kat.io
November 15, 2016, 6:33pm
1
Hi all.
When creating a Sync Gateway (SG) user via curl (just like the code below), SG automatically hashes or bcrypts the password.
curl -X PUT 'domain-here.com:4985/sync_gateway/_user/usernameHere' -d '{"name": "usernameHere", "password": "pwHere", "admin_channels": ["channelNameHere"]}'
I noticed that the same password produced a different hash. My question is, does this mean that we don’t need to add salt since SG is already doing this? Does SG also take care of adding a secret key?
Thanks in advance!
adamf
November 15, 2016, 7:35pm
2
That’s correct - Sync Gateway manages the bcrypt encoding of the password. There’s no additional configuration required for consumers.
Sync Gateway uses the standard golang bcrypt library (https://godoc.org/golang.org/x/crypto/bcrypt), which calculates its own randomly generated salt.
1 Like
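An added illustration, not part of the original replies and not Sync Gateway's own code: a bcrypt hash string carries its cost and salt inside it, which is why the same password hashes differently each time and no separate salt setting exists. The Go code below uses only the standard library to split such a string into its fields; the sample hashes are constructed for shape only, and `ParseBcrypt` and `SameSalt` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Layout of a bcrypt hash: $<version>$<2-digit cost>$<22-char salt><31-char digest>
var bcryptRe = regexp.MustCompile(`^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$`)

// Parsed holds the fields embedded in one stored bcrypt hash.
type Parsed struct{ Version, Salt, Digest string; Cost int }

// ParseBcrypt (hypothetical helper) splits a stored hash into its fields.
func ParseBcrypt(h string) (Parsed, error) {
	m := bcryptRe.FindStringSubmatch(h)
	if m == nil {
		return Parsed{}, fmt.Errorf("not a bcrypt hash string")
	}
	cost, _ := strconv.Atoi(m[2]) // the regexp guarantees two digits
	if cost < 4 || cost > 31 {    // bcrypt's valid cost range
		return Parsed{}, fmt.Errorf("cost %d outside 4..31", cost)
	}
	return Parsed{Version: m[1], Cost: cost, Salt: m[3], Digest: m[4]}, nil
}

// SameSalt (hypothetical helper) reports whether two hashes share a salt.
func SameSalt(a, b string) (bool, error) {
	pa, errA := ParseBcrypt(a)
	pb, errB := ParseBcrypt(b)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("unparseable hash")
	}
	return pa.Salt == pb.Salt, nil
}

// Constructed samples: correct shape only, not real bcrypt output.
var (
	sampleA = "$2a$10$" + strings.Repeat("A", 22) + strings.Repeat("x", 31)
	sampleB = "$2a$10$" + strings.Repeat("B", 22) + strings.Repeat("y", 31)
)

func main() {
	fmt.Println(SameSalt(sampleA, sampleB)) // two hashes, two different salts
}
```

Two hashes of one password that report the same salt, or a value that fails to parse at all, would indicate the store is not holding ordinary bcrypt output.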
kat.io
November 15, 2016, 10:56pm
3
Thank you for responding… What about a secret key? Does Sync Gateway also handle it? If not, how can we add a secret key? Is it via the SG config file?
Thanks.
jens
November 15, 2016, 11:26pm
4
There’s no secret key needed. You don’t need to configure anything; it’s secure by default.
kat.io
November 16, 2016, 12:00am
5
Ok. This also answers my questions. Thanks.