@jsmolina
Created June 21, 2012 12:14
BrowserId bug number: 1605790
Welcome to BrowserId.
This module provides a 'Login' button inside the login form and a configurable block.
It also defines a permission called 'log in using browserid', which needs to be enabled for the anonymous role in order to show the Login buttons.
231,260d230
< * Return current site url
< * User could override it inside $conf['browserid_audience'] on settings.php
< * for best security
< *
< * @return string
< */
< function _browserid_get_audience() {
< $audience = variable_get('browserid_audience', null);
< if(!empty($audience)) {
< return $audience;
< }
<
< $proto = 'http';
<
< if(!empty($_SERVER['HTTPS']) ||
< ((isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')) {
< $proto = 'https';
< }
<
< $audience = $proto . '://' . $_SERVER['SERVER_NAME'];
<
< $std_ports = array('80', '443');
< if(!in_array($_SERVER['SERVER_PORT'], $std_ports)) {
< $audience .= ':' . $_SERVER['SERVER_PORT'];
< }
<
< return $audience;
< }
<
< /**
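Review bot: in `_browserid_get_audience()`, the `HTTP_X_FORWARDED_PROTO` branch trusts a request header that any client can send, so whenever `browserid_audience` is not configured the scheme of the audience is influenced by the request itself. Honor that header only when the request arrives from a known reverse proxy, or require `$conf['browserid_audience']` and fail closed when it is empty. The port check also treats both 80 and 443 as standard for either scheme, so https on port 80 or http on port 443 produces an audience without its port; compare the port against the default for the detected scheme instead.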
264d233
< global $base_root;
266,269c235,238
< !isset($_REQUEST['assertion']) ||
< !isset($_REQUEST['token']) ||
< $_REQUEST['token'] != browserid_get_token('browserid-login-csrf')
< ) {
---
> !isset($_REQUEST['assertion']) ||
> !isset($_REQUEST['token']) ||
> $_REQUEST['token'] != browserid_get_token('browserid-login-csrf')
> ) {
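Review bot: the token check `$_REQUEST['token'] != browserid_get_token('browserid-login-csrf')` uses loose comparison, which in PHP can treat two different numeric-looking strings as equal; confirm the value is a string and compare with `!==`. Reading `assertion` and `token` from `$_REQUEST` may also accept them from the query string or cookies, so `$_POST` is the narrower source if the login is always submitted by POST.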
272,273c241,242
< // The audience (hostname+port) should also be in $_SERVER['HTTP_HOST'] but that is not safe.
< $audience = _browserid_get_audience();
---
> // The audience (hostname+port) should also be in $_SERVER['HTTP_HOST'] but that is not safe.
> $audience = $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'];
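Review bot: the `>` side builds the audience as `$_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT']`, with no scheme and no administrator override, even though the comment directly above it notes that `HTTP_HOST` is not safe. `SERVER_NAME` can also follow the request's Host header depending on web server configuration, so the audience should come from a configured value (the `<` side reads `browserid_audience`) rather than from request-derived server variables alone.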
275c244,245
< 'https://browserid.org/verify', array(
---
> 'https://browserid.org/verify',
> array(
278,279c248
< 'headers' => array('Content-Type' => 'application/x-www-form-urlencoded')
< )
---
> )
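Review bot: the `>` side drops `'headers' => array('Content-Type' => 'application/x-www-form-urlencoded')` from the verifier request options. If the body is sent form-encoded, keep the header explicit so the verifier parses `assertion` and `audience` the way this code expects; otherwise add a comment saying why it is not needed.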
283,303c252,271
< if ($data !== NULL && $data->status === 'okay') {
< $account = user_load_by_mail($data->email);
< if (!empty($account) && !empty($account->uid)) {
< $form_state = array('uid' => $account->uid);
< user_login_submit(array(), $form_state);
< return array(
< 'code' => BROWSERID_LOGIN,
< 'account' => $account,
< 'assertion' => $_REQUEST['assertion'],
< 'audience' => $audience,
< 'token' => $_REQUEST['token'], // no need to regenerate it, we've already checked it's safe
< );
< } else {
< return array(
< 'code' => BROWSERID_REGISTER,
< 'email' => $data->email,
< 'assertion' => $_REQUEST['assertion'],
< 'audience' => $audience,
< 'token' => $_REQUEST['token'], // no need to regenerate it, we've already checked it's safe
< );
< }
---
> $account = user_load_by_mail($data->email);
> if (!empty($account) && !empty($account->uid)) {
> $form_state = array('uid' => $account->uid);
> user_login_submit(array(), $form_state);
> return array(
> 'code' => BROWSERID_LOGIN,
> 'account' => $account,
> 'assertion' => $_REQUEST['assertion'],
> 'audience' => $audience,
> 'token' => $_REQUEST['token'], // no need to regenerate it, we've already checked it's safe
> );
> }
> else {
> return array(
> 'code' => BROWSERID_REGISTER,
> 'email' => $data->email,
> 'assertion' => $_REQUEST['assertion'],
> 'audience' => $audience,
> 'token' => $_REQUEST['token'], // no need to regenerate it, we've already checked it's safe
> );
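Review bot: on the `>` side, `user_load_by_mail($data->email)` and `user_login_submit()` run with no `$data !== NULL && $data->status === 'okay'` guard visible in this hunk, whereas the `<` side wraps them in exactly that check. A failed or unparseable verifier response must never reach the login or register branch, so keep the strict status check directly around this block. Both return arrays also hand the raw `assertion` and `token` back to the caller; return them only if a caller actually needs them.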
306,311d273
< watchdog(
< 'browserid',
< 'There was an error on request to verifier: {%response}',
< array('%response' => print_r($response, 1)),
< WATCHDOG_ERROR
< );
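Review bot: `print_r($response, 1)` in the `watchdog()` call writes the whole verifier response object into the log, which can include the response body and headers; log only the status code and the fields needed to diagnose the failure. The `>` side has no log entry for a failed verifier request at all, so failures there are invisible to whoever monitors the site; keep an error-level entry with the reduced payload. The message string `{%response}` also wraps the placeholder in braces, which will appear literally in the log.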