From e7774d44ae78ef021f044a31ec6ee5fdbf638d09 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Tue, 10 Jan 2012 13:28:47 -0700
Subject: [PATCH] .well-known/vep is now .well-known/browserid and browserid
 itself has such a file.  closes #865

---
 .../primary/.well-known/{vep => browserid}    |  0
 lib/browserid/views.js                        | 19 +++++++++++++++++--
 lib/primary.js                                | 10 +++++-----
 resources/views/declaration_of_support.ejs    |  3 +++
 scripts/run_locally.js                        |  2 +-
 tests/page-requests-test.js                   |  1 +
 6 files changed, 27 insertions(+), 8 deletions(-)
 rename example/primary/.well-known/{vep => browserid} (100%)
 create mode 100644 resources/views/declaration_of_support.ejs

diff --git a/example/primary/.well-known/vep b/example/primary/.well-known/browserid
similarity index 100%
rename from example/primary/.well-known/vep
rename to example/primary/.well-known/browserid
diff --git a/lib/browserid/views.js b/lib/browserid/views.js
index 43b25bcb2..92801b915 100644
--- a/lib/browserid/views.js
+++ b/lib/browserid/views.js
@@ -116,13 +116,28 @@ exports.setup = function(app) {
 
   try {
     const publicKey = secrets.loadPublicKey();
+    const pkAsString = JSON.stringify(publicKey.toSimpleObject());
   } catch(e){
     logger.error("can't read public key, exiting: " + e);
-    setTimeout(function() { process.exit(1); }, 0);
+    process.nextTick(function() { process.exit(1); });
   }
 
-  // the public key
+  // the public key (This location is DEPRECATED)
   app.get("/pk", function(req, res) {
     res.json(publicKey.toSimpleObject());
   });
+
+  // the "declaration of support" style publishing of the public key.
+  // BrowserID.org is a (uh, THE) secondary, it should publish its key
+  // in a manner that is symmetric with how primaries do.  At present,
+  // the absence of 'provisioning' and 'authentication' keys indicates
+  // that this is a secondary, and verifiers should only trust
+  // browserid.org as a secondary (and anyone else they decide to for
+  // whatever reason).
+  app.get("/.well-known/browserid", function(req, res) {
+    res.render('declaration_of_support.ejs', {
+      key: pkAsString,
+      layout: false
+    });
+  });
 };
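Review bot: The new `/.well-known/browserid` handler builds a JSON document through an EJS template with unescaped output (`<%- key %>` in declaration_of_support.ejs), and `res.render` will normally label the response `text/html` unless a content type is set somewhere outside this hunk. Since the body is key material that verifiers parse, I would emit it the same way `/pk` does, `res.json({ 'public-key': publicKey.toSimpleObject() });`, which sets the JSON content type and removes the need for a raw-output template. Separately, `publicKey` and `pkAsString` are declared with `const` inside the `try` block but read in the route handlers after it; that only works where `const` is function-scoped, so hoisting the declarations above the `try` (as `var`) would make the intent explicit. `exports.setup` begins above the hunk.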
diff --git a/lib/primary.js b/lib/primary.js
index 9bf190e9c..3ec678df4 100644
--- a/lib/primary.js
+++ b/lib/primary.js
@@ -48,9 +48,9 @@ vep = require("jwcrypto/vep"),
 jwt = require("jwcrypto/jwt"),
 config = require("./configuration.js");
 
-const WELL_KNOWN_URL = "/.well-known/vep";
+const WELL_KNOWN_URL = "/.well-known/browserid";
 
-// cache .well-known/vep for six hours
+// cache .well-known/browserid for six hours
 const MAX_CACHE_MS = (6 * 60 * 60 * 1000);
 
 function parseWellKnownBody(body, domain) {
@@ -150,13 +150,13 @@ exports.checkSupport = function(domain, cb) {
 
 // Support "shimmed primaries" for local development.  That is an environment variable that is any number of
 // CSV values of the form:
-//  <domain>|<origin>|<path to .well-known/vep>,
+//  <domain>|<origin>|<path to .well-known/browserid>,
 // where 'domain' is the domain that we would like to shim.  'origin' is the origin to which traffic should
-// be directed, and 'path to .well-known/vep' is a path to the vep file for the domain
+// be directed, and 'path to .well-known/browserid' is a path to the browserid file for the domain
 //
 // defining this env var will pre-seed the cache so local testing can take place.  example:
 //
-// SHIMMED_PRIMARIES=eyedee.me|http://127.0.0.1:10005|example/primary/.well-known/vep
+// SHIMMED_PRIMARIES=eyedee.me|http://127.0.0.1:10005|example/primary/.well-known/browserid
 
 if (process.env['SHIMMED_PRIMARIES']) {
   var shims = process.env['SHIMMED_PRIMARIES'].split(',');
diff --git a/resources/views/declaration_of_support.ejs b/resources/views/declaration_of_support.ejs
new file mode 100644
index 000000000..a7381f0c7
--- /dev/null
+++ b/resources/views/declaration_of_support.ejs
@@ -0,0 +1,3 @@
+{
+    "public-key": <%- key %>
+}
diff --git a/scripts/run_locally.js b/scripts/run_locally.js
index 36d92d779..e7da1212a 100755
--- a/scripts/run_locally.js
+++ b/scripts/run_locally.js
@@ -47,7 +47,7 @@ var daemonsToRun = {
 
 // all spawned process that use handle primaries should know about "shimmed"
 // primaries
-process.env['SHIMMED_PRIMARIES'] = "example.domain|http://" + HOST + ":10005|" + path.join(__dirname, "..", "example", "primary", ".well-known", "vep");
+process.env['SHIMMED_PRIMARIES'] = "example.domain|http://" + HOST + ":10005|" + path.join(__dirname, "..", "example", "primary", ".well-known", "browserid");
 
 // all spawned processes should log to console
 process.env['LOG_TO_CONSOLE'] = 1;
diff --git a/tests/page-requests-test.js b/tests/page-requests-test.js
index d5ca4a5c0..7e193cecf 100755
--- a/tests/page-requests-test.js
+++ b/tests/page-requests-test.js
@@ -64,6 +64,7 @@ suite.addBatch({
   'GET /verify_email_address':   respondsWith(200),
   'GET /add_email_address':      respondsWith(200),
   'GET /pk':                     respondsWith(200),
+  'GET /.well-known/browserid':  respondsWith(200),
   'GET /signin':                 respondsWith(200),
   'GET /unsupported_dialog':     respondsWith(200),
   'GET /developers':             respondsWith(200),
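Review bot: The added `'GET /.well-known/browserid'` entry only asserts a 200 status, so it would still pass if the template produced invalid JSON or rendered an undefined key. Because verifiers depend on this document to obtain the public key, a dedicated check that parses the body and asserts the key is present would be worth adding, along the lines of `assert.ok(JSON.parse(body)['public-key']);`. The `suite.addBatch` call starts above the hunk and continues below it, so how the response body is reached in this suite is not visible here.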
-- 
GitLab