Class: BrowserID::Verifier::Persona

Inherits:
Object
Defined in:
lib/browserid/verifier/persona.rb

Overview

Public: This class sends the assertion to Mozilla’s Persona server for verification.

Constant Summary

VERIFICATION_SERVER =

Public: String defining the endpoint of the server to perform Persona verifications against.

'verifier.login.persona.org'
VERIFICATION_PATH =

Public: String defining the normal path to POST assertion verifications to.

'/verify'



Constructor Details

#initialize(server = VERIFICATION_SERVER, path = VERIFICATION_PATH) ⇒ Persona

Public: Constructs a new Persona verifier.

server - Domain String of the server to send assertions to for
         verifications (default: VERIFICATION_SERVER).
path   - Path String to POST to on the server (default: VERIFICATION_PATH).


# File 'lib/browserid/verifier/persona.rb', line 26

# Public: Constructs a new Persona verifier.
#
# server - Domain String of the verification server that assertions are
#          sent to (default: VERIFICATION_SERVER).
# path   - Path String to POST assertions to on that server
#          (default: VERIFICATION_PATH).
def initialize(server=VERIFICATION_SERVER, path=VERIFICATION_PATH)
  @server, @path = server, path
end

Instance Attribute Details

#path ⇒ Object

Returns the value of attribute path.



# File 'lib/browserid/verifier/persona.rb', line 9

# Public: Returns the path String on the server that assertion
# verifications are POSTed to.
def path
  @path
end

#server ⇒ Object

Returns the value of attribute server.



# File 'lib/browserid/verifier/persona.rb', line 9

# Public: Returns the domain String of the server that assertions are sent
# to for verification.
def server
  @server
end

Instance Method Details

#verify(assertion, audience) ⇒ Object

Public: Verifies a Persona assertion for a given audience.

assertion - Persona authentication assertion.
audience  - Audience String to verify the assertion against. This should be
            the URI of the service with scheme, authority, and port.

Returns a two-element Array of the authenticated email address String and the issuing domain String if the assertion is valid. Raises a RuntimeError with a failure message if the client was not successfully authenticated.

Examples

verify(assertion, "https://app.example.com:443")
# => "[email protected]", "persona.mozilla.com"


# File 'lib/browserid/verifier/persona.rb', line 47

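# Public: Verifies a Persona assertion for a given audience.
#
# assertion - Persona authentication assertion String.
# audience  - Audience String to verify the assertion against. This should
#             be the URI of the service with scheme, authority, and port.
#
# Examples
#
#   verify(assertion, "https://app.example.com:443")
#   # => ["[email protected]", "persona.mozilla.com"]
#
# Returns a two-element Array of the authenticated email address String and
# the issuing domain String if the assertion is valid.
# Raises RuntimeError with a failure message if the verifier answered with a
# non-2xx status or a non-object body, reported a failure or unknown status,
# returned a different audience or an expired assertion, or omitted the
# email address.
# Raises JSON::ParserError if the response body is not valid JSON.
def verify(assertion, audience)
  response = post_assertion(assertion, audience)
  raise "Unsuccessful response from #{@server}: #{response}" unless response.is_a?(Net::HTTPSuccess)

  authentication = JSON.parse(response.body)
  # The verifier must answer with a JSON object. Indexing anything else
  # (an array, a bare string) by 'status' would raise an unrelated TypeError
  # instead of a verification failure.
  raise "Malformed verification response from #{@server}" unless authentication.is_a?(Hash)

  check_authentication(authentication, audience)
end

# Internal: POSTs the assertion and audience to the verifier over TLS.
#
# assertion - Persona authentication assertion String.
# audience  - Audience String the assertion should be checked against.
#
# Returns the Net::HTTPResponse from the verifier.
def post_assertion(assertion, audience)
  http = Net::HTTP.new(@server, 443)
  http.use_ssl = true
  # Peer verification is Net::HTTP's default once TLS is enabled, but the
  # whole result rests on talking to the genuine verifier, so state it
  # explicitly rather than depend on the library default.
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER

  verification = Net::HTTP::Post.new(@path)
  verification.set_form_data(assertion: assertion, audience: audience)
  http.request(verification)
end
private :post_assertion

# Internal: Validates a parsed verification response.
#
# authentication - Hash parsed from the verifier's JSON body.
# audience       - Audience String the caller expects the assertion to be
#                  issued for.
#
# Returns a two-element Array of the email address String and the issuer.
# Raises RuntimeError when the status is unknown or a failure, the audience
# differs, the assertion has expired, or no email address is present.
def check_authentication(authentication, audience)
  # Authentication response is a JSON hash which must contain a 'status'
  # of "okay" or "failure".
  status = authentication['status']
  raise "Unknown authentication status '#{status}'" unless %w{okay failure}.include?(status)

  # An unsuccessful authentication response should contain a reason string.
  raise "Assertion failure: #{authentication['reason']}" unless status == "okay"

  # A successful response looks like the following:
  # {
  #   "status": "okay",
  #   "email": "[email protected]",
  #   "audience": "https://service.example.com:443",
  #   "expires": 1234567890,
  #   "issuer": "persona.mozilla.com"
  # }

  # Compare the audience exactly: accepting a response issued for another
  # origin would let an assertion meant for one site authenticate to this one.
  auth_audience = authentication['audience']
  raise "Persona assertion audience '#{auth_audience}' does not match verifier audience '#{audience}'" unless auth_audience == audience

  # 'expires' is treated as milliseconds since the epoch, hence the /1000.0.
  expires = authentication['expires'] && Time.at(authentication['expires'].to_i / 1000.0)
  raise "Persona assertion expired at #{expires}" if expires && expires < Time.now

  # A status of "okay" without an email would otherwise return a nil
  # identity to the caller; treat it as a failed verification instead.
  email = authentication['email']
  raise "Persona assertion did not contain an email address" unless email.is_a?(String) && !email.empty?

  [email, authentication['issuer']]
end
private :check_authentication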