browserid-provider 0.4.3

data/.gitignore

@@ -0,0 +1,5 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*
+config

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in browserid-provider.gemspec
+gemspec

data/README.md

@@ -0,0 +1,90 @@
+# A Rack BrowserID Provider
+
+Become a Mozilla BrowserID Primary Identity Provider.
+
+This is a Rack middleware for providing the BrowserID Primary Identity
+service. I have so far tested this only with Ruby on Rails.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'browserid-provider'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install browserid-provider
+
+## Usage
+
+In you Rails app config/application.rb, add:
+
+```ruby
+  config.middleware.use BrowserID::Provider({:authentication_path => "/login" })
+```
+
+The default setup relies on Warden to see which user is logged in. This
+can easily be customized to fit any middleware function.
+
+The available configuration options are the following:
+
+```ruby
+  #
+  # authentication_path       Where to redirect users for login
+  #                           defaults to: "/users/sign_in" (Devise default)
+  #
+  # provision_path            What HTTP path to deliver provisioning from
+  #                           defaults to: "/browserid/provision"
+  # certify_path              What HTTP path to deliver certifying from
+  #                           defaults to: "/browserid/certify"
+  # whoami_path               What HTTP path to serve user credentials at
+  #                           defaults to: "/browserid/whoami"
+  #
+  # whoami                    What function to call for the current user object (must respond to :email method)
+  #                           defaults to: "@env['warden'].user"
+  #
+  # private_key_path          Where is the BrowserID OpenSSL private key located
+  #                           defaults to: "config/browserid_provider.pem"
+  #
+  # The "/.well-known/browserid" path is required from the BrowserID spec and used here.
+  #
+  # browserid_url             Which BrowserID server to use, ca be one of the following:
+  #                           * dev.diresworb.org for development (default)
+  #                           * diresworb.org     for beta
+  #                           * browserid.org     for production
+  #
+  # server_name               The domain name we are providing BrowserID for (default to example.org)
+  #
+```
+
+The client side is JavaScript enabled. For Rails use:
+
+```erb
+    <%= browserid_authentication_tag %>
+    <!-- Enable BrowserID authentication API on the form #new_user -->
+    <%= enable_browserid_javascript_tag "new_user" %>
+```
+
+In your login form, add a cancel button like this:
+
+```erb
+  <%= button_to_function "Cancel", "navigator.id.cancelAuthentication()" %>
+```
+
+Without Rails view helpers (in any framework), you can do:
+
+```javascript
+  $('form#new_user').bind('ajax:success', function(data, status, xhr) { navigator.id.completeAuthentication() })
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/app/assets/browserid/404.html.erb

@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title>404 - BrowserID</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta name="description" content="">
+    <meta name="author" content="">
+
+    <!-- Le styles -->
+    <style>
+      <%= BrowserID::Template.css_styles %>
+      body {
+        padding-top: 60px; /* 60px to make the container go all the way to the bottom of the topbar */
+      }
+      .hero-unit img {
+        float: right;
+      }
+    </style>
+
+    <!-- Le HTML5 shim, for IE6-8 support of HTML5 elements -->
+    <!--[if lt IE 9]>
+      <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
+    <![endif]-->
+  </head>
+
+  <body>
+  <div class="hero-unit">
+  <h1>404</h1>
+  <p>No BrowserID content found here.
+  <img src="https://github.com/mozilla/browserid/raw/dev/resources/assets/browserID-366x72.png" alt="BrowserID" />
+  </p>
+  <p>
+    <a class="btn btn-primary btn-large">
+      Learn more
+    </a>
+  </p>
+  </div>
+  </body>
+</html>

