
Cache user details for basic authentication #5006

@LukeLambert

Description

For the /api/verify?auth=basic endpoint, caching user details would considerably increase the performance of the endpoint, as Authelia would not have to fetch details from an LDAP server or calculate expensive password hashes for every request.

The key could be derived from the user credentials, e.g. hmac_sha256(username + password, secret_key).

There are a couple of security tradeoffs:

  • The password hashing algorithm is downgraded. However, this hash would only live in memory.
  • Brute force attacks are faster when the credentials are cached in memory. However, regulation policies could help protect against that.

The caching feature could be opt-in behind a setting. My one-factor apps use only long, randomly-generated passwords, so I'm comfortable with the tradeoffs.

Use Case

Services like WebDAV still rely on basic auth, but the current implementation can make resource usage and request latencies impractically high.

Details

No response

Documentation

There is a similar proposal for Traefik.

Pre-Submission Checklist

  • I agree to follow the Code of Conduct
  • I have checked for related issues and checked the documentation
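The following is an added example of the cache the proposal sketches, written in Go because Authelia is a Go project; it is not code from the issue or from Authelia. The `Backend` function type, the `UserDetails` struct, the TTL, and the constructed test user are all assumptions. One deliberate departure from the literal `hmac_sha256(username + password, secret_key)`: the username is length-prefixed before the password is appended, because bare concatenation lets two different credential pairs produce the same key. Failed verifications are never cached, so every failed attempt still reaches the backend and, in a real deployment, the regulation layer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// UserDetails stands in for what the LDAP/file backend returns; constructed for this example.
type UserDetails struct {
	Username string
	Groups   []string
}

// Backend is the slow path: directory lookup plus password-hash verification.
// Hypothetical signature, not Authelia's own interface.
type Backend func(username, password string) (*UserDetails, bool)

type cacheEntry struct {
	details *UserDetails
	expires time.Time
}

// CredentialCache keys entries by HMAC-SHA256(secret, len(username) || username || password),
// so the map never holds plaintext passwords and keys cannot be precomputed without the secret.
type CredentialCache struct {
	mu           sync.Mutex
	secret       []byte
	ttl          time.Duration
	entries      map[[sha256.Size]byte]cacheEntry
	backend      Backend
	now          func() time.Time // injectable clock so expiry can be exercised in tests
	BackendCalls int              // how often the slow path actually ran
}

func NewCredentialCache(secret []byte, ttl time.Duration, backend Backend) *CredentialCache {
	return &CredentialCache{
		secret:  secret,
		ttl:     ttl,
		entries: make(map[[sha256.Size]byte]cacheEntry),
		backend: backend,
		now:     time.Now,
	}
}

// key derives the cache key. The username is length-prefixed before the password is
// appended, so ("ab","c") and ("a","bc") hash differently; plain concatenation would not.
func (c *CredentialCache) key(username, password string) [sha256.Size]byte {
	mac := hmac.New(sha256.New, c.secret)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(username)))
	mac.Write(n[:])
	mac.Write([]byte(username))
	mac.Write([]byte(password))
	var out [sha256.Size]byte
	copy(out[:], mac.Sum(nil))
	return out
}

// Verify serves a fresh cache hit directly; otherwise it runs the backend and caches
// only successful results, so a rejected credential is never remembered.
func (c *CredentialCache) Verify(username, password string) (*UserDetails, bool) {
	k := c.key(username, password)
	now := c.now()

	c.mu.Lock()
	if e, ok := c.entries[k]; ok && now.Before(e.expires) {
		c.mu.Unlock()
		return e.details, true
	}
	delete(c.entries, k) // drop a stale entry if one was present
	c.BackendCalls++
	c.mu.Unlock()

	details, ok := c.backend(username, password)
	if !ok {
		return nil, false
	}
	c.mu.Lock()
	c.entries[k] = cacheEntry{details: details, expires: now.Add(c.ttl)}
	c.mu.Unlock()
	return details, true
}

func main() {
	// Constructed backend: one valid user, artificially slowed to mimic a password hash.
	backend := func(u, p string) (*UserDetails, bool) {
		time.Sleep(50 * time.Millisecond)
		if u == "alice" && p == "correct-horse-battery-staple" {
			return &UserDetails{Username: "alice", Groups: []string{"webdav"}}, true
		}
		return nil, false
	}
	c := NewCredentialCache([]byte("example-secret-key"), time.Minute, backend)
	for i := 1; i <= 3; i++ {
		start := time.Now()
		_, ok := c.Verify("alice", "correct-horse-battery-staple")
		fmt.Printf("attempt %d: ok=%v took=%v backendCalls=%d\n",
			i, ok, time.Since(start).Round(time.Millisecond), c.BackendCalls)
	}
}
```

The TTL is the only bound on how long a cached entry outlives a password change or account disablement, which is the concrete cost of the "downgraded hash lives only in memory" tradeoff; a production version would also cap the number of entries and expose a way to flush them.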

Metadata


Assignees

No one assigned

Labels

  • area/security: Security related features/bugs
  • priority/4/normal: Normal priority items
  • status/needs-design: Requires formal design process via a discussion or feature request
  • type/feature: Request for adding a new feature

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests
