200 points dcu | 5 comments
fkyoureadthedoc No.44456481
> Another important file is _users.csv which contains user credentials and roles. It has the same format as other resources, but with a special _users collection name. There is no way to add new users via API, they must be created manually by editing this file:

    admin,1,salt,5V5R4SO4ZIFMXRZUL2EQMT2CJSREI7EMTK7AH2ND3T7BXIDLMNVQ====,"admin"
    alice,1,salt,PXHQWNPTZCBORTO5ASIJYVVAINQLQKJSOAQ4UXIAKTR55BU4HGRQ====,
> Here we have user ID which is user name, version number (always 1), salt for password hashing, and the password itself (hashed with SHA-256 and encoded as Base32). The last column is a list of roles assigned to the user.

I haven't had to handle password hashing in like a decade (thanks SSO), but isn't fast hashing like SHA-256 bad for it? Bcrypt was the standard last I did it. Or is this just an example and not what is actually used in the code?

replies(4): >>44456509 >>44457381 >>44457415 >>44457642
reactordev No.44456509
Indeed bcrypt is preferred but this is just a simple backend. My first ick was using CSV as storage as opposed to golang’s builtin SQLite support.

A SQLite connection can be made with just a sqlite://data.db connection string.

replies(1): >>44456539
jitl No.44456539
Golang does not have built in SQLite. It has a SQL database abstraction in the stdlib but you must supply a sqlite driver, for example one of these: https://github.com/cvilsmeier/go-sqlite-bench

However using the stdlib abstraction adds a lot of performance overhead; although it’ll still be competitive with CSV files.

replies(1): >>44456608
reactordev No.44456608
Ok, one additional dependency to your go.mod - big deal. And by builtin I was referring to the database/sql module which was designed for this.
replies(3): >>44456835 >>44456856 >>44457711
fkyoureadthedoc No.44456835
Maybe this is why they used SHA-256 too: it's in the stdlib, whereas bcrypt is a package (even if "official").
replies(1): >>44456932
gtufano No.44456856
Most of the more common SQLite implementations for Go require CGO, and this is a pretty steep request; it's definitely more than a line in go.mod.
ncruces No.44456932
The standard lib has pbkdf2 though.

I'm guessing the goal is that the file can be managed more easily with a text editor and some shell utils.
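To make the two points above concrete (the stdlib-only constraint from the thread, and the difference between the file's single SHA-256 and an iterated KDF), here is an added Go example. It is not code from the project or from any commenter. It parses the two `_users.csv` rows quoted at the top of the thread with `encoding/csv`, reproduces the described Base32(SHA-256) scheme (assuming the salt is prepended to the password; the page does not state the concatenation order), and contrasts it with a from-scratch PBKDF2-HMAC-SHA256 written against RFC 8018 so that it needs nothing outside the standard library on any Go version (Go 1.24 and later also ship `crypto/pbkdf2`, which does the same job). The user `bob`, the password `hunter2` and the iteration count are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"strings"
)

// SampleUsersCSV reproduces the two _users.csv rows quoted in the thread:
// user ID, version (always 1), salt, Base32(SHA-256) hash, roles.
const SampleUsersCSV = `admin,1,salt,5V5R4SO4ZIFMXRZUL2EQMT2CJSREI7EMTK7AH2ND3T7BXIDLMNVQ====,"admin"
alice,1,salt,PXHQWNPTZCBORTO5ASIJYVVAINQLQKJSOAQ4UXIAKTR55BU4HGRQ====,
`

// UserRecord is one parsed _users.csv row; Roles is kept as the raw column.
type UserRecord struct {
	ID, Version, Salt, Hash, Roles string
}

// ParseUsersCSV reads rows in the layout above; encoding/csv handles the
// quoted roles column and the empty trailing field for users without roles.
func ParseUsersCSV(data string) ([]UserRecord, error) {
	r := csv.NewReader(strings.NewReader(data))
	r.FieldsPerRecord = 5
	rows, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	users := make([]UserRecord, 0, len(rows))
	for _, row := range rows {
		users = append(users, UserRecord{row[0], row[1], row[2], row[3], row[4]})
	}
	return users, nil
}

// LegacyHash is the scheme the thread describes: one SHA-256, Base32-encoded.
// Assumption (the page does not say): the salt is prepended to the password.
func LegacyHash(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	return base32.StdEncoding.EncodeToString(sum[:])
}

// VerifyLegacy checks a password against a parsed row using a constant-time compare.
func VerifyLegacy(rec UserRecord, password string) bool {
	return subtle.ConstantTimeCompare([]byte(LegacyHash(rec.Salt, password)), []byte(rec.Hash)) == 1
}

// PBKDF2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF, using
// only the standard library so the example runs on older toolchains too.
func PBKDF2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	blocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	for i := 1; i <= blocks; i++ {
		// U_1 = PRF(password, salt || INT_32_BE(i))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(password, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_iter
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// SlowHash produces a stored value in the same Base32 shape the file already
// uses, but derived with an iterated KDF instead of a single SHA-256.
func SlowHash(salt, password string, iter int) string {
	return base32.StdEncoding.EncodeToString(PBKDF2SHA256([]byte(password), []byte(salt), iter, 32))
}

func main() {
	users, err := ParseUsersCSV(SampleUsersCSV)
	if err != nil {
		panic(err)
	}
	for _, u := range users {
		fmt.Printf("%-6s roles=%q hash=%s\n", u.ID, u.Roles, u.Hash)
	}
	// Constructed user to show both verification paths side by side.
	bob := UserRecord{ID: "bob", Version: "1", Salt: "pepper", Hash: LegacyHash("pepper", "hunter2")}
	fmt.Println("legacy verify:", VerifyLegacy(bob, "hunter2"), VerifyLegacy(bob, "hunter3"))
	fmt.Println("pbkdf2 (RFC test vector, c=1):",
		hex.EncodeToString(PBKDF2SHA256([]byte("password"), []byte("salt"), 1, 32)))
	fmt.Println("pbkdf2 stored form:", SlowHash("pepper", "hunter2", 100000))
}
```

The stored column stays the same 56-character Base32 string either way, so the on-disk format the thread praises for `vim`-friendliness does not force the choice of a fast hash; only the derivation behind the column changes, and the iteration count is what makes offline guessing of a leaked file expensive.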

jitl No.44457711
Well the project goal seems to be extreme minimalism and stdlib only, and the choice of human readable data stores and manually editing the user list suggests a goal is to only need `vim` and `sha256sum` for administration