data/app/assets/browserid/bootstrap.css

@@ -0,0 +1,373 @@
+/*!
+ * Bootstrap v2.0.2
+ *
+ * Copyright 2012 Twitter, Inc
+ * Licensed under the Apache License v2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Designed and built with all the love in the world @twitter by @mdo and @fat.
+ */
+.clearfix {
+  *zoom: 1;
+}
+.clearfix:before,
+.clearfix:after {
+  display: table;
+  content: "";
+}
+.clearfix:after {
+  clear: both;
+}
+.hide-text {
+  overflow: hidden;
+  text-indent: 100%;
+  white-space: nowrap;
+}
+.input-block-level {
+  display: block;
+  width: 100%;
+  min-height: 28px;
+  /* Make inputs at least the height of their button counterpart */
+
+  /* Makes inputs behave like true block-level elements */
+
+  -webkit-box-sizing: border-box;
+  -moz-box-sizing: border-box;
+  -ms-box-sizing: border-box;
+  box-sizing: border-box;
+}
+article,
+aside,
+details,
+figcaption,
+figure,
+footer,
+header,
+hgroup,
+nav,
+section {
+  display: block;
+}
+audio,
+canvas,
+video {
+  display: inline-block;
+  *display: inline;
+  *zoom: 1;
+}
+audio:not([controls]) {
+  display: none;
+}
+html {
+  font-size: 100%;
+  -webkit-text-size-adjust: 100%;
+  -ms-text-size-adjust: 100%;
+}
+a:focus {
+  outline: thin dotted #333;
+  outline: 5px auto -webkit-focus-ring-color;
+  outline-offset: -2px;
+}
+a:hover,
+a:active {
+  outline: 0;
+}
+sub,
+sup {
+  position: relative;
+  font-size: 75%;
+  line-height: 0;
+  vertical-align: baseline;
+}
+sup {
+  top: -0.5em;
+}
+sub {
+  bottom: -0.25em;
+}
+img {
+  height: auto;
+  border: 0;
+  -ms-interpolation-mode: bicubic;
+  vertical-align: middle;
+}
+button,
+input,
+select,
+textarea {
+  margin: 0;
+  font-size: 100%;
+  vertical-align: middle;
+}
+button,
+input {
+  *overflow: visible;
+  line-height: normal;
+}
+button::-moz-focus-inner,
+input::-moz-focus-inner {
+  padding: 0;
+  border: 0;
+}
+button,
+input[type="button"],
+input[type="reset"],
+input[type="submit"] {
+  cursor: pointer;
+  -webkit-appearance: button;
+}
+input[type="search"] {
+  -webkit-appearance: textfield;
+  -webkit-box-sizing: content-box;
+  -moz-box-sizing: content-box;
+  box-sizing: content-box;
+}
+input[type="search"]::-webkit-search-decoration,
+input[type="search"]::-webkit-search-cancel-button {
+  -webkit-appearance: none;
+}
+textarea {
+  overflow: auto;
+  vertical-align: top;
+}
+body {
+  margin: 0;
+  font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+  font-size: 13px;
+  line-height: 18px;
+  color: #333333;
+  background-color: #ffffff;
+}
+a {
+  color: #0088cc;
+  text-decoration: none;
+}
+a:hover {
+  color: #005580;
+  text-decoration: underline;
+}
+p {
+  margin: 0 0 9px;
+  font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
+  font-size: 13px;
+  line-height: 18px;
+}
+p small {
+  font-size: 11px;
+  color: #999999;
+}
+.lead {
+  margin-bottom: 18px;
+  font-size: 20px;
+  font-weight: 200;
+  line-height: 27px;
+}
+h1,
+h2,
+h3,
+h4,
+h5,
+h6 {
