lua的mongodb库auth验证方法耗费时间占请求的三分之二!请问大神怎么优化下呢
验证的方法代码:
function dbmethods:auth_scram_sha1(username, password)
local user = string.gsub(string.gsub(username, '=', '=3D'), ',' , '=2C')
local nonce = ngx.encode_base64(string.sub(tostring(math.random()), 3 , 14))
local first_bare = "n=" .. user .. ",r=" .. nonce
local sasl_start_payload = ngx.encode_base64("n,," .. first_bare)
r, err = self:cmd(attachpairs_start({
saslStart = 1 ;
mechanism = "SCRAM-SHA-1" ;
autoAuthorize = 1 ;
payload = sasl_start_payload ;
} , "saslStart" ) )
if not r then
return nil, err
end
local conversationId = r['conversationId']
local server_first = r['payload']
local parsed_s = ngx.decode_base64(server_first)
local parsed_t = {}
for k, v in string.gmatch(parsed_s, "(%w+)=([^,]*)") do
parsed_t[k] = v
end
local iterations = tonumber(parsed_t['i'])
local salt = parsed_t['s']
local rnonce = parsed_t['r']
if not string.sub(rnonce, 1, 12) == nonce then
return nil, 'Server returned an invalid nonce.'
end
local without_proof = "c=biws,r=" .. rnonce
local pbkdf2_key = pass_digest ( username , password )
local salted_pass = pbkdf2_hmac_sha1(pbkdf2_key, iterations, ngx.decode_base64(salt), 20)
local client_key = ngx.hmac_sha1(salted_pass, "Client Key")
local stored_key = ngx.sha1_bin(client_key)
local auth_msg = first_bare .. ',' .. parsed_s .. ',' .. without_proof
local client_sig = ngx.hmac_sha1(stored_key, auth_msg)
local client_key_xor_sig = xor_bytestr(client_key, client_sig)
local client_proof = "p=" .. ngx.encode_base64(client_key_xor_sig)
local client_final = ngx.encode_base64(without_proof .. ',' .. client_proof)
local server_key = ngx.hmac_sha1(salted_pass, "Server Key")
local server_sig = ngx.encode_base64(ngx.hmac_sha1(server_key, auth_msg))
r, err = self:cmd(attachpairs_start({
saslContinue = 1 ;
conversationId = conversationId ;
payload = client_final ;
} , "saslContinue" ) )
if not r then
return nil, err
end
parsed_s = ngx.decode_base64(r['payload'])
parsed_t = {}
for k, v in string.gmatch(parsed_s, "(%w+)=([^,]*)") do
parsed_t[k] = v
end
if parsed_t['v'] ~= server_sig then
return nil, "Server returned an invalid signature."
end
if not r['done'] then
r, err = self:cmd(attachpairs_start({
saslContinue = 1 ;
conversationId = conversationId ;
payload = ngx.encode_base64("") ;
} , "saslContinue" ) )
if not r then
return nil, err
end
if not r['done'] then
return nil, 'SASL conversation failed to complete.'
end
return 1
end
return 1
end完整文件github的地址:
https://github.com/LuaDist2/l...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
openresty有连接池,只有在首次与数据库建立连接的时候进行认证,应该没有太大影响吧
不需要每次都验证的吧?
问一下这个怎么解决?加了账号密码每次请求查询都要验证,时间由30ms上升带500ms