helper script takes csrf into account properly

darobin · Jan 17, 2012 · 53740c0 · 53740c0
1 parent ffd8b37
commit 53740c0
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 6 deletions.
diff --git a/lib/express-browserid.js b/lib/express-browserid.js
@@ -1,20 +1,61 @@
 
-var path = require("path");
+var path = require("path")
+,   Shred = require("shred")
+,   surf = new Shred
+;
 
 exports.plugAll = function (app, opts) {
     this.plugHelperScript(app, opts);
+    this.plugVerifier(app, opts);
 };
 
 exports.plugHelperScript = function (app, opts) {
     opts = opts || {};
     var route = opts.helperScriptPath || makePath("/js/browserid-helper.js", opts)
-    ,   filepath = path.join(module.filename, "../public/js/browserid-helper.js");
+    ,   filepath = path.join(module.filename, "../../public/js/browserid-helper.js");
     ;
+    // XXX we should include strong caching headers here, and 304s for IMS
     app.get(route, function (req, res, next) {
         res.sendfile(filepath);
     });
 };
 
+exports.plugVerifier = function (app, opts) {
+    opts = opts || {};
+    var route = opts.verifierPath || makePath("/verify", opts);
+    console.log("setting up route: " + route);
+    app.post(route, function (req, res, next) {
+        console.log("contacting verifier");
+        surf.post({
+            url:        opts.verifier || "https://browserid.org/verify"
+        ,   headers:    {
+                accept: "application/json"
+            }
+        ,   content:    {
+                audience:   opts.audience || req.body.audience
+            ,   assertion:  req.body.assertion
+            }
+        ,   on: {
+                200:    function (data) {
+                    console.log("verifier replied:", data);
+                    if (data && "okay" === data.status) {
+                        if (opts.verifyCB) opts.verifyCB(null, data);
+                    }
+                    else {
+                        if (opts.verifyCB) opts.verifyCB(new Error("BrowserID verification failed"), data);
+                    }
+                    res.json(data);
+                }
+            ,   response:   function () {
+                    res.send("BrowserID verification failed", 500);
+                }
+            }
+        });
+        console.log("verifier request sent");
+    });
+    console.log("route okay");
+};
+
 function makePath (path, opts) {
     var base = opts.basePath || "/browserid";
     return base + path;

diff --git a/package.json b/package.json
@@ -4,6 +4,7 @@
 ,   "version":      "0.0.1"
 ,   "author":       "Robin Berjon <robin@berjon.com>"
 ,   "dependencies": {
+        "shred":    "= 0.6.4"
     }
 ,   "devDependencies": {
         "mocha":    "*"

diff --git a/public/js/browserid-helper.js b/public/js/browserid-helper.js
@@ -12,31 +12,35 @@
         var scheme = location.protocol
         ,   audience = scheme + "//" + location.hostname
         ;
-        if ("http:" === scheme && "80" != location.port) audience += ":" + location.port;
-        else if ("https:" === scheme && "443" != location.port) audience += ":" + location.port;
+        if ("http:" === scheme && location.port && "80" != location.port) audience += ":" + location.port;
+        else if ("https:" === scheme && location.port && "443" != location.port) audience += ":" + location.port;
         return audience;
     }
     $("script").each(function () {
-        $scr = $(this);
+        var $scr = $(this);
         if (/js\/browserid-helper\.js(?:\?.+)?$/.test($scr.attr("src"))) {
             if ("false" === $scr.attr("data-auto")) options.auto = false;
             if ("true" === $scr.attr("data-debug")) options.debug = true;
             options.verifier = $scr.attr("data-verifier") || options.verifier;
             options.selector = $scr.attr("data-selector") || options.selector;
+            options.csrf = $scr.attr("data-csrf") || "";
             options.audience = $scr.attr("data-audience") || audience();
             return false;
         }
     });
+    if (options.debug) console.log("[BrowserID] Options: ", options);
     var $win = $(window);
     $(options.selector).click(function () {
         $win.trigger("login-attempt");
         navigator.id.get(function (assertion) {
             $win.trigger("login-response", assertion);
             if (assertion) {
                 $win.trigger("received-assertion", assertion);
+                var data = { audience: options.audience, assertion: assertion };
+                if (options.csrf) data._csrf = options.csrf;
                 $.post(
                         options.verifier
-                    ,   { audience: options.audience, assertion: assertion }
+                    ,   data
                     ,   function (data) {
                             if (!data) $win.trigger("login-error", "no verify data");
                             if ("okay" === data.status) {