diff --git a/browserid/views/developers.ejs b/browserid/views/developers.ejs
index 85a67d0110f3645aa19503e1146c296f4a590956..e4e8344573fc7ff316a33a490bd78d836df082bb 100644
--- a/browserid/views/developers.ejs
+++ b/browserid/views/developers.ejs
@@ -56,7 +56,7 @@ free verification service provided by BrowserID. </p><p> To use it, you send a request
- to <tt>https://browserid.org/verify</tt> with two GET parameters:
+ to <tt>https://browserid.org/verify</tt> with two POST parameters:
 </p> <ol> <li> <tt>assertion</tt>: The encoded assertion
@@ -66,7 +66,7 @@ The verifier will check the the assertion was meant for your site and is valid, here's an example: </p>
- <pre><code>$ curl "https://browserid.org/verify?assertion=<ASSERTION>&audience=mysite.com"
+ <pre><code>$ curl -d "assertion=<ASSERTION>&audience=mysite.com" "https://browserid.org/verify"
 { "status": "okay", "email": "lloyd@mozilla.com",
diff --git a/rp/index.html b/rp/index.html
index be382ce9a307e87e06f06c24d9ad8f059c01fd34..53fd47c1e96512349a30a8db290754a1b24f36b4 100644
--- a/rp/index.html
+++ b/rp/index.html
@@ -90,13 +90,19 @@ a:hover { border-bottom: 2px solid black ; }
 // Now we'll send this assertion over to the verification server for validation
 $("#oAssertion").empty().text(assertion);
- var url = "https://browserid.org/verify?assertion=" + window.encodeURIComponent(assertion) +
- "&audience=" + window.encodeURIComponent(window.location.host);
- $("#oVerificationRequest").empty().text(url);
+ var url = "https://browserid.org/verify"
+ var data = {
+ assertion: assertion,
+ audience: window.location.host
+ };
+
+ $("#oVerificationRequest").empty().text("POST " + url + "\n" + JSON.stringify(data));
 $.ajax({
- url: url,
+ url: "https://browserid.org/verify",
+ type: "POST",
 dataType: "json",
+ data: data,
 success: function(data, textStatus, jqXHR) {
 $("#oVerificationResponse > pre").empty().text(JSON.stringify(data, null, 4));
 },
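Review bot: In the rp/index.html hunk the `success` callback's parameter `data` shadows the request payload `data` declared a few lines above, so the same name means the form body outside the callback and the verifier's response inside it; renaming the parameter, `success: function(result, textStatus, jqXHR) {`, keeps the two apart. The new `var url = "https://browserid.org/verify"` line has no terminating semicolon and the literal is then repeated in the `url:` option instead of reusing the variable; `var url = "https://browserid.org/verify";` and `url: url,` fix both. The `$.ajax` call still carries no `error` handler, so a network or HTTP failure leaves the response panel blank; if the demo is meant to show failures too, an `error:` callback writing `textStatus` into `#oVerificationResponse` would do it. The enclosing script function starts before the hunk. The two developers.ejs hunks are documentation-only and get no note.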
diff --git a/verifier/app.js b/verifier/app.js
index cf5833ec6ca395d917880f592adfa94ba15ba104..4fbd67b20f4cdcd56d8e9050e1ada6482eca6a50 100644
--- a/verifier/app.js
+++ b/verifier/app.js
@@ -3,31 +3,32 @@ const path = require('path'),
 fs = require('fs'),
 httputils = require('./lib/httputils.js'),
 idassertion = require('./lib/idassertion.js'),
- jwt = require('./lib/jwt.js');
+ jwt = require('./lib/jwt.js'),
+ express = require('express');
 // create the var directory if it doesn't exist
 var VAR_DIR = path.join(__dirname, "var");
 try { fs.mkdirSync(VAR_DIR, 0755); } catch(e) { }
 function doVerify(req, resp, next) {
- var assertion = req.query.assertion;
- var audience = req.query.audience;
+ var assertion = (req.query && req.query.assertion) ? req.query.assertion : req.body.assertion;
+ var audience = (req.query && req.query.audience) ? req.query.audience : req.body.audience;
 if (!(assertion && audience)) return httputils.jsonResponse(resp, {status:"failure", reason:"need assertion and audience"});
-
+
 // allow client side XHR to access this WSAPI, see
 // https://developer.mozilla.org/en/http_access_control
 // for details
 // FIXME: should we really allow this? It might encourage the wrong behavior
 resp.setHeader('Access-Control-Allow-Origin', '*');
 if (req.method === 'OPTIONS') {
- resp.setHeader('Access-Control-Allow-Methods', 'GET');
+ resp.setHeader('Access-Control-Allow-Methods', 'POST, GET');
 resp.writeHead(200);
 resp.end();
 return;
 }
-
+
 try {
 var assertionObj = new idassertion.IDAssertion(assertion);
 assertionObj
@@ -56,6 +57,8 @@ function doVerify(req, resp, next) {
 exports.varDir = VAR_DIR;
 exports.setup = function(app) {
+ app.use(express.bodyParser());
+
 // code_update is an internal api that causes the node server to
 // shut down. This should never be externally accessible and
 // is used during the dead simple deployment procedure.
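Review bot: The fallback `req.body.assertion` on the new `var assertion` line (and `req.body.audience` on the next) dereferences `req.body` unguarded, so if the body parser is not in the chain for a request, or does not initialise `req.body` for requests it does not parse, a missing parameter becomes an unhandled TypeError instead of the intended `need assertion and audience` failure response. Guard the body side the way the query side already is: `var assertion = (req.query && req.query.assertion) || (req.body && req.body.assertion);` and likewise for audience. Because the query source is still accepted and takes precedence, assertions can still travel in the URL and land in access logs and Referer headers, which is presumably what the move to POST is meant to avoid; if GET is kept only for compatibility, a one-line comment above these two lines saying so would stop the next reader from treating it as supported. doVerify continues past the end of the hunk.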
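Review bot: `app.use(express.bodyParser())` in the @@ -56 hunk mounts the parser for every route, not just the verify endpoints, so the internal `code_update` API described in the comment below also gets request bodies decoded, and depending on the installed Express/Connect version bodyParser also parses JSON and multipart uploads, without a size limit unless that version supports one, which lets any unauthenticated client make the verifier buffer arbitrarily large bodies. Limiting the middleware to the one format the RP sends, e.g. `app.use(express.urlencoded())` if this version exposes it, or passing the parser only to the verify routes, keeps the surface to what doVerify needs. The `setup` function continues past the hunk.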
@@ -73,4 +76,7 @@ exports.setup = function(app) {
 app.get('/', doVerify);
 app.get('/verify', doVerify);
+
+ app.post('/', doVerify);
+ app.post('/verify', doVerify);
 };
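Review bot: Only `app.get` and `app.post` handlers are registered for `/` and `/verify`, yet doVerify (earlier in this diff) contains an `OPTIONS` branch that emits `Access-Control-Allow-Methods`; whether that branch is ever reached depends on this Express version dispatching OPTIONS to these handlers on its own, which the diff does not show. If cross-origin callers are expected to preflight, register it explicitly next to the new lines, `app.options('/', doVerify);` and `app.options('/verify', doVerify);`, or document in a comment why a preflight is not expected for form-encoded POSTs. The `setup` function starts before the hunk.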