
verifier now accepts parameters over POST in addition to GET, use of …

…the former is preferred and keeps user identifiable data out of http logs. closes #96
1 parent 14cabc4 commit 0a96fcf1a9febabfa3391a818c86a8948eb9914d @lloyd lloyd committed Jul 21, 2011
Showing with 24 additions and 12 deletions.
  1. +2 −2 browserid/views/developers.ejs
  2. +10 −4 rp/index.html
  3. +12 −6 verifier/app.js
@@ -56,7 +56,7 @@
free verification service provided by BrowserID.
</p><p>
To use it, you send a request
- to <tt>https://browserid.org/verify</tt> with two GET parameters:
+ to <tt>https://browserid.org/verify</tt> with two POST parameters:
</p>
<ol>
<li> <tt>assertion</tt>: The encoded assertion
@@ -66,7 +66,7 @@
The verifier will check the the assertion was meant for your site and
is valid, here's an example:
</p>
- <pre><code>$ curl "https://browserid.org/verify?assertion=&lt;ASSERTION&gt;&audience=mysite.com"
+ <pre><code>$ curl -d "assertion=&lt;ASSERTION&gt;&audience=mysite.com" "https://browserid.org/verify"
{
"status": "okay",
"email": "lloyd@mozilla.com",
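Review bot: The new curl example on the `+ <pre><code>$ curl -d "assertion=…` line passes the assertion through `-d`, which sends the string verbatim, so an assertion value containing `&`, `+` or `=` would be read as form syntax by the server and the request would likely be rejected or arrive mangled. Since the point of this change is that the assertion travels in the body, the example should show it form-encoded, e.g. `$ curl --data-urlencode "assertion=&lt;ASSERTION&gt;" -d "audience=mysite.com" "https://browserid.org/verify"`. The prose edit earlier in this section ("two POST parameters") is consistent with the new example.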
@@ -90,13 +90,19 @@
// Now we'll send this assertion over to the verification server for validation
$("#oAssertion").empty().text(assertion);
- var url = "https://browserid.org/verify?assertion=" + window.encodeURIComponent(assertion) +
- "&audience=" + window.encodeURIComponent(window.location.host);
- $("#oVerificationRequest").empty().text(url);
+ var url = "https://browserid.org/verify"
+ var data = {
+ assertion: assertion,
+ audience: window.location.host
+ };
+
+ $("#oVerificationRequest").empty().text("POST " + url + "\n" + JSON.stringify(data));
$.ajax({
- url: url,
+ url: "https://browserid.org/verify",
+ type: "POST",
dataType: "json",
+ data: data,
success: function(data, textStatus, jqXHR) {
$("#oVerificationResponse > pre").empty().text(JSON.stringify(data, null, 4));
},
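Review bot: The request option `url: "https://browserid.org/verify",` repeats the literal instead of using the `url` variable declared a few lines above, so the request shown in `#oVerificationRequest` and the one actually sent can drift apart; use `url: url,`. The declaration `var url = "https://browserid.org/verify"` is also missing its semicolon. The `data` object introduced in this hunk is shadowed by the `data` parameter of the `success` callback, which makes the two easy to confuse; naming the payload something like `params` would read better. The enclosing function continues past the end of this hunk.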
@@ -3,31 +3,32 @@ const path = require('path'),
fs = require('fs'),
httputils = require('./lib/httputils.js'),
idassertion = require('./lib/idassertion.js'),
- jwt = require('./lib/jwt.js');
+ jwt = require('./lib/jwt.js'),
+ express = require('express');
// create the var directory if it doesn't exist
var VAR_DIR = path.join(__dirname, "var");
try { fs.mkdirSync(VAR_DIR, 0755); } catch(e) { }
function doVerify(req, resp, next) {
- var assertion = req.query.assertion;
- var audience = req.query.audience;
+ var assertion = (req.query && req.query.assertion) ? req.query.assertion : req.body.assertion;
+ var audience = (req.query && req.query.audience) ? req.query.audience : req.body.audience;
if (!(assertion && audience))
return httputils.jsonResponse(resp, {status:"failure", reason:"need assertion and audience"});
-
+
// allow client side XHR to access this WSAPI, see
// https://developer.mozilla.org/en/http_access_control
// for details
// FIXME: should we really allow this? It might encourage the wrong behavior
resp.setHeader('Access-Control-Allow-Origin', '*');
if (req.method === 'OPTIONS') {
- resp.setHeader('Access-Control-Allow-Methods', 'GET');
+ resp.setHeader('Access-Control-Allow-Methods', 'POST, GET');
resp.writeHead(200);
resp.end();
return;
}
-
+
try {
var assertionObj = new idassertion.IDAssertion(assertion);
assertionObj
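Review bot: The fallback at `var assertion = (req.query && req.query.assertion) ? req.query.assertion : req.body.assertion;` (and the audience line below it) accepts whatever the body parser produced, and with `express.bodyParser()` a JSON body can make `req.body.assertion` an object or array rather than a string, which then reaches `new idassertion.IDAssertion(assertion)` unchanged; the existing guard should also check the type, `if (typeof assertion !== 'string' || typeof audience !== 'string')`. The two values can also come from different sources (assertion from the query string, audience from the body), which looks unintended — reading both from the same object would be clearer. Separately, because the parameter check runs before the `req.method === 'OPTIONS'` branch, a preflight request (which carries no parameters) gets the failure JSON via `httputils.jsonResponse` before `Access-Control-Allow-Origin` is set, so the `'POST, GET'` Allow-Methods value added here is never sent; this predates the commit but is worth fixing by moving the OPTIONS block above the check. doVerify continues past the end of this hunk.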
@@ -56,6 +57,8 @@ function doVerify(req, resp, next) {
exports.varDir = VAR_DIR;
exports.setup = function(app) {
+ app.use(express.bodyParser());
+
// code_update is an internal api that causes the node server to
// shut down. This should never be externally accessible and
// is used during the dead simple deployment procedure.
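Review bot: `app.use(express.bodyParser())` is mounted for every route with no body-size bound visible here, so a large POST is presumably buffered in memory in full before doVerify gets to reject it; if this Connect version ships a request-size limit middleware, mounting it ahead of the body parser would bound that (an assertion plus audience should fit in a few kilobytes), otherwise a Content-Length check would do. The parser is also applied to the internal code_update route described in the comment below, which presumably does not need a parsed body — attaching it only to the verify routes would keep the surface smaller. exports.setup continues past the end of this hunk.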
@@ -73,4 +76,7 @@ exports.setup = function(app) {
app.get('/', doVerify);
app.get('/verify', doVerify);
+
+ app.post('/', doVerify);
+ app.post('/verify', doVerify);
};

