), checking a password for *every* request is rather expensive. We could: (a) move to plain text API keys; (b) cache hashes of successful logins in memory. As a further complication in the pybank, we need to somehow work around the built-in django authentication system and do our own checks. | ||||
| Tags | No tags attached. | ||||

What I do not get is that usually (in a good design), the (expensive) hash should be done on the client-side ONLY. After all, the HASH is what should be sent over the network, and a HASH of the password/passphrase is what we should store locally on the server-side. So why is this a problem in the first place?

This will be fixed when we migrate to libeufin as the existing Pybank should just die.

Moved to libeufin.
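
The second option in the description, caching successful logins in memory, could look like the following added example (not code from pybank or libeufin). PBKDF2, the iteration count, the TTL and the name `CachingAuthenticator` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter for the slow hash


def hash_password(password, salt=None):
    """Build the (salt, slow_hash) record that is stored server-side."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class CachingAuthenticator:
    def __init__(self, db, ttl=300.0):
        self.db = db                # username -> (salt, slow_hash)
        self.ttl = ttl              # seconds a successful login stays cached
        self.key = os.urandom(32)   # per-process key, never written to disk
        self.cache = {}             # username -> (tag, expiry)
        self.kdf_calls = 0          # number of slow-path verifications

    def _tag(self, salt, stored, password):
        # Keyed fast digest of the presented password. Mixing in the stored
        # record means a password change invalidates the cached entry.
        return hmac.new(self.key, salt + stored + password.encode(), hashlib.sha256).digest()

    def check(self, username, password, now=None):
        now = time.monotonic() if now is None else now
        record = self.db.get(username)
        if record is None:
            return False
        salt, stored = record
        tag = self._tag(salt, stored, password)
        cached = self.cache.get(username)
        if cached and now < cached[1] and hmac.compare_digest(cached[0], tag):
            return True             # fast path: one HMAC instead of the KDF
        self.kdf_calls += 1         # slow path: full salted-hash verification
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(derived, stored):
            return False            # failed attempts are never cached
        self.cache[username] = (tag, now + self.ttl)
        return True
```

The cached tag is a fast digest, so anyone who can read the process memory (key and tag) can test password guesses without paying the KDF cost; wrong guesses over the API still take the slow path and need rate limiting as before.
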
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2021-06-09 15:38 | Florian Dold | New Issue | |
| 2021-06-09 15:38 | Florian Dold | Status | new => assigned |
| 2021-06-09 15:38 | Florian Dold | Assigned To | => Christian Grothoff |
| 2021-06-10 14:30 | Christian Grothoff | Note Added: 0017946 | |
| 2021-07-13 06:47 | Christian Grothoff | Assigned To | Christian Grothoff => |
| 2021-07-13 06:47 | Christian Grothoff | Status | assigned => confirmed |
| 2021-07-19 14:53 | Christian Grothoff | Summary | merchant and bank require expensive computation on every API call with authorization => bank requires expensive computation on every API call with authorization |
| 2021-07-19 14:53 | Christian Grothoff | Description Updated | |
| 2021-07-19 14:53 | Christian Grothoff | Note Added: 0017999 | |
| 2021-07-19 14:53 | Christian Grothoff | Assigned To | => MS |
| 2021-07-19 14:53 | Christian Grothoff | Status | confirmed => assigned |
| 2021-08-01 15:15 | Christian Grothoff | Category | other => bank (demonstrator) |
| 2021-08-01 15:15 | Christian Grothoff | Product Version | => git (master) |
| 2021-08-01 15:15 | Christian Grothoff | Target Version | => 0.9 |
| 2022-07-18 17:46 | Christian Grothoff | Status | assigned => resolved |
| 2022-07-18 17:46 | Christian Grothoff | Resolution | open => fixed |
| 2022-07-18 17:46 | Christian Grothoff | Fixed in Version | => 0.9 |
| 2022-07-18 17:46 | Christian Grothoff | Note Added: 0018960 | |
| 2022-08-23 20:26 | Christian Grothoff | Category | bank (demonstrator) => py bank (demonstrator, obsolete) |
| 2022-11-04 20:53 | Christian Grothoff | Status | resolved => closed |
| 2023-12-03 01:23 | Christian Grothoff | Category | py bank (demonstrator, obsolete) => obsolete componet |
| 2023-12-11 20:08 | Florian Dold | Category | obsolete componet => obsolete component |