Cloudant auth: lacks _users database

In fact, cloudant does not support the hash value generation. I found this alternative that helps to use the _users db in the cloudant service...

https://github.com/doublerebel/cloudant-user


As of 2020, Cloudant hashes the password but doesn't use the same hashing algorithm as CouchDB currently does (pbkdf2). For better security and compatibilty, it is still advisable to generate the hash yourselves, e.g. with couch-pwd.

And instead of supplying

{ "cloudant": { "nobody": ["_reader", "_writer", "_admin"] }, "readers": { "names":["demo"],"roles":[] } }

The docs now suggest the couchdb_auth_only flag:

{
  "couchdb_auth_only": true,
  "members": {
      "names": ["demo"],"roles":[]
  },
  "admins": {
      "names": ["admin"],"roles":[]
  }
}

But mind that the _admin role is not set automatically as in CouchDB 3.


I found the answer via #cloudant IRC:

09:59 <+kocolosk> creating _users was the right thing to do

09:59 <+kocolosk> the API matches an older version of CouchDB where the passwords needed to hashed client-side

10:00 < jbeard> oh, I see

10:00 <+kocolosk> we're addressing that lack of support for automatic hashing

10:01 < jbeard> I'm trying to find documentation on client-side hashing in Couch.

10:02 < jbeard> What version of Couch is Cloudant aiming to be compatible with for _users?

10:04 <+kocolosk> jbeard: http://wiki.apache.org/couchdb/Security_Features_Overview

10:04 <+kocolosk> see "Generating password_sha (only applicable for 1.1.x and earlier)"

10:04 <+kocolosk> jbeard: this particular feature is the last bit where we are compatible with 1.1.x but not newer version

10:05 < jbeard> Excellent

10:05 < jbeard> That's what I needed to know