+  margin: 0;
+  font-family: inherit;
+  font-weight: bold;
+  color: inherit;
+  text-rendering: optimizelegibility;
+}
+h1 small,
+h2 small,
+h3 small,
+h4 small,
+h5 small,
+h6 small {
+  font-weight: normal;
+  color: #999999;
+}
+h1 {
+  font-size: 30px;
+  line-height: 36px;
+}
+h1 small {
+  font-size: 18px;
+}
+h2 {
+  font-size: 24px;
+  line-height: 36px;
+}
+h2 small {
+  font-size: 18px;
+}
+h3 {
+  line-height: 27px;
+  font-size: 18px;
+}
+h3 small {
+  font-size: 14px;
+}
+h4,
+h5,
+h6 {
+  line-height: 18px;
+}
+h4 {
+  font-size: 14px;
+}
+h4 small {
+  font-size: 12px;
+}
+h5 {
+  font-size: 12px;
+}
+h6 {
+  font-size: 11px;
+  color: #999999;
+  text-transform: uppercase;
+}
+.page-header {
+  padding-bottom: 17px;
+  margin: 18px 0;
+  border-bottom: 1px solid #eeeeee;
+}
+.page-header h1 {
+  line-height: 1;
+}
+ul,
+ol {
+  padding: 0;
+  margin: 0 0 9px 25px;
+}
+ul ul,
+ul ol,
+ol ol,
+ol ul {
+  margin-bottom: 0;
+}
+ul {
+  list-style: disc;
+}
+ol {
+  list-style: decimal;
+}
+li {
+  line-height: 18px;
+}
+ul.unstyled,
+ol.unstyled {
+  margin-left: 0;
+  list-style: none;
+}
+dl {
+  margin-bottom: 18px;
+}
+dt,
+dd {
+  line-height: 18px;
+}
+dt {
+  font-weight: bold;
+  line-height: 17px;
+}
+dd {
+  margin-left: 9px;
+}
+.dl-horizontal dt {
+  float: left;
+  clear: left;
+  width: 120px;
+  text-align: right;
+}
+.dl-horizontal dd {
+  margin-left: 130px;
+}
+hr {
+  margin: 18px 0;
+  border: 0;
+  border-top: 1px solid #eeeeee;
+  border-bottom: 1px solid #ffffff;
+}
+strong {
+  font-weight: bold;
+}
+em {
+  font-style: italic;
+}
+.muted {
+  color: #999999;
+}
+abbr[title] {
+  border-bottom: 1px dotted #ddd;
+  cursor: help;
+}
+abbr.initialism {
+  font-size: 90%;
+  text-transform: uppercase;
+}
+blockquote {
+  padding: 0 0 0 15px;
+  margin: 0 0 18px;
+  border-left: 5px solid #eeeeee;
+}
+blockquote p {
+  margin-bottom: 0;
+  font-size: 16px;
+  font-weight: 300;
+  line-height: 22.5px;
+}
+blockquote small {
+  display: block;
+  line-height: 18px;
+  color: #999999;
+}
+blockquote small:before {
+  content: '\2014 \00A0';
+}
+blockquote.pull-right {
+  float: right;
+  padding-left: 0;
+  padding-right: 15px;
+  border-left: 0;
+  border-right: 5px solid #eeeeee;
+}
+blockquote.pull-right p,
+blockquote.pull-right small {
+  text-align: right;
+}
+q:before,
+q:after,
+blockquote:before,
+blockquote:after {
+  content: "";
+}
+address {
+  display: block;
+  margin-bottom: 18px;
+  line-height: 18px;
+  font-style: normal;
+}
+small {
+  font-size: 100%;
+}
+cite {
+  font-style: normal;
+}
+.hero-unit {
+  padding: 60px;
+  margin-bottom: 30px;
+  background-color: #eeeeee;
+  -webkit-border-radius: 6px;
+  -moz-border-radius: 6px;
+  border-radius: 6px;
+}
+.hero-unit h1 {
+  margin-bottom: 0;
+  font-size: 60px;
+  line-height: 1;
+  color: inherit;
+  letter-spacing: -1px;
+}
+.hero-unit p {
+  font-size: 18px;
+  font-weight: 200;
+  line-height: 27px;
+  color: inherit;
+}

