Marius Mauch

So now I'm at the point where I need to work on the authentication part for the stats server code, and I noticed that my plan to use http digest authentication doesn't work as that requires to store the plaintext password of clients on the server which I'd like to avoid (generally one should only store a hash of the passwords in the authentication backend).
Before going into alternatives let me list a few requirements I have for them:
- don't require the real password in the auth backend
- don't transmit the real password unsecured over the network
- must work with only http headers, don't touch the body in any way
- must be easily scriptable
- preemptive authorization (e.g. send the auth data with the first request)
- should work within a webbrowser
So, what options do I have now? Well, I can't see a single alternative that fits all requirements (if you know one let me know), the closest is http basic auth, but I really don't want to send the password over network as almost-plaintext. This lead me to the idea of extending it with gpg-encrypting the password, but that's not transparent when you use the browser (not that important for the current use case) and more importantly gpg adds about 600 bytes of protocol overhead for encrypted data (without using --armor), with the base64 encoding required for http that's almost one kilobyte just for a password that originally only had a few bytes.
So, right now I have to select between a rather hackish, inefficient and untested but secure solution and a well-tested, relatively efficient and well-specified but insecure one. What would people prefer here?
Or does anyone know another solution to the problem that satisfies the above requirements? (the first four are hard requirements, the other two I could work around)

Don't get too excited about the title, most stuff isn't usable yet, though I think it doesn't hurt if a few people start testing the parts in the client that are supposed to work. If you feel brave enough start reading the little test-howto (work in progress).

So after slacking for about a week or two due to the crappy weather
here (I guess most people would call >=30°C awesome, but not 24h a day)
I decided that I have to get back to this code even though the weather
still sucks.
So today I've added most of the db processing code that parses the
uploaded record files and adds/removes the data into/from the db, still
figuring out how to store installed package metadata without creating
another huge table or bloating the existing simple installed packages
table.
After that I'm gonna work on the registration/authentication stuff and
the uri mapping so this gets somewhat testable as the test system
should be available soon. Still won't have the query part, but that's
rather simple once the infrastructure is in place and works, just have
to assemble the right select statements and put them into psp/html.

While I'm not a fan of winter, the current temperature is simply too much, in the last few days I'm measuring a constant (= day and night) room temperature of about 30°C! Now such temperatures might be nice over a short period of time (if you want to go swimming or so), but working or sleeping at those temps (with a rather high humidity) is a killer. Sometimes I just wanto to put myself in the fridge just to cool down a bit.
So if you see me doing stupid stuff these days blame it on the weather.