Verify that auth-related properties are well-formed

Passing unexpected values to auth fields can result in server issues. Notably, setting "iterations" to a string will cause an infinite loop as the comparison 'when Iteration > Iterations' will never evaluate to true. The latest validate_doc_update prevents user docs with this problem and administrators can deploy that check themselves (and only administrators can edit design documents). A server administrator can also insist on lower and upper bounds for iteration count to reject weakly protected passwords and resource-hungry passwords respectively. COUCHDB-2221
apache · Apr 6, 2014 · 9d61faf · 9d61faf
1 parent 1d31c3a
commit 9d61faf
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/src/config/auth.rst b/src/config/auth.rst
@@ -166,6 +166,30 @@ Authentication Configuration
       [couch_httpd_auth]
       iterations = 10000
 
+  .. config:option:: min_iterations :: Minimum PBKDF2 iterations count
+
+    .. versionadded:: 1.6
+
+    The minimum number of iterations allowed for passwords hashed by
+    the PBKDF2 algorithm. Any user with fewer iterations is forbidden.
+
+    ::
+
+      [couch_httpd_auth]
+      min_iterations = 100
+
+  .. config:option:: max_iterations :: Maximum PBKDF2 iterations count
+
+    .. versionadded:: 1.6
+
+    The maximum number of iterations allowed for passwords hashed by
+    the PBKDF2 algorithm. Any user with greater iterations is forbidden.
+
+    ::
+
+      [couch_httpd_auth]
+      max_iterations = 100000
+
 
   .. config:option:: proxy_use_secret :: Force proxy auth use secret token