data/app/assets/browserid/bootstrap.min.css

@@ -0,0 +1,72 @@
+/*!
+ * Bootstrap v2.0.2
+ *
+ * Copyright 2012 Twitter, Inc
+ * Licensed under the Apache License v2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Designed and built with all the love in the world @twitter by @mdo and @fat.
+ */
+.clearfix{*zoom:1;}.clearfix:before,.clearfix:after{display:table;content:"";}
+.clearfix:after{clear:both;}
+.hide-text{overflow:hidden;text-indent:100%;white-space:nowrap;}
+.input-block-level{display:block;width:100%;min-height:28px;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;-ms-box-sizing:border-box;box-sizing:border-box;}
+article,aside,details,figcaption,figure,footer,header,hgroup,nav,section{display:block;}
+audio,canvas,video{display:inline-block;*display:inline;*zoom:1;}
+audio:not([controls]){display:none;}
+html{font-size:100%;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%;}
+a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px;}
+a:hover,a:active{outline:0;}
+sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline;}
+sup{top:-0.5em;}
+sub{bottom:-0.25em;}
+img{height:auto;border:0;-ms-interpolation-mode:bicubic;vertical-align:middle;}
+button,input,select,textarea{margin:0;font-size:100%;vertical-align:middle;}
+button,input{*overflow:visible;line-height:normal;}
+button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0;}
+button,input[type="button"],input[type="reset"],input[type="submit"]{cursor:pointer;-webkit-appearance:button;}
+input[type="search"]{-webkit-appearance:textfield;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;}
+input[type="search"]::-webkit-search-decoration,input[type="search"]::-webkit-search-cancel-button{-webkit-appearance:none;}
+textarea{overflow:auto;vertical-align:top;}
+body{margin:0;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;line-height:18px;color:#333333;background-color:#ffffff;}
+a{color:#0088cc;text-decoration:none;}
+a:hover{color:#005580;text-decoration:underline;}
+p{margin:0 0 9px;font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:13px;line-height:18px;}p small{font-size:11px;color:#999999;}
+.lead{margin-bottom:18px;font-size:20px;font-weight:200;line-height:27px;}
+h1,h2,h3,h4,h5,h6{margin:0;font-family:inherit;font-weight:bold;color:inherit;text-rendering:optimizelegibility;}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small{font-weight:normal;color:#999999;}
+h1{font-size:30px;line-height:36px;}h1 small{font-size:18px;}
+h2{font-size:24px;line-height:36px;}h2 small{font-size:18px;}
+h3{line-height:27px;font-size:18px;}h3 small{font-size:14px;}
+h4,h5,h6{line-height:18px;}
+h4{font-size:14px;}h4 small{font-size:12px;}
+h5{font-size:12px;}
+h6{font-size:11px;color:#999999;text-transform:uppercase;}
+.page-header{padding-bottom:17px;margin:18px 0;border-bottom:1px solid #eeeeee;}
+.page-header h1{line-height:1;}
+ul,ol{padding:0;margin:0 0 9px 25px;}
+ul ul,ul ol,ol ol,ol ul{margin-bottom:0;}
+ul{list-style:disc;}
+ol{list-style:decimal;}
+li{line-height:18px;}
+ul.unstyled,ol.unstyled{margin-left:0;list-style:none;}
+dl{margin-bottom:18px;}
+dt,dd{line-height:18px;}
+dt{font-weight:bold;line-height:17px;}
+dd{margin-left:9px;}
+.dl-horizontal dt{float:left;clear:left;width:120px;text-align:right;}
+.dl-horizontal dd{margin-left:130px;}
+hr{margin:18px 0;border:0;border-top:1px solid #eeeeee;border-bottom:1px solid #ffffff;}
+strong{font-weight:bold;}
+em{font-style:italic;}
+.muted{color:#999999;}
+abbr[title]{border-bottom:1px dotted #ddd;cursor:help;}
+abbr.initialism{font-size:90%;text-transform:uppercase;}
+blockquote{padding:0 0 0 15px;margin:0 0 18px;border-left:5px solid #eeeeee;}blockquote p{margin-bottom:0;font-size:16px;font-weight:300;line-height:22.5px;}
+blockquote small{display:block;line-height:18px;color:#999999;}blockquote small:before{content:'\2014 \00A0';}
+blockquote.pull-right{float:right;padding-left:0;padding-right:15px;border-left:0;border-right:5px solid #eeeeee;}blockquote.pull-right p,blockquote.pull-right small{text-align:right;}
+q:before,q:after,blockquote:before,blockquote:after{content:"";}
+address{display:block;margin-bottom:18px;line-height:18px;font-style:normal;}
+small{font-size:100%;}
+cite{font-style:normal;}
+.hero-unit{padding:60px;margin-bottom:30px;background-color:#eeeeee;-webkit-border-radius:6px;-moz-border-radius:6px;border-radius:6px;}.hero-unit h1{margin-bottom:0;font-size:60px;line-height:1;color:inherit;letter-spacing:-1px;}
+.hero-unit p{font-size:18px;font-weight:200;line-height:27px;color:inherit;}

