mozilla / browserid-local-verify
BrowserID library used by the Firefox Accounts verifier
License: Other
Current persona fallback likes to serve a support document without authenticate and provisioning keys. We support this to allow zero-knowledge local verification external to the persona deployment. allowURLOmission is the parameter that implements this.
As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:
If you have any questions about this file, or Code of Conduct policies and procedures, please reach out to [email protected].
(Message COC001)
If a user agent has enough power to generate and use larger DSA keys (e.g. native Persona support in Firefox desktop), then the verifier should honour them.
What needs to happen:
/cc @warner
trustedIssuers
)unverified-email
If an IdP wanted to DoS a verifier, it could for example provide 1000 pubkeys and therefore significantly increase the time it takes a verifier to check the signature on an assertion.
I suggest we defend against these attacks by only looking at the first 10 keys.
We should write an automated test to ensure we don't regress on events emitted, especially the important ones (metrics).
This should be implemented in jwcrypto, and once complete, we should expose and test it in this library.
Should we allow IdPs to serve an HTTP redirect as the support document as long as the whole chain is on HTTPS?
It currently says "nothing to see here, yet" but there are definitely things to see here :-)
@rfk I don't have access to publish https://www.npmjs.com/package/browserid-local-verify
mozilla/persona#78 has seen no attention, at all... This seems like an opportune moment to make sure it works?
When verifying an assertion issued by login.persona.org for an @fmarier.org email address (which has disabled: true in its support document), I get the following error message:
untrusted issuer, expected 'fmarier.org', got 'login.persona.org'
Seeing this in our fxa browserid-verifier package npm audit results today:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ acorn │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=7.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browserid-local-verify │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ browserid-local-verify > browserid-crypto > browserify > │
│ │ module-deps > detective > acorn │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1488 │
└───────────────┴──────────────────────────────────────────────────────────────┘
@lloyd appears to be the only maintainer listed on https://www.npmjs.org/package/browserid-local-verify. Lloyd, can you please add the usual Identity team suspects for ongoing maintenance?
Distinguish between config and arguments. Allow a single library instance to have over-ridden configuration parameters. Verify all required parameters are present.