Closed Bug 1023296 Opened 11 years ago Closed 11 years ago

Use app:// scheme as audience for verification of assertions coming from the FxOS client

Categories: Hello (Loop) :: Server
Type: defect; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: ferjm; Assigned: alexis+bugs
Whiteboard: [qa-]
Attachments (1 file): 55 bytes, text/x-github-pull-request; rhubscher: review+; ckarlof: feedback-; jaoo: feedback+
FxOS privileged apps are able to set a custom origin in their manifest; however, they are still tied to the app:// scheme. On the other hand, FxAccounts and MobileID assertions have their audience set to the origin of the requester app by default. If the Loop server verifies an assertion coming from the FxOS client with the https URL, it will fail. So we need to make the scheme change in the server if and only if the scheme alone differs from the expected origin.
Assignee: nobody → alexis+bugs
Attached file link to github PR
Attachment #8438292 - Flags: review?(rhubscher)
Attachment #8438292 - Flags: feedback?(josea.olivera)
Attachment #8438292 - Flags: feedback?(ckarlof)
Attachment #8438292 - Flags: review?(rhubscher) → review+
Comment on attachment 8438292 [details] [review] (link to github PR):
Works like a charm. Thanks for adding this.
Attachment #8438292 - Flags: feedback?(josea.olivera) → feedback+
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
Comment on attachment 8438292 [details] [review] (link to github PR):
I'd prefer a different approach to allow app:// audiences for the loop server. At the least, it would be nice if it uses a URL parsing library as opposed to a regex. Even better would be to restructure the code to pass in the specific app:// audience when you know it's being used. Manually parsing the assertion for these purposes is a bit of an anti-pattern and I would avoid it if you could. A bug in this logic could cause you to accept whatever audience is specified by the assertion. https://github.com/mozilla-services/loop-server/pull/99#discussion-diff-13664348
Attachment #8438292 - Flags: feedback?(ckarlof) → feedback-
Thanks for the feedback! See https://github.com/mozilla-services/loop-server/pull/105 for a different approach.
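The review comment above recommends two things: compare audiences with a URL parser rather than a regex, and hand the verifier an explicit list of acceptable audiences instead of rewriting whatever audience the assertion carries. The following is an added example of that shape; it is not code from loop-server or from either pull request. It uses Node's built-in WHATWG `URL` class, and every function name here (`parseOrigin`, `allowedAudiences`, `audienceIsAllowed`, `naiveAudienceMatches`, `verifyAssertionAudience`) and every sample audience value is this example's own construction. The server derives the `https://` and `app://` audiences from its own configured origin, so nothing is trusted from the assertion beyond an exact match.

```javascript
// Added example (not loop-server code): explicit audience allow-listing for
// assertions coming from a web client (https://host) or an FxOS privileged
// app (app://host). `URL` is a Node global; no third-party parser needed.

// Reduce an origin string to the two parts an audience comparison needs:
// scheme and host[:port]. Anything that is not a bare origin yields null.
function parseOrigin(origin) {
  let u;
  try {
    u = new URL(origin);
  } catch (err) {
    return null;
  }
  // "app:" is not a special scheme, so its pathname parses as '' rather than '/'.
  const barePath = u.pathname === '/' || u.pathname === '';
  if (!barePath || u.search !== '' || u.hash !== '' || u.host === '') return null;
  return { protocol: u.protocol, host: u.host };
}

// The server knows its own origin (constructed example: https://loop.example.org).
// From it we build the full set of audiences a verifier may accept; the app://
// form is added only when the caller says the request comes from an FxOS app.
function allowedAudiences(serverOrigin, fxosClient) {
  const o = parseOrigin(serverOrigin);
  if (o === null) throw new Error('server origin must be a bare origin');
  const list = [`${o.protocol}//${o.host}`];
  if (fxosClient) list.push(`app://${o.host}`);
  return list;
}

// Exact comparison: same scheme and same host[:port], nothing else.
function audienceIsAllowed(audience, allowed) {
  const a = parseOrigin(audience);
  if (a === null) return false;
  return allowed.some((candidate) => {
    const c = parseOrigin(candidate);
    return c !== null && c.protocol === a.protocol && c.host === a.host;
  });
}

// For contrast, a constructed example of the regex style the reviewer warned
// against: the pattern is not anchored at the end, so any host that merely
// starts with the expected host name also passes.
function naiveAudienceMatches(audience, expectedHost) {
  const escaped = expectedHost.replace(/\./g, '\\.');
  return new RegExp('^(https|app)://' + escaped).test(audience);
}

// Glue: given an already signature-checked, decoded assertion payload
// (only its `aud` claim is consulted here), decide whether the audience is
// one the server is willing to accept for this kind of client.
function verifyAssertionAudience(decodedPayload, serverOrigin, fxosClient) {
  const allowed = allowedAudiences(serverOrigin, fxosClient);
  return audienceIsAllowed(decodedPayload.aud, allowed);
}

// Constructed sample payloads; these are not real assertions.
const fromFxosApp = { aud: 'app://loop.example.org' };
const fromBrowser = { aud: 'https://loop.example.org' };
const lookalikeHost = { aud: 'https://loop.example.org.lookalike.example' };

function main() {
  const origin = 'https://loop.example.org';
  console.log('fxos app, fxos expected :', verifyAssertionAudience(fromFxosApp, origin, true));   // true
  console.log('fxos app, web expected  :', verifyAssertionAudience(fromFxosApp, origin, false));  // false
  console.log('browser, web expected   :', verifyAssertionAudience(fromBrowser, origin, false));  // true
  console.log('lookalike, strict check :', audienceIsAllowed(lookalikeHost.aud, allowedAudiences(origin, true))); // false
  console.log('lookalike, naive regex  :', naiveAudienceMatches(lookalikeHost.aud, 'loop.example.org'));         // true
}

main();
```

The point of `allowedAudiences` is that the `app://` audience is derived from the server's own configuration and enabled only when the caller already knows an FxOS client is involved; the assertion's `aud` claim is never rewritten, only compared. The `naiveAudienceMatches` function is included only to show why an unanchored regex is the wrong tool for this comparison.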
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Verified in code through unit tests.
Status: RESOLVED → VERIFIED