Fixed faulty validity check in stateless signature verification. Fixe…

…d mixed up verification methods (stateless verification used hmac and vice-versa). Fixed stateless variable typo in relying party object.
dylang · Feb 9, 2011 · c783878 · c783878
1 parent ba6e1e7
commit c783878
Showing 1 changed file with 20 additions and 5 deletions.
diff --git a/openid.js b/openid.js
@@ -59,7 +59,7 @@ openid.RelyingParty.prototype.authenticate = function(identifier, immediate, cal
 
 openid.RelyingParty.prototype.verifyAssertion = function(requestOrUrl, callback)
 {
-  openid.verifyAssertion(requestOrUrl, callback, this.stateeless);
+  openid.verifyAssertion(requestOrUrl, callback, this.stateless);
 }
 
 function _isDef(e)
@@ -819,11 +819,11 @@ function _checkSignature(params, callback, stateless)
 
   if(stateless)
   {
-    _checkSignatureUsingAssociation(params, callback);
+    _checkSignatureUsingProvider(params, callback);
   }
   else
   {
-    _checkSignatureUsingProvider(params, callback);
+    _checkSignatureUsingAssociation(params, callback);
   }
 }
 
@@ -852,7 +852,14 @@ function _checkSignatureUsingAssociation(params, callback)
   hmac.update(message);
   var ourSignature = hmac.digest('base64');
 
-  callback({ authenticated: ourSignature == params['openid.sig']});
+  if(ourSignature == params['openid.sig'])
+  {
+    callback({ authenticated: true });
+  }
+  else
+  {
+    callback({ authenticated: false, error: 'Invalid signature' });
+  }
 }
 
 function _checkSignatureUsingProvider(params, callback)
@@ -878,7 +885,15 @@ function _checkSignatureUsingProvider(params, callback)
     else
     {
       data = _decodePostData(data);
-      callback({ authenticated: data['is_valid']});
+
+      if(data['is_valid'] == 'true')
+      {
+        callback({ authenticated: true });
+      }
+      else
+      {
+        callback({ authenticated: false, error: 'Invalid signature' });
+      }
     }
   });
 }