data/app/assets/browserid/provision.html.erb

@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+<script type="text/javascript" src="https://<%= @env[:browserid_url] %>/provisioning_api.js"></script>
+<script type="text/javascript" src="http://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
+<script type="text/javascript">
+  // an alias
+  var fail = navigator.id.raiseProvisioningFailure;
+
+  // begin provisioning!  This both gives us indicated to browserid that we're
+  // a well formed provisioning page and gives us the parameters of the provisioning
+  navigator.id.beginProvisioning(function(email, cert_duration) {
+    // now we have the email address that wishes to be provisioned!
+    // is he authenticated to underpin.no?
+    $.get('<%= @env[:whoami_path] %>')
+      .success(function(r) {
+        email = email.replace('@<%= @env[:server_name] %>', '').toLowerCase();
+        if (email != r.user) {
+          return fail('user is not authenticated as target user');
+        }
+
+        // Awesome!  The user is authenticated as who we want to provision.  let's
+        // generate a keypair
+        navigator.id.genKeyPair(function(pubkey) {
+          // finally, once we have a public key from the browser, we'll certify it, and
+          // go pass it back
+          $.ajax({
+            url: '<%= @env[:certify_path] %>',
+            data: JSON.stringify({
+              pubkey: pubkey,
+              duration: cert_duration
+            }),
+            type: 'POST',
+            headers: { "Content-Type": 'application/json' },
+            dataType: 'json',
+            success: function(r) {
+              // all done!  woo!
+              navigator.id.registerCertificate(r.cert);
+            },
+            error: function(r) {
+              fail("couldn't certify key");
+            }
+          });
+        });
+      })
+      .error(function() {
+        fail('user is not authenticated');
+      });
+  });
+</script>
+</head>
+</html>

data/browserid-provider.gemspec

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "browserid-provider/version"
+
+Gem::Specification.new do |s|
+  s.name        = "browserid-provider"
+  s.version     = BrowserID::VERSION
+  s.authors     = ["ringe"]
+  s.email       = ["runar@rin.no"]
+  s.homepage    = "https://github.com/ringe/browserid-provider"
+  s.summary     = %q{Rack-based Mozilla BrowserID Provider}
+  s.description = %q{With the BrowserID provider you enable your users to authenticate themselves across the web using a single authority.}
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency "json-jwt"
+  s.add_development_dependency "rack-test"
+  s.add_development_dependency "mocha"
+  s.add_development_dependency "warden"
+end

data/lib/browserid-provider/config.rb

@@ -0,0 +1,76 @@
+module BrowserID
+  #
+  # authentication_path       Where to redirect users for login
+  #                           defaults to: "/users/sign_in" (Devise default)
+  #
+  # provision_path            What HTTP path to deliver provisioning from
+  #                           defaults to: "/browserid/provision"
+  # certify_path              What HTTP path to deliver certifying from
+  #                           defaults to: "/browserid/certify"
+  # whoami_path               What HTTP path to serve user credentials at
+  #                           defaults to: "/browserid/whoami"
+  #
+  # whoami                    What function to call for the current user object (must respond to :email method)
+  #                           defaults to: "@env['warden'].user"
+  #
+  # private_key_path          Where is the BrowserID OpenSSL private key located
+  #                           defaults to: "config/browserid_provider.pem"
+  #
+  # The "/.well-known/browserid" path is required from the BrowserID spec and used here.
+  #
+  # browserid_url             Which BrowserID server to use, ca be one of the following:
+  #                           * dev.diresworb.org for development (default)
+  #                           * diresworb.org     for beta
+  #                           * browserid.org     for production
+  #
+  # server_name               The domain name we are providing BrowserID for (default to example.org)
+  #
+  class Config < Hash
+    # Creates an accessor that simply sets and reads a key in the hash:
+    #
+    #   class Config < Hash
+    #     hash_accessor :login_path
+    #   end
+    #
+    #   config = Config.new
+    #   config.login_path = "/users/sign_in"
+    #   config[:login_path] #=> "/users/sign_in"
+    #
+    #   config[:login_path] = "/login"
+    #   config.login_path #=> "/login"
+    #
+    # Thanks to Warden. :)
+    def self.hash_accessor(*names) #:nodoc:
+      names.each do |name|
+        class_eval <<-METHOD, __FILE__, __LINE__ + 1
+          def #{name}
+            self[:#{name}]
+          end
+
+          def #{name}=(value)
+            self[:#{name}] = value
+          end
+        METHOD
+      end
+    end
+
+    hash_accessor :login_path, :provision_path, :whoami, :whoami_path, :certify_path, :private_key_path, :browserid_url, :server_name
+
+    def initialize(other={})
+      merge!(other)
+      self[:login_path]       ||= "/users/sign_in"
+      self[:provision_path]   ||= "/browserid/provision"
+      self[:certify_path]     ||= "/browserid/certify"
+      self[:whoami_path]      ||= "/browserid/whoami"
+      self[:whoami]           ||= "@env['warden'].user"
+      self[:private_key_path] ||= "config/browserid_provider.pem"
+      self[:browserid_url]    ||= "dev.diresworb.org"
+      self[:server_name]      ||= "example.org"
+    end
+
+    def urls
+      [ self[:provision_path], self[:certify_path], self[:whoami_path], "/.well-known/browserid" ]
+    end
+
+  end
+end

