From e057a6f9b01185965caf77295556c76e31c54703 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Tue, 21 Jun 2011 14:02:42 -0600
Subject: [PATCH] return the string encoded JWT to the client, don't wrap it in
 a magic object as it might guide developers into trusting something that is
 untrustworthy.  closes #33

---
 browserid/static/include.js | 31 ++++---------------------------
 rp/index.html               | 15 +--------------
 2 files changed, 5 insertions(+), 41 deletions(-)

diff --git a/browserid/static/include.js b/browserid/static/include.js
index 4bffd6545..56cc35534 100644
--- a/browserid/static/include.js
+++ b/browserid/static/include.js
@@ -525,29 +525,6 @@ if (!navigator.id.getVerifiedEmail || navigator.id._getVerifiedEmailIsShimmed)
     };
   })();
 
-  function JWTWrapper(jwtBlob) {
-    var obj = {
-      jwt: jwtBlob,
-      email: undefined,
-      audience: undefined,
-      issuer: undefined,
-      "valid-until": undefined,
-      toString: function() { return this.jwt; }
-    };
-    // attempt to decode the middle part of the assertion to populate object keys
-    try {
-      var jwtContents = JSON.parse(window.atob(jwtBlob.split(".")[1]));
-      for (var k in obj) {
-        if (obj.hasOwnProperty(k) && obj[k] === undefined) {
-          if (typeof jwtContents[k] === 'string' || typeof jwtContents[k] === 'number') obj[k] = jwtContents[k];
-        }
-      }
-    } catch(e) {
-      // failure is an option.
-    }
-
-    return obj;
-  }
 
   var chan = undefined;
 
@@ -582,8 +559,8 @@ if (!navigator.id.getVerifiedEmail || navigator.id._getVerifiedEmailIsShimmed)
       method: "getVerifiedEmail",
       success: function(rv) {
         if (callback) {
-          // wrap the raw JWT with a handy dandy object that exposes everything in a readable form
-          callback(JWTWrapper(rv));
+          // return the string representation of the JWT, the client is responsible for unpacking it.
+          callback(rv);
         }
         cleanup();
       },
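Review bot: The replacement comment above `callback(rv)` says only that the client is responsible for unpacking the JWT, but not the reason the wrapper was removed, which is the one thing a caller needs to know at this call site. Suggest `// rv is the raw signed assertion string. Nothing here has checked its signature or claims; the relying party must submit it to the verifier before trusting any of them.` The same one-line comment is repeated above `onsuccess(rv)` in the next hunk and should be updated in step. The request object and the enclosing getVerifiedEmail handler begin and end outside this hunk.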
@@ -659,8 +636,8 @@ if (!navigator.id.getVerifiedEmail || navigator.id._getVerifiedEmailIsShimmed)
       params: [email, token],
       success: function(rv) {
         if (onsuccess) {
-          // wrap the raw JWT with a handy dandy object that exposes everything in a readable form
-          onsuccess(JWTWrapper(rv));
+          // return the string representation of the JWT, the client is responsible for unpacking it.
+          onsuccess(rv);
         }
         cleanup();
       },
diff --git a/rp/index.html b/rp/index.html
index c331e8d58..ccab62f54 100644
--- a/rp/index.html
+++ b/rp/index.html
@@ -81,19 +81,6 @@ a:hover { border-bottom: 2px solid black ; }
 <script src="jquery-min.js"></script>
 <script src="https://browserid.org/include.js"></script>
 <script>
-  function dumpObject(obj) {
-    var htmlRep = "";
-    for (var k in obj) {
-      if (obj.hasOwnProperty(k) && typeof obj[k] === 'string') {
-        htmlRep += "<b>" + k + ":</b> " + obj[k] + "<br/>";
-      } else if (k === 'valid-until') {
-        htmlRep += "<b>" + k + ":</b> " + (new Date(obj[k])).toString() + "<br/>";
-      }
-
-    }
-    return htmlRep;
-  }
-
   $(document).ready(function() {
     $("#partyStarter").click(function() {
       navigator.id.getVerifiedEmail(function(assertion) {
@@ -101,7 +88,7 @@ a:hover { border-bottom: 2px solid black ; }
           alert("couldn't get the users email address!"); 
         } else {
           // Now we'll send this assertion over to the verification server for validation
-          $("#oAssertion").empty().html(dumpObject(assertion));
+          $("#oAssertion").empty().text(assertion);
 
           var url = "http://browserid.org/verify?assertion=" + window.encodeURIComponent(assertion) +
                     "&audience=" + window.encodeURIComponent(window.location.host);
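Review bot: The verify request assembled on the two lines after the changed one still targets `http://browserid.org/verify`, so the assertion just obtained is sent to the verifier in cleartext where an on-path observer can read it. The page already loads include.js from `https://browserid.org/include.js`, so the verifier URL should use the same scheme: `var url = "https://browserid.org/verify?assertion=" + window.encodeURIComponent(assertion) +`. Switching the display from `.html(dumpObject(assertion))` to `.text(assertion)` is the right call, since the assertion's contents are not yet verified and must not be rendered as markup. The click handler and the getVerifiedEmail callback begin and end outside this hunk.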
-- 
GitLab