
helper script takes csrf into account properly

1 parent ffd8b37 commit 53740c0ce59f31d50f496143e78de8b59f7aa2c4 @darobin committed Jan 17, 2012
Showing with 52 additions and 6 deletions.
  1. +43 −2 lib/express-browserid.js
  2. +1 −0 package.json
  3. +8 −4 public/js/browserid-helper.js
@@ -1,20 +1,61 @@
-var path = require("path");
+var path = require("path")
+, Shred = require("shred")
+, surf = new Shred
+;
exports.plugAll = function (app, opts) {
this.plugHelperScript(app, opts);
+ this.plugVerifier(app, opts);
};
exports.plugHelperScript = function (app, opts) {
opts = opts || {};
var route = opts.helperScriptPath || makePath("/js/browserid-helper.js", opts)
- , filepath = path.join(module.filename, "../public/js/browserid-helper.js");
+ , filepath = path.join(module.filename, "../../public/js/browserid-helper.js");
;
+ // XXX we should include strong caching headers here, and 304s for IMS
app.get(route, function (req, res, next) {
res.sendfile(filepath);
});
};
+exports.plugVerifier = function (app, opts) {
+ opts = opts || {};
+ var route = opts.verifierPath || makePath("/verify", opts);
+ console.log("setting up route: " + route);
+ app.post(route, function (req, res, next) {
+ console.log("contacting verifier");
+ surf.post({
+ url: opts.verifier || "https://browserid.org/verify"
+ , headers: {
+ accept: "application/json"
+ }
+ , content: {
+ audience: opts.audience || req.body.audience
+ , assertion: req.body.assertion
+ }
+ , on: {
+ 200: function (data) {
+ console.log("verifier replied:", data);
+ if (data && "okay" === data.status) {
+ if (opts.verifyCB) opts.verifyCB(null, data);
+ }
+ else {
+ if (opts.verifyCB) opts.verifyCB(new Error("BrowserID verification failed"), data);
+ }
+ res.json(data);
+ }
+ , response: function () {
+ res.send("BrowserID verification failed", 500);
+ }
+ }
+ });
+ console.log("verifier request sent");
+ });
+ console.log("route okay");
+};
+
function makePath (path, opts) {
var base = opts.basePath || "/browserid";
return base + path;
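Review bot: In the new plugVerifier handler, `audience: opts.audience || req.body.audience` lets the caller of the route choose the audience the verifier checks, so an assertion issued for some other site would still come back `okay` here whenever `opts.audience` is not configured; the audience must be the server's own origin, never taken from the request body. The simplest fix is to drop the fallback, `audience: opts.audience`, and refuse to set up the route (or reply with an error in the handler) when `opts.audience` is missing. Separately, the `200` handler calls `res.json(data)` on both branches, so a failed verification is still answered with HTTP 200 and only distinguished by `data.status`, and `console.log("verifier replied:", data)` writes the full verifier reply (which includes the user's identity fields) to the log; consider logging only `data.status`. The closing brace of makePath lies beyond the visible hunk.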
@@ -4,6 +4,7 @@
, "version": "0.0.1"
, "author": "Robin Berjon <robin@berjon.com>"
, "dependencies": {
+ "shred": "= 0.6.4"
}
, "devDependencies": {
"mocha": "*"
@@ -12,31 +12,35 @@
var scheme = location.protocol
, audience = scheme + "//" + location.hostname
;
- if ("http:" === scheme && "80" != location.port) audience += ":" + location.port;
- else if ("https:" === scheme && "443" != location.port) audience += ":" + location.port;
+ if ("http:" === scheme && location.port && "80" != location.port) audience += ":" + location.port;
+ else if ("https:" === scheme && location.port && "443" != location.port) audience += ":" + location.port;
return audience;
}
$("script").each(function () {
- $scr = $(this);
+ var $scr = $(this);
if (/js\/browserid-helper\.js(?:\?.+)?$/.test($scr.attr("src"))) {
if ("false" === $scr.attr("data-auto")) options.auto = false;
if ("true" === $scr.attr("data-debug")) options.debug = true;
options.verifier = $scr.attr("data-verifier") || options.verifier;
options.selector = $scr.attr("data-selector") || options.selector;
+ options.csrf = $scr.attr("data-csrf") || "";
options.audience = $scr.attr("data-audience") || audience();
return false;
}
});
+ if (options.debug) console.log("[BrowserID] Options: ", options);
var $win = $(window);
$(options.selector).click(function () {
$win.trigger("login-attempt");
navigator.id.get(function (assertion) {
$win.trigger("login-response", assertion);
if (assertion) {
$win.trigger("received-assertion", assertion);
+ var data = { audience: options.audience, assertion: assertion };
+ if (options.csrf) data._csrf = options.csrf;
$.post(
options.verifier
- , { audience: options.audience, assertion: assertion }
+ , data
, function (data) {
if (!data) $win.trigger("login-error", "no verify data");
if ("okay" === data.status) {
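Review bot: The new request payload `var data = { audience: options.audience, assertion: assertion };` is shadowed two lines later by the response callback's parameter `function (data)`, so inside the callback `data` is the verifier's reply and the payload is unreachable, which is easy to misread when the `_csrf` line is revisited; naming the payload `var payload = { audience: options.audience, assertion: assertion };` / `if (options.csrf) payload._csrf = options.csrf;` and passing `, payload` to `$.post` removes the ambiguity. The unchanged callback also falls through after `if (!data) $win.trigger("login-error", "no verify data");` to `data.status`, which throws when the reply is empty; a `return` on that guard would let the new error event be the only outcome (pre-existing, but touched by this change). The port fix on the `audience()` lines correctly handles an empty `location.port`, though `!=` could be `!==` for consistency with the `===` used alongside it.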