data/lib/browserid-provider/engine.rb

@@ -0,0 +1,6 @@
+module BrowserID
+  module Rails
+    class Engine < ::Rails::Engine
+    end
+  end
+end

data/lib/browserid-provider/identity.rb

@@ -0,0 +1,44 @@
+require "openssl"
+require "json/jwt"
+
+module BrowserID
+  class Identity
+    attr_accessor :config
+
+    # == Options ==
+    # :key_path     where to store the OpenSSL private key
+    def initialize(options = {})
+      @config = BrowserID::Config.new(options)
+
+      keypath = @config.private_key_path
+
+      if File.exists?(keypath)
+        File.open(keypath) {|f| @privkey = OpenSSL::PKey::RSA.new(f.read) }
+        @pubkey = @privkey.public_key
+      else
+        require 'fileutils'
+        FileUtils.mkdir_p keypath.sub(File.basename(keypath),'')
+        @privkey = OpenSSL::PKey::RSA.new(2048)
+        @pubkey = @privkey.public_key
+        File.open(keypath, "w") {|f| f.write(@privkey) }
+      end
+    end
+
+    def public_key
+      @pubkey
+    end
+
+    def private_key
+      @privkey
+    end
+
+    # Return BrowserID Identity JSON
+    def to_json
+      {
+        "public-key" => { "algorithm"=> "RS", "n" => public_key.n.to_s, "e" => public_key.e.to_s },
+        "authentication" => @config.login_path,
+        "provisioning" => @config.provision_path
+      }.to_json
+    end
+  end
+end

data/lib/browserid-provider/provider.rb

@@ -0,0 +1,111 @@
+module BrowserID
+  # The BrowserID Provider Rack App
+  #
+  # Default paths are:
+  #   GET  /users/sign_in
+  #   GET  /browserid/provision
+  #   GET  /browserid/whoami
+  #   POST /browserid/certify
+  class Provider
+    attr_accessor :config, :env, :req, :identity
+
+    def initialize(app = nil, options = {})
+      @app, @config = app, BrowserID::Config.new(options)
+      @identity = BrowserID::Identity.new
+    end
+
+    # Rack enabled!
+    def call(env)
+      @env, @path = env, env["PATH_INFO"], @req = Rack::Request.new(env)
+      env['browserid'] = @config
+
+      # Return Not found or send call back to middleware stack unless the URL is captured here
+      return (@app ? @app.call(env) : not_found) unless @config.urls.include? @path
+
+      case @path
+        when "/.well-known/browserid"
+          @req.get? ? well_known_browserid : not_found
+        when config.whoami_path
+          @req.get? ? whoami : not_found
+        when config.provision_path
+          @req.get? ? provision : not_found
+        when config.certify_path
+          @req.post? ? certify : not_found
+        else not_found
+      end
+    end
+
+    private
+    def well_known_browserid
+      [ 200, {"Content-Type" => "application/json"}, [@identity.to_json] ]
+    end
+
+    def whoami
+      email = current_user_email
+      [ 200, {"Content-Type" => "application/json"}, [{ user: email ? email.sub(/@.*/,'') : nil }.to_json] ]
+    end
+
+    #
+    # The certify function will be called by BrowserID with a public key and duration as parameters. The
+    # request is a POST with JSON data that looks like this:
+    #
+    #   {
+    #     "pubkey" :
+    #       {
+    #         "algorithm":"DS",
+    #         "y":"62b0ea6936a7ab30c95d8ffbbc77438a342faed99b6fc643a58f28d9ed2017177354f9f1d1d7e6b9e1c543780c3517953a124e66bc409fcaaa671d87a39cf897b32f47aaaffb7a3d297b89f9e116870a2182e2b2f84d68a7bc21a3f7934727e45e50a083e71a965d0cc320062598e407463f0c31cc2c20ed74d9bda98b21c902",
+    #         "p":"ff600483db6abfc5b45eab78594b3533d550d9f1bf2a992a7a8daa6dc34f8045ad4e6e0c429d334eeeaaefd7e23d4810be00e4cc1492cba325ba81ff2d5a5b305a8d17eb3bf4a06a349d392e00d329744a5179380344e82a18c47933438f891e22aeef812d69c8f75e326cb70ea000c3f776dfdbd604638c2ef717fc26d02e17",
+    #         "q":"e21e04f911d1ed7991008ecaab3bf775984309c3",
+    #         "g":"c52a4a0ff3b7e61fdf1867ce84138369a6154f4afa92966e3c827e25cfa6cf508b90e5de419e1337e07a2e9e2a3cd5dea704d175f8ebf6af397d69e110b96afb17c7a03259329e4829b0d03bbc7896b15b4ade53e130858cc34d96269aa89041f409136c7242a38895c9d5bccad4f389af1d7a4bd1398bd072dffa896233397a"
+    #       },
+    #     "duration":3600
+    #   }
+    #
+    # We're going to certify that public key for the currently logged in user.
+    #
+    def certify
+      email = current_user_email
+      return err "No user is logged in." unless email
+
+      # Get params from Rails' ActionDispatch or from Rack Request
+      params = env["action_dispatch.request.request_parameters"] ? env["action_dispatch.request.request_parameters"] : @req.params
+      return err "Missing a required parameter (duration, pubkey)" if params.keys.sort != ["duration", "pubkey"]
+
+      expiration = (Time.now.strftime("%s").to_i + params["duration"].to_i) * 1000
+      issue = { "iss" => @config.server_name,
+        "exp" => expiration,
+        "public-key" => params["pubkey"],
+        "principal" => { "email"=> email }
+      }
+      jwt = JSON::JWT.new(issue)
+      jws = jwt.sign(@identity.private_key, :RS256)
+
+      return [ 200, {"Content-Type" => "application/json"}, [{ "cert" => jws.to_s }.to_json] ]
+    end
+
+    # Something went wrong.
+    def err(message)
+      [ 403, {"Content-Type" => "text/plain"}, [message] ]
+    end
+
+    # Return the provision iframe content.
+    def provision
+      [200, {"Content-Type" => "text/html"}, BrowserID::Template.render("provision", @config)]
+    end
+
+    # This middleware doesn't find what you are looking for.
+    def not_found
+      [404, {"Content-Type" => "text/html"}, BrowserID::Template.render("404", @env)]
+    end
+
+    # Return the email of the user logged in currently, or nil
+    def current_user_email
+      begin
+        current_user = eval config.whoami
+        current_user ? current_user.email : nil
+      rescue NoMethodError
+        raise NoMethodError, "The function provided in BrowserID::Config.whoami doesn't exist."
+      end
+    end
+  end
+end

