session state calculation

Author: christiansmith

.bowerrc

@@ -0,0 +1,3 @@
+{
+  "directory": "public/vendor"
+}

.gitignore

@@ -1,4 +1,5 @@
 config
 hooks
 node_modules
+public/vendor
 *.swp

bower.json

@@ -0,0 +1,20 @@
+{
+  "name": "anvil-connect",
+  "version": "0.1.28",
+  "homepage": "https://github.com/christiansmith/anvil-connect",
+  "authors": [
+    "Christian Smith <smith@anvil.io>"
+  ],
+  "license": "MIT",
+  "private": true,
+  "ignore": [
+    "**/.*",
+    "node_modules",
+    "bower_components",
+    "test",
+    "tests"
+  ],
+  "dependencies": {
+    "bcryptjs": "~2.1.0"
+  }
+}

oidc/authorize.js

@@ -10,6 +10,7 @@ var crypto            = require('crypto')
   , AccessToken       = require('../models/AccessToken')
   , AuthorizationCode = require('../models/AuthorizationCode')
   , nowSeconds        = require('../lib/time-utils').nowSeconds
+  , sessionState      = require('../oidc/sessionState')
   ;
 
 
@@ -110,6 +111,14 @@ function authorize (req, res, next) {
           response.state = params.state;
         }
 
+        // if responseTypes includes id_token or token
+        // calculate session_state and add to response
+        if (responseTypes.indexOf('id_token') !== -1
+         || responseTypes.indexOf('token') !== -1) {
+          var session= sessionState(req.client, req.client.client_uri, 'authenticated');
+          response.session_state = session;
+        }
+
         res.redirect(
           params.redirect_uri + responseMode + qs.stringify(response)
         );

oidc/index.js

@@ -22,6 +22,7 @@ var oidc = {
   promptToAuthorize:            require('./promptToAuthorize'),
   requireSignin:                require('./requireSignin'),
   selectConnectParams:          require('./selectConnectParams'),
+  sessionState:                 require('./sessionState'),
   stashParams:                  require('./stashParams'),
   token:                        require('./token'),
   unstashParams:                require('./unstashParams'),

oidc/sessionState.js

@@ -0,0 +1,24 @@
+/**
+ * Module dependencies
+ */
+
+var bcrypt = require('bcrypt');
+
+
+/**
+ * Session State
+ */
+
+function sessionState (client, origin, state) {
+  var salt  = bcrypt.genSaltSync(10);
+  var value = [client._id, client.client_uri, state, salt].join(' ');
+  var hash  = bcrypt.hashSync(value, salt);
+  return [hash, salt].join(' ');
+}
+
+
+/**
+ * Exports
+ */
+
+module.exports = sessionState;

public/javascript/session.js

@@ -1,31 +1,57 @@
-window.addEventListener("message", receiveMessage, false);
+/**
+ * bcrypt
+ */
+
+var bcrypt = dcodeIO.bcrypt;
+
+
+/**
+ * Handle RP Message
+ */
 
-function receiveMessage(e){ // e has client_id and session_state
+function receiveMessage (e) {
 
   // Validate message origin
-  client_id = e.data.split(' ')[0];
-  session_state = e.data.split(' ')[1];
-  var salt = session_state.split('.')[1];
+  var origin = e.origin;
+  var parser = document.createElement('a');
+  parser.href = document.referrer;
+  messenger = parser.protocol + '//' + parser.host;
+  if (origin !== messenger) {
+    return; // Ignore the message
+  }
+
+  // Validate message syntax
+  var parts         = e.data.split(' ');
+  var client_id     = parts[0];
+  var session_state = parts[1];
+  var salt          = parts[2];
 
-  // if message syntactically invalid
-  //     postMessage('error', e.origin) and return
+  if (parts.length !== 3) {
+    e.source.postMessage('error', origin);
+  }
 
   // get_op_browser_state() is an OP defined function
   // that returns the browser's login status at the OP.
   // How it is done is entirely up to the OP.
-  var opbs = get_op_browser_state();
+  //var opbs = get_op_browser_state();
+  var opbs = 'authenticated';
 
   // Here, the session_state is calculated in this particular way,
   // but it is entirely up to the OP how to do it under the
   // requirements defined in this specification.
-  var ss = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' +
-    opbs + [' ' + salt]) [+ "." + salt];
+  //var ss = CryptoJS.SHA256(client_id + ' ' + e.origin + ' ' +
+  //  opbs + [' ' + salt]) [+ "." + salt];
+  var value = [client_id, origin, opbs, salt].join(' ')
+  var hash = bcrypt.hashSync(value, salt);
 
-  if (e.session_state == ss) {
-    stat = 'unchanged';
-  } else {
-    stat = 'changed';
-  }
-
-  e.source.postMessage(stat, e.origin);
+  e.source.postMessage(
+    (hash === session_state) ? 'unchanged' : 'changed' , origin
+  );
 };
+
+
+/**
+ * Register Listener
+ */
+
+window.addEventListener("message", receiveMessage, false);

views/session.jade

@@ -3,6 +3,7 @@ html(lang="en")
     title
       | Session
 
+    script(src="/vendor/bcryptjs/dist/bcrypt.js")
     script(src="/javascript/session.js")
   body
     h1 Session