add support for client_id as JSON URL as described in indieweb/indiea…

…uth#133
aaronpk · May 23, 2024 · 1d2b897 · 1d2b897
1 parent 270a69d
commit 1d2b897
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 7 deletions.
diff --git a/controllers/auth.rb b/controllers/auth.rb
@@ -1,12 +1,22 @@
 class Controller < Sinatra::Base
 
   def get_client_id
-    SiteConfig.base_url+"/"
+    SiteConfig.base_url+"/id"
   end
 
   def get_redirect_uri
     "#{SiteConfig.base_url}/auth/callback"
   end
+
+  get '/id' do
+    json_response( 200, {
+      client_id: get_client_id,
+      client_name: "webmention.io",
+      client_uri: SiteConfig.base_url,
+      logo_uri: "#{SiteConfig.base_url}/img/webmention-logo-380.png",
+      redirect_uris: [get_redirect_uri],
+    })
+  end
 
   get '/auth/start' do
     session[:state] = SecureRandom.urlsafe_base64 16
@@ -87,14 +97,15 @@ def create_user_and_log_in(signed_in_uri)
     session[:code_verifier] = SecureRandom.urlsafe_base64 30
     base64_str = Digest::SHA256.base64digest(session[:code_verifier])
     code_challenge = base64_str.tr("+/", "-_").tr("=", "")
-    json_response(200, {:code_challenge => code_challenge})
+    json_response(200, {
+      :code_challenge => code_challenge,
+      :client_id => get_client_id
+    })
   end
-  
+
   post '/auth/fedcm-login' do
     puts request.params.inspect
 
-    # TODO: check for Sec-Fetch-Dest header
-
     # Fetch the IndieAuth metadata
     response = HTTParty.get request.params['metadata_endpoint']
     config = response.parsed_response
@@ -124,6 +135,8 @@ def create_user_and_log_in(signed_in_uri)
     if response.parsed_response && response.parsed_response['me']
       signed_in_uri = URI.parse response.parsed_response['me']
 
+      # TODO: if the hostname of the 'me' is the same as the hostname of the token endpoint, skip the next validation
+
       # Fetch the user's profile URL and look for this FedCM configURL
       # to confirm that this FedCM server is allowed to make claims about this user
       rels = XRay.rels signed_in_uri.to_s

diff --git a/public/js/fedcm.js b/public/js/fedcm.js
@@ -11,14 +11,14 @@ async function signIn() {
         providers: [
           {
             configURL: "any",
-            clientId: window.location.origin+"/",
+            clientId: loginChallenge.client_id,
             nonce: loginChallenge.code_challenge, // this is probably going away https://github.com/fedidcg/FedCM/issues/556
           },
         ],
         // mode: "button"
       },
     }).catch(e => {
-      console.log("Error", e.message);
+      console.log("Error", e);
 
       document.getElementById("error-message").classList.remove("hidden");
       document.getElementById("error-message").innerText = "FedCM error: "+e.message;