So... while this is cool and all, this isn't anything revolutionary or even 'new' that couldn't have been done in any other scripting language/framework (and, in fact, I daresay it could've probably been done faster in another language/framework).
While I believe Node is pretty frickin' awesome, I don't see a point in glorifying concepts that have already been done to death. Nodes entire architecture allows so many more possibilities than just a HackerNews clone, so let's see it instead of constantly reinventing the wheel.
Certainly would, although SHA1 is being phased out, it's probably still "ok" to use, but I wouldn't choose it if I wanted the project to achieve maximum longevity, I'd choose a later family of SHA, SHA2. It will be slower, but you won't end up looking like gawker. Since node just uses openssl you have quite a collection of message digest algorithms to choose from. Run an "openssl speed" on your server to get a benchmark of different algorithms.
Also, you're using iterating 1000 times for all users, you can mix it up and store that with the user in mongo. (1000-1000+). You might also want to serve up your login and any pages requiring some form of authorised behaviours using https. (Prevent auth token theft and password sniffing).
Also when validating user input for passwords, are you sure it's isAlphanumeric() that you want? Some users like to have non alphanumeric characters in their passwords. If it's just an attempt to stop xss/injection then I believe node-validator supports that without restricting you to alphanumeric characters only.
I think the general consensus post Gawker hacking was that hashing alone was inadequate and that for greater security you should use bcrypt as it takes so much longer to run attacks.
Let me be the first to say, good job. It's great to see node and coffe getting more love as they're both really fun and neat. I see you're setting up a sandbox for us HNers which is probably best to show HN something they can actually use and draw some more attention towards your project.
Heres an idea for you, we all seem to love delicious and bookmarks. Why not integrate bookmarking into this project (private by default) but allow the use of 'publishing' to ycatalyst, or viewing previous discussions on already 'published' bookmarks/topics. You could then generate 'site' posts which are from hot/popular bookmarks, (I'd also try to keep who bookmarked it private by default).
21 comments
[ 3.4 ms ] story [ 67.0 ms ] threadWhile I believe Node is pretty frickin' awesome, I don't see a point in glorifying concepts that have already been done to death. Nodes entire architecture allows so many more possibilities than just a HackerNews clone, so let's see it instead of constantly reinventing the wheel.
Klonoar, follow the github repo for future diversions from HN, or make a pull request and I'll see it through to the live site.
Any reason you chose md5? Props for at least salting and running it 1000 times.
Edit:
Also, you're using iterating 1000 times for all users, you can mix it up and store that with the user in mongo. (1000-1000+). You might also want to serve up your login and any pages requiring some form of authorised behaviours using https. (Prevent auth token theft and password sniffing).Also when validating user input for passwords, are you sure it's isAlphanumeric() that you want? Some users like to have non alphanumeric characters in their passwords. If it's just an attempt to stop xss/injection then I believe node-validator supports that without restricting you to alphanumeric characters only.
http://news.ycombinator.com/item?id=762708
For a discussion on it.
http://codahale.com/how-to-safely-store-a-password/
Heres an idea for you, we all seem to love delicious and bookmarks. Why not integrate bookmarking into this project (private by default) but allow the use of 'publishing' to ycatalyst, or viewing previous discussions on already 'published' bookmarks/topics. You could then generate 'site' posts which are from hot/popular bookmarks, (I'd also try to keep who bookmarked it private by default).
Why 20? Where did that number come from?