fxa/packages/browserid-verifier
Jared Hirsch 7d2151465d
fix(deps): Upgrade convict to resolve yargs-parser nsp advisory 1500
2020-05-11 11:39:54 -07:00
..
config chore(style): added prettier to browserid-verifier 2019-06-25 09:36:41 -07:00
lib refactor(config): replace 127.0.0.1 with localhost 2020-04-15 13:55:42 -07:00
loadtest Hack around OSX python build problems 2014-05-15 00:46:39 -07:00
tests fix(test): fixed browserid-verifier version tests 2020-03-09 13:03:20 -07:00
.eslintrc task(monorepo): eslint consolidation 2019-11-15 23:24:09 +00:00
.nsprc chore(deps): Updates to address nsp advisory 1179 2020-03-19 10:42:24 -07:00
.prettierignore chore(style): added prettier to browserid-verifier 2019-06-25 09:36:41 -07:00
.prettierrc chore(style): added prettier to browserid-verifier 2019-06-25 09:36:41 -07:00
CODE_OF_CONDUCT.md chore(style): added prettier to browserid-verifier 2019-06-25 09:36:41 -07:00
LICENSE import existing verifier from persona repo 2013-11-23 15:05:45 +02:00
README.md docs(all): update readmes across all packages to improve testing documentation 2020-05-06 12:02:21 -04:00
package-lock.json fix(deps): Upgrade convict to resolve yargs-parser nsp advisory 1500 2020-05-11 11:39:54 -07:00
package.json fix(deps): Upgrade convict to resolve yargs-parser nsp advisory 1500 2020-05-11 11:39:54 -07:00
pm2.config.js refactor(pm2): restructure our pm2 configs 2020-04-14 14:38:38 -07:00
server.js Remove `ass` dependency from server.js 2014-04-21 17:30:06 -07:00

README.md

Docker Build Status

A BrowserID verification server

This repository contains a flexible BrowserID verification server authored in Node.JS which uses the local verification library.

Getting Started

To run the verification server locally:

$ git clone git://github.com/mozilla/browserid-verifier
$ cd browserid-verifier
$ npm install
$ npm start

At this point, your verifier will be running and available to use locally over HTTP.

Configuration

There are several configuration variables which can change the behavior of the server. You can inspect available configuration variables in lib/config.js. You can specify a set of json configuration files using the CONFIG_FILES environment variable (separate each path with a comma (,)). Finally, you can inspect the current server configuration with:

$ node ./lib/server.js -c

Health Checks

The server exports an endpoint at /status that can be polled for server health. When the server is healthy, a 200 HTTP response is returned with a body of OK.

Testing

This package uses Mocha to test its code. By default npm test will test all JS files under tests/.

Test specific tests with the following commands:

# Test only tests/health-check.js
npx mocha tests/health-check.js

# Grep for "test servers should start"
npx mocha -g "test servers should start"

Refer to Mocha's CLI documentation for more advanced test configuration.

API

The server exports an HTTP endpoint at /v2 that can be POSTed to verify BrowserID assertions. Arguments may be provided inside a JSON object. The following are required:

  1. Requests must be an HTTP POST.
  2. Content-Type must equal application/json
  3. POST body must be valid JSON.

The following arguments are supported:

required (string) assertion

A BrowserID assertion

required (string) audience

The origin of the site to which the assertion is expected to be bound.

optional (array of strings) trustedIssuers

An array of domain names that are trusted issuers. Assertions signed by any of the domains in this set will be honored regardless of the presence of a subject or principal in a BrowserID assertion.

Error Response

Example:

$ curl -H 'Content-Type: application/json' \
  -d '{ "audience": "http://example.com", "assertion": "bogus" }' \
  https://verifier.mozcloud.org/v2
{
  "status": "failure",
  "reason": "no certificates provided"
}

Upon failure, the verifier returns a non-200 HTTP status code. Additionally, the response body contains a JSON formated response containing a status key with the value of failure. Additionally, more verbose developer readable information will be available in a string value on the reason key.

Success Response

Example:

$ curl -H 'Content-Type: application/json' \
  -d '{ "audience": "http://123done.org" , "assertion": "eyJhbG...ZEe7A" }'
  https://verifier.mozcloud.org/v2
{
  "audience": "http://123done.org",
  "expires": 1389791993675,
  "issuer": "mockmyid.com",
  "email": "lloyd@mockmyid.com",
  "status": "okay"
}

Upon successful assertion verification, a 200 response will be sent with a JSON formatted body. The body will always include audience, issuer, status (of "okay"), and expires.

Extra IdP claims

The verifier will extract any number of additional claims from the Identity Certificate generated by the Identity Provider. These claims will be returned under a idpClaims top level key in the success response. Hence, an identity certificate which looks like this:

{
  "pubkey": { "...": "..." },
  "sub": "60ae5097-8118-4c58-bb80-7db2742d137e",
  "iat": 1389964111,
  "exp": 1421500111,
  "iss": "example.com",
  "fxa-version": 1,
  "fxa-generation": 504,
  "email": "user@example.com"
}

Upon successful verification (which could only occur via .trustedIssuers because authority lookup will fail), will result in a verifier response like this:

{
  "audience": "...",
  "expires": 1421500111,
  "issuer": "example.com",
  "idpClaims": {
    "fxa-version": 1,
    "fxa-generation": 504,
    "email": "user@example.com"
  },
  "status": "okay"
}