data/lib/browserid-provider/railtie.rb

@@ -0,0 +1,8 @@
+require 'browserid-provider/view_helpers'
+module BrowserId
+  class Railtie < Rails::Railtie
+    initializer "browser_id.view_helpers" do
+      ActionView::Base.send :include, ViewHelpers
+    end
+  end
+end

data/lib/browserid-provider/template.rb

@@ -0,0 +1,24 @@
+require 'erb'
+module BrowserID
+  class Template
+    PATH = File.expand_path(File.join(File.dirname(__FILE__), "../..", "app", "assets", "browserid"))
+
+    def initialize(env)
+      @env = env
+    end
+
+    def get_binding
+      binding
+    end
+
+    def self.render(template, env)
+      rhtml = ERB.new File.read(PATH + "/" + template + ".html.erb")
+      view = BrowserID::Template.new(env)
+      [rhtml.result(view.get_binding)]
+    end
+
+    def self.css_styles
+      File.read(PATH + "/bootstrap.css")
+    end
+  end
+end

data/lib/browserid-provider/version.rb

@@ -0,0 +1,3 @@
+module BrowserID
+  VERSION = "0.4.3"
+end

data/lib/browserid-provider/view_helpers.rb

@@ -0,0 +1,22 @@
+module BrowserId
+  module ViewHelpers
+
+    # BrowserID JavaScript tags:
+    # - The official BrowserID include.js
+    # - The Devise enabled login and assertion reponse
+    def browserid_authentication_tag
+      javascript_include_tag(browserid_authentication_api_js_url)
+    end
+
+    # JavaScript enable BrowserID authentication for the form with the given #id
+    def enable_browserid_javascript_tag(id)
+      raw "<script type='text/javascript'>$('form##{id}').bind('ajax:success', function(data, status, xhr) { navigator.id.completeAuthentication() })</script>"
+    end
+
+    # The URL to the BrowserID official JavaScript
+    def browserid_authentication_api_js_url
+      "https://#{ request.env['browserid'][:browserid_url] }/authentication_api.js"
+    end
+
+  end
+end

