UNPKG

@quarks/quarks-iam

Version:

A modern authorization server built to authenticate your users and protect your APIs

github.com/anvilresearch/connect

anvilresearch/connect

119 lines (91 loc) 2.83 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
;(function () { var source, origin /** * Initialize browser state */ var re = /\banvil\.connect\.op\.state=([^\s;]*)/ var stateCookie = document.cookie.match(re) var opbs = stateCookie && stateCookie.pop() var localStorage = window.localStorage var EventSource = window.EventSource var CryptoJS = window.CryptoJS localStorage['anvil.connect.op.state'] = opbs /** * Get browser state */ function getOPBrowserState () { return localStorage['anvil.connect.op.state'] } /** * Set browser state */ function setOPBrowserState (event) { var key = 'anvil.connect.op.state' var current = localStorage[key] var update = event.data if (current !== update) { document.cookie = 'anvil.connect.op.state=' + update localStorage['anvil.connect.op.state'] = update } } /** * Server Sent Events */ var updates = new EventSource('/session/events') updates.addEventListener('update', setOPBrowserState, false) /** * Watch localStorage and keep the RP updated */ function pushToRP (event) { if (source) { console.log('updating RP: changed') source.postMessage('changed', origin) } else { console.log('updateRP called but source undefined') } } window.addEventListener('storage', pushToRP, false) /** * Compare session state */ function compareSessionState (rpss, opss) { return (rpss === opss) ? 'unchanged' : 'changed' } /** * Respond to RP postMessage */ function respondToRPMessage (event) { var parser, messenger, clientId, rpss, salt, opbs, input, opss, comparison // Parse message origin origin = event.origin parser = document.createElement('a') parser.href = document.referrer messenger = parser.protocol + '//' + parser.host // Ignore the message if origin doesn't match if (origin !== messenger) { return } // get a reference to the source so we can message it // immediately in response to a change in sessionState source = event.source // Parse the message clientId = event.data.split(' ')[0] rpss = event.data.split(' ')[1] salt = rpss.split('.')[1] // Validate message syntax if (!clientId || !rpss || !salt) { event.source.postMessage('error', origin) } // Get the OP browser state opbs = getOPBrowserState() // Recalculate session state for comparison input = [clientId, origin, opbs, salt].join(' ') opss = [CryptoJS.SHA256(input), salt].join('.') // Compare the RP session state with the OP session state comparison = compareSessionState(rpss, opss) // Compare session state and reply to RP event.source.postMessage(comparison, origin) } window.addEventListener('message', respondToRPMessage, false) })()