Can any readers of this list recommend some reasonably prudent technique for handling passwords that an XQuery module will need to retrieve things via http?
I suppose there are two questions: (1) where do people store such userid/password pairs?
If you use RESTXQ, you can build your user management on top of the existing User Module [1]. This module is also utilized by the DBA.
By default, these users have been introduced to control access to BaseX and its databases. If RESTXQ is used, all executed code will be in the realm of the default 'admin' user anyway, so we also use the BaseX user management to organize users of applications.
The passwords will never be stored as plain text, but with a salted hash. Please check out [2] to see how a user password can be compared with the registered password. When I see this, I believe it could help to have a convenience function added that does all the magic – something like user:verify($name, $password). Suggestions are welcome.
and (2) what's the best way to use them?
Talking about the client, I think you have already mentioned the most obvious choices. You could also pass them on in the HTTP header and access them via RESTXQ or the Request Module [3]. If security is important, you could use digest authentication [4] or use an https connection.
Hope this helps,
Christian
[1] http://docs.basex.org/wiki/User_Module
[2] https://github.com/BaseXdb/basex/blob/master/basex-api/src/main/webapp/dba/l...
[3] http://docs.basex.org/wiki/Request_Module#request:header
[4] http://docs.basex.org/wiki/Options#AUTHMETHOD
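
Added example, not part of the original message and not BaseX's own code: a sketch of the comparison described above, in which the supplied password is hashed with the stored salt and matched against the registered hash. The helper name `local:verify`, the sample credentials, and the record layout (a `password` element with `algorithm="salted-sha256"` holding `salt` and `hash` children, where the hash is the hex SHA-256 of salt followed by password) are assumptions.

```xquery
(: Added example; local:verify is a hypothetical helper, not a BaseX function. :)
declare function local:verify(
  $name     as xs:string,
  $password as xs:string
) as xs:boolean {
  try {
    (: Assumption: the user record has the shape
         <user name="...">
           <password algorithm="salted-sha256">
             <salt>...</salt><hash>...</hash>
           </password>
         </user> :)
    let $pw := user:list-details($name)/password[@algorithm = 'salted-sha256']
    (: Assumption: stored hash = hex(SHA-256(salt || password)). :)
    let $computed := lower-case(
      string(xs:hexBinary(hash:sha256($pw/salt || $password)))
    )
    return exists($pw) and lower-case($pw/hash) = $computed
  } catch * {
    (: An unknown user and a wrong password give the same answer,
       so callers cannot use this function to enumerate accounts. :)
    false()
  }
};

(: Constructed sample call; name and password are placeholders. :)
local:verify('example-user', 'example-password')
```

The function never returns or logs the salt, the hash or the supplied password; only the boolean result leaves it.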