data/lib/browserid-provider.rb

@@ -0,0 +1,10 @@
+require "browserid-provider/version"
+require "browserid-provider/config"
+require "browserid-provider/identity"
+require "browserid-provider/provider"
+require "browserid-provider/template"
+
+if defined?(Rails)
+  require "browserid-provider/engine"
+  require "browserid-provider/railtie"
+end

data/test/browserid-provider.rb

@@ -0,0 +1,81 @@
+require "test/unit"
+require "json"
+require "rack"
+require "rack/test"
+require "mocha"
+require "browserid-provider"
+require "ruby-debug"
+require "warden"
+
+class MyTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+  include Warden::Test::Helpers
+  attr_accessor :thisapp
+
+  def app
+    @thisapp = Rack::Builder.new do
+      use Rack::CommonLogger
+      use Rack::Session::Cookie
+      use Warden::Manager do |manager|
+        manager.default_strategies :basic
+      end
+
+      run BrowserID::Provider.new
+    end
+  end
+
+  def test_get_root
+    get "/"
+    assert last_response.status == 404, "BrowserID Provider should not respond to root"
+  end
+
+  def test_get_well_known_browserid
+    get "/.well-known/browserid"
+
+    assert last_response.ok?
+    assert_json_response
+
+    # Test the JSON output
+    json = JSON.parse(last_response.body)
+    assert json.keys == ["public-key", "authentication", "provisioning"], "Malformed JSON response, see https://eyedee.me/.well-known/browserid for example data"
+    assert json["public-key"].keys == ["algorithm","n","e"], "Invalid public key provided, see https://wiki.mozilla.org/Identity/BrowserID"
+  end
+
+  def test_get_whoami
+    fake_user "mormor@example.org"
+    get "/browserid/whoami"
+    assert last_response.ok?
+    assert_json_response
+    assert last_response.body == '{"user":"mormor"}', "The whoami_path should return JSON with user name only, without domain"
+  end
+
+  def test_get_provision
+    get "/browserid/provision"
+    assert last_response.ok?
+    assert last_response.body.include?("https://dev.diresworb.org/provisioning_api.js"), "The default provisions_api.js must be provided, see https://developer.mozilla.org/en/BrowserID/Primary/Developer_tips"
+  end
+
+  def test_post_certify
+    get "/browserid/certify"
+    assert last_response.status == 404, "Should only allow POST to /browserid/certify"
+
+    fake_user "mormor@example.org"
+    post "/browserid/certify", params = { "duration" => 2500, "pubkey" => "aasdcasd" }
+    assert_json_response
+    assert last_response.body =~ /\{"cert":.*\}/, "The certify_path should return JSON with a signed certificate"
+  end
+
+  private
+  def fake_user(email)
+    Warden.on_next_request do |proxy|
+      u = mock()
+      u.stubs(:email).returns(email).at_least_once
+      proxy.set_user(u)
+    end
+  end
+
+  def assert_json_response
+    assert last_response.content_type == "application/json", "Content type was #{last_response.content_type} but must be application/json"
+  end
+end
+

metadata

@@ -0,0 +1,129 @@
+--- !ruby/object:Gem::Specification
+name: browserid-provider
+version: !ruby/object:Gem::Version
+  version: 0.4.3
+  prerelease: 
+platform: ruby
+authors:
+- ringe
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-04-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: warden
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: With the BrowserID provider you enable your users to authenticate themselves
+  across the web using a single authority.
+email:
+- runar@rin.no
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.md
+- Rakefile
+- app/assets/browserid/404.html.erb
+- app/assets/browserid/bootstrap.css
+- app/assets/browserid/bootstrap.min.css
+- app/assets/browserid/provision.html.erb
+- browserid-provider.gemspec
+- lib/browserid-provider.rb
+- lib/browserid-provider/config.rb
+- lib/browserid-provider/engine.rb
+- lib/browserid-provider/identity.rb
+- lib/browserid-provider/provider.rb
+- lib/browserid-provider/railtie.rb
+- lib/browserid-provider/template.rb
+- lib/browserid-provider/version.rb
+- lib/browserid-provider/view_helpers.rb
+- test/browserid-provider.rb
+homepage: https://github.com/ringe/browserid-provider
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.22
+signing_key: 
+specification_version: 3
+summary: Rack-based Mozilla BrowserID Provider
+test_files: []