View Issue Details

ID: 0006899
Project: Taler
Category: other
View Status: public
Last Update: 2021-06-10 14:30
Reporter: Florian Dold
Assigned To: Christian Grothoff
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: assigned
Resolution: open
Summary: 0006899: merchant and bank require expensive computation on every API call with authorization
Description:
Both the merchant and the bank use hashed+salted passwords for API authentication.

Unlike with human users, where the authentication check is done once at login (and then only a signed cookie is verified), checking a password for *every* request is rather expensive.

We could:
* move to plain text API keys
* cache hashes of successful logins in memory

As a further complication in the pybank, we need to somehow work around the built-in django authentication system and do our own checks.
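The second option from the list above (cache the result of a successful password check in memory so that only the first request of a session pays for the slow KDF) is sketched here as an added example. It is not Taler code and does not touch the merchant, the bank or Django; `CachedAuthenticator`, `make_password_record` and `verify_slow` are names chosen for this illustration, and PBKDF2 stands in for whatever salted hash the real services use. The cache is keyed by a per-process peppered HMAC of the presented credentials, so a wrong password never hits the cache and a dumped cache cannot be used to recover passwords offline; entries expire after a TTL and can be invalidated explicitly (e.g. on password change).

```python
import hashlib
import hmac
import os
import time

# Deliberately expensive KDF settings, to make the per-request cost the
# issue describes visible; the cache TTL is a few minutes, like a session.
PBKDF2_ITERATIONS = 100_000
CACHE_TTL_SECONDS = 300


def make_password_record(password: str) -> dict:
    """Salted, stretched record the server stores when the account is created."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_slow(record: dict, password: str) -> bool:
    """Full KDF check: this is the expensive path the cache is meant to avoid."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


class CachedAuthenticator:
    """Password check with an in-memory cache of recent successful logins."""

    def __init__(self, records: dict, ttl: float = CACHE_TTL_SECONDS, clock=time.monotonic):
        self._records = records          # username -> password record
        self._ttl = ttl
        self._clock = clock              # injectable for tests
        self._cache = {}                 # username -> (credential token, expiry)
        # Per-process secret: cache entries are meaningless outside this process,
        # so a memory dump does not yield an offline-crackable password hash.
        self._pepper = os.urandom(32)
        self.slow_checks = 0             # how often the expensive path ran

    def _token(self, username: str, password: str) -> bytes:
        # Cheap keyed hash of the presented credentials; the NUL separator
        # prevents ambiguity between (user, pass) pairs.
        msg = username.encode() + b"\0" + password.encode()
        return hmac.new(self._pepper, msg, "sha256").digest()

    def authenticate(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            return False
        now = self._clock()
        token = self._token(username, password)
        hit = self._cache.get(username)
        if hit is not None:
            cached_token, expiry = hit
            if now < expiry and hmac.compare_digest(cached_token, token):
                return True              # fast path: same credentials as a recent success
        # Cache miss, expired entry, or different password: pay for the KDF.
        self.slow_checks += 1
        if not verify_slow(record, password):
            return False                 # failures are never cached
        self._cache[username] = (token, now + self._ttl)
        return True

    def invalidate(self, username: str) -> None:
        """Drop the cached entry, e.g. after a password change or logout."""
        self._cache.pop(username, None)


if __name__ == "__main__":
    # Constructed demo account; the password is not a real credential.
    users = {"alice": make_password_record("correct horse battery staple")}
    auth = CachedAuthenticator(users)
    for _ in range(3):
        t0 = time.perf_counter()
        ok = auth.authenticate("alice", "correct horse battery staple")
        print(f"ok={ok} slow_checks={auth.slow_checks} took={time.perf_counter() - t0:.4f}s")
```

A guessed password always takes the slow path, so the cache does not weaken brute-force resistance; it only removes the repeated cost for a client that keeps sending the credentials it already proved once. The trade-off to keep in mind is that a password change takes effect for an already-cached client only after `invalidate()` or TTL expiry.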
Tags: No tags attached.


Christian Grothoff (manager), 2021-06-10 14:30, note ~0017946:

What I do not get is that usually (in a good design), the (expensive) hash should be done on the client-side ONLY. After all, the HASH is what should be sent over the network, and a HASH of the password/passphrase is what we should store locally on the server-side. So why is this a problem in the first place?

Issue History

Date Modified Username Field Change
2021-06-09 15:38 Florian Dold New Issue
2021-06-09 15:38 Florian Dold Status new => assigned
2021-06-09 15:38 Florian Dold Assigned To => Christian Grothoff
2021-06-10 14:30 Christian Grothoff Note Added: 0017946