Module: Sinatra::BrowserID

Defined in:
lib/sinatra/browserid.rb,
lib/sinatra/browserid/helpers.rb,
lib/sinatra/browserid/template.rb

Defined Under Namespace

Modules: Helpers, Templates

Class Method Summary collapse

Class Method Details

.registered(app) ⇒ Object 



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
 
# File 'lib/sinatra/browserid.rb', line 36

def self.registered(app)
    app.helpers BrowserID::Helpers

    app.set :browserid_url, "https://broker.portier.io"
    app.set :browserid_login_button, :red
    app.set :browserid_login_url, "/_browserid_login"
    app.set :browserid_button_class, ""
    app.set :browserid_button_text, "Log in"

    app.get '/_browserid_login' do
        
    end

  app.post '/_browserid_assert' do
      begin
          # Server checks signature
          # For that, fetch the public key from the LA instance (TODO: Do that beforehand for trusted instances, and generally cache the key)
          public_key_jwks_uri = Addressable::URI.parse(settings.browserid_url + '/keys.json')
          public_key_jwks = ::JSON.parse(URI.parse(public_key_jwks_uri).read)
          public_key = OpenSSL::PKey::RSA.new
          if public_key.respond_to? :set_key
            # We initially set n and d via the then new set_key function, as direct access to n and e is blocked for some ruby and openssl versions.
            # But with OpenSSL 3 this function throws an error, as keys are immutable now. Instead we have to generate the key directly with
            # the right params, as in https://github.com/railslove/epics/issues/138
            sequence = []
            # modulus:
            sequence << OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2))
            # exponent:
            sequence << OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2))

            public_key = OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence(sequence).to_der)
          else
            public_key.e = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["e"]), 2 
            public_key.n = OpenSSL::BN.new UrlSafeBase64.decode64(public_key_jwks["keys"][0]["n"]), 2
          end
          
          id_token = JWT.decode params[:id_token], public_key, true, { :algorithm => 'RS256' }
          id_token = id_token[0]
          # Needs to make sure token is still valid
          if (id_token["iss"] == settings.browserid_url &&
              id_token["aud"] == request.base_url.chomp('/') &&        
              id_token["exp"] > Time.now.to_i &&
              id_token["email_verified"] &&
              # nonce is really known to us
              Cachy.get(id_token["nonce"]))
                  session[:browserid_email] = id_token['email']
                  Cachy.delete_key(id_token["nonce"])
                  session.delete(:nonce)  # it's possible the session persisted
                  if session['redirect_url']
                    redirect session['redirect_url']
                  else
                    redirect "/"
                  end
          else
            # Even when the token check failed the nonce has to be invalidated
            Cachy.delete_key(id_token["nonce"])
            session.delete(:nonce)
          end
      rescue OpenURI::HTTPError => e
          puts "could not validate token: " + e.to_s
      end
      halt 403
      
    end
end