From 0345464cb5da61230df46deb4825e48e239495f9 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Wed, 24 Aug 2011 16:53:20 -0700
Subject: [PATCH] added check that issuer is only browserid for now

---
 verifier/lib/idassertion.js | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/verifier/lib/idassertion.js b/verifier/lib/idassertion.js
index 4845f9805..90ddf93e6 100644
--- a/verifier/lib/idassertion.js
+++ b/verifier/lib/idassertion.js
@@ -12,6 +12,9 @@ const https = require("https");
 const url = require("url");
 const rsa = require("./rsa.js");
 
+// configuration information to check the issuer
+const config = require("../../libs/configuration.js");
+
 var Webfinger = (function() {
 
   if (!console) console = {};
@@ -269,6 +272,14 @@ IDAssertion.prototype  =
       return;
     }
 
+    // check that the issuer is just US for now, no other issuer
+    // FIXME: this will need to change for certs
+    var expected_issuer = config.get('hostname') + ':' + config.get('port');
+    if (payload.issuer != expected_issuer) {
+      onError("Issuer can only be ourselves for now, it should be: " + expected_issuer);
+      return;
+    }
+    
     // (if there was a certificate, we could verify it here)
     // but for now we will assume email-based lookup
     
-- 
GitLab