This is an example of how an endpoint on an MIT scripts site can authenticate MIT certificates for servers not hosted on an MIT domain.
It is possible to easily authenticate MIT certificates on a scripts.mit.edu website. The aim is to securely utilize this capability on an external server that cannot itself authenticate certificates.
There are two components: the scripts authentication endpoint (`auth.php`) and an external server (`example-app.js`) that hosts an app. The flow is as follows:
1. A user goes to the app and attempts to log in.
2. The server generates a random key, storing it in the user's app session. It then redirects the user to the authentication endpoint, passing the key in the query string.
3. The authentication endpoint requests a certificate from the user. (If the user doesn't provide a valid certificate, the authentication fails.)
4. The authentication endpoint computes the hash of the concatenation of the user's email (from certificate), random key, and a server secret (stored on both the authentication endpoint and the app server). The result is an alphanumeric token.
5. The authentication endpoint redirects the user back to the app and passes the user's email, token, and name.
6. The app also computes the hash of the concatenation of the user's email, random key (reloaded from the session), and the server secret. If the result matches the given token, the user is authenticated.
Note: Step 5 is done using a GET request when it really should be a POST request (although this doesn't make it insecure). The reason for this is that the scripts site is HTTPS and the assumption is that the external app is not, so standard Internet security rules don't allow a POST request.
Another note: Including the email in the hash isn't absolutely necessary for logging in, but would be needed for something like linking an existing account to an MIT certificate. (It also doesn't hurt to include the email in the hash.)
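The key generation, token computation and verification steps of the flow above, as an added sketch in Node.js (not the code from `auth.php` or `example-app.js`). It assumes SHA-256 with hex output, since the page only says "hash"; the function names, the `authKey` session field and the sample values are hypothetical, and the single-use key and constant-time comparison are additions not stated on the page.

```javascript
const crypto = require('crypto');

// Assumption: SHA-256, hex-encoded. The page only specifies "the hash of the
// concatenation" of email, random key and server secret.
function computeToken(email, key, secret) {
  return crypto.createHash('sha256').update(email + key + secret).digest('hex');
}

// App server: create a fresh random key and keep it in the user's session.
// The returned value is what gets passed to the endpoint in the query string.
function beginLogin(session) {
  session.authKey = crypto.randomBytes(32).toString('hex');
  return session.authKey;
}

// Authentication endpoint: certEmail must come from the validated certificate,
// never from the request.
function endpointIssueToken(certEmail, key, secret) {
  return computeToken(certEmail, key, secret);
}

// App server: recompute the token from the session key and compare.
function finishLogin(session, email, token, secret) {
  const key = session.authKey;
  // Added hardening (not stated on the page): the key is single use, so a
  // redirect URL captured from history or logs cannot be replayed.
  delete session.authKey;
  if (typeof key !== 'string' || typeof email !== 'string' || typeof token !== 'string') {
    return false;
  }
  const expected = Buffer.from(computeToken(email, key, secret), 'hex');
  const given = Buffer.from(token, 'hex');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return given.length === expected.length && crypto.timingSafeEqual(expected, given);
}

// Constructed sample values, for illustration only.
const SECRET = 'constructed-shared-secret';
function demo() {
  const session = {};
  const key = beginLogin(session);
  const token = endpointIssueToken('user@mit.edu', key, SECRET);
  const tampered = finishLogin({ authKey: key }, 'other@mit.edu', token, SECRET);
  const ok = finishLogin(session, 'user@mit.edu', token, SECRET);
  const replay = finishLogin(session, 'user@mit.edu', token, SECRET);
  return { ok, tampered, replay };
}
```

Because the email is part of the hashed input, changing the `email` parameter on the redirect back invalidates the token, which is what makes the account-linking case mentioned above safe.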
This assumes you have installed Node.js and npm.
First, install packages by running `npm install`. You will probably also want to customize `config.json` (in particular the
Now the authentication endpoint must be deployed on MIT scripts, which is done by running `node deploy-auth.js`. Note that this puts two files, `auth-secret.php`, at the path specified in `config.json`. (An MIT Athena account is required for this step.)
Finally, start the example app by running `node example-app.js`. You can test it out by going to http://localhost:8000.
When actually deploying this, make sure the secrets in `config.json` are not publicly accessible.
Please let me know if something is wrong in either the theory or the code!