View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0006899||Taler||other||public||2021-06-09 15:38||2021-06-10 14:30|
|Reporter||Florian Dold||Assigned To||Christian Grothoff|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Summary||0006899: merchant and bank require expensive computation on every API call with authorization|
|Description||Both the merchant and the bank uses hashed+salted passwords for API authentication.|
Unlike with human users, where the authentication check is done once at login (and then only a signed cookie is verified), checking a password for *every* request is rather expensive.
* move to plain text API keys
* cache hashes of successful logins in memory
As a further complication in the pybank, we need to somehow work around the built-in django authentication system and do our own checks.
|Tags||No tags attached.|
||What I do not get is that usually (in a good design), the (expensive) hash should be done on the client-side ONLY. After all, the HASH is what should be sent over the network, and a HASH of the password/passphrase is what we should store locally on the server-side. So why is this a problem in the first place?|