.well-known/vep is now .well-known/browserid and browserid itself has such a file. closes #865

lib/browserid/views.js

@@ -116,13 +116,28 @@ exports.setup = function(app) {
 
   try {
     const publicKey = secrets.loadPublicKey();
+    const pkAsString = JSON.stringify(publicKey.toSimpleObject());
   } catch(e){
     logger.error("can't read public key, exiting: " + e);
-    setTimeout(function() { process.exit(1); }, 0);
+    process.nextTick(function() { process.exit(1); });
   }
 
-  // the public key
+  // the public key (This location is DEPRECATED)
   app.get("/pk", function(req, res) {
     res.json(publicKey.toSimpleObject());
   });
+
+  // the "declaration of support" style publishing of the public key.
+  // BrowserID.org is a (uh, THE) secondary, it should publish its key
+  // in a manner that is symmetric with how primaries do.  At present,
+  // the absence of 'provisioning' and 'authentication' keys indicates
+  // that this is a secondary, and verifiers should only trust
+  // browserid.org as a secondary (and anyone else they decide to for
+  // whatever reason).
+  app.get("/.well-known/browserid", function(req, res) {
+    res.render('declaration_of_support.ejs', {
+      key: pkAsString,
+      layout: false
+    });
+  });
 };

lib/primary.js

@@ -48,9 +48,9 @@ vep = require("jwcrypto/vep"),
 jwt = require("jwcrypto/jwt"),
 config = require("./configuration.js");
 
-const WELL_KNOWN_URL = "/.well-known/vep";
+const WELL_KNOWN_URL = "/.well-known/browserid";
 
-// cache .well-known/vep for six hours
+// cache .well-known/browserid for six hours
 const MAX_CACHE_MS = (6 * 60 * 60 * 1000);
 
 function parseWellKnownBody(body, domain) {
@@ -150,13 +150,13 @@ exports.checkSupport = function(domain, cb) {
 
 // Support "shimmed primaries" for local development.  That is an environment variable that is any number of
 // CSV values of the form:
-//  <domain>|<origin>|<path to .well-known/vep>,
+//  <domain>|<origin>|<path to .well-known/browserid>,
 // where 'domain' is the domain that we would like to shim.  'origin' is the origin to which traffic should
-// be directed, and 'path to .well-known/vep' is a path to the vep file for the domain
+// be directed, and 'path to .well-known/browserid' is a path to the browserid file for the domain
 //
 // defining this env var will pre-seed the cache so local testing can take place.  example:
 //
-// SHIMMED_PRIMARIES=eyedee.me|http://127.0.0.1:10005|example/primary/.well-known/vep
+// SHIMMED_PRIMARIES=eyedee.me|http://127.0.0.1:10005|example/primary/.well-known/browserid
 
 if (process.env['SHIMMED_PRIMARIES']) {
   var shims = process.env['SHIMMED_PRIMARIES'].split(',');

resources/views/declaration_of_support.ejs

+{
+    "public-key": <%- key %>
+}

scripts/run_locally.js

@@ -47,7 +47,7 @@ var daemonsToRun = {
 
 // all spawned process that use handle primaries should know about "shimmed"
 // primaries
-process.env['SHIMMED_PRIMARIES'] = "example.domain|http://" + HOST + ":10005|" + path.join(__dirname, "..", "example", "primary", ".well-known", "vep");
+process.env['SHIMMED_PRIMARIES'] = "example.domain|http://" + HOST + ":10005|" + path.join(__dirname, "..", "example", "primary", ".well-known", "browserid");
 
 // all spawned processes should log to console
 process.env['LOG_TO_CONSOLE'] = 1;

tests/page-requests-test.js

@@ -64,6 +64,7 @@ suite.addBatch({
   'GET /verify_email_address':   respondsWith(200),
   'GET /add_email_address':      respondsWith(200),
   'GET /pk':                     respondsWith(200),
+  'GET /.well-known/browserid':  respondsWith(200),
   'GET /signin':                 respondsWith(200),
   'GET /unsupported_dialog':     respondsWith(200),
   'GET /developers':             respondsWith(200),