diff options
author | Azul <azul@riseup.net> | 2013-03-20 12:51:56 +0100 |
---|---|---|
committer | Azul <azul@riseup.net> | 2013-03-20 12:51:56 +0100 |
commit | 3328b20621265b0c50ed395ea890b267ab89109b (patch) | |
tree | 5afee96076bd922653231af818e98d5147457dff | |
parent | 527eb51ad4b943bde7e2ba411f5772611a80463c (diff) | |
parent | d29d1146865d36e9d9789d3936e7a9163511be0a (diff) |
Merge branch 'release/0.3.0'
-rw-r--r-- | Version | 1 | ||||
-rw-r--r-- | spec/helper.js | 4 | ||||
-rw-r--r-- | spec/login_spec.js | 55 | ||||
-rw-r--r-- | spec/session_spec.js | 1 | ||||
-rw-r--r-- | spec/signup_spec.js | 34 | ||||
-rw-r--r-- | src/jqueryRest.js | 127 | ||||
-rw-r--r-- | src/srp.js | 86 | ||||
-rw-r--r-- | src/srp_session.js | 38 |
8 files changed, 189 insertions, 157 deletions
@@ -0,0 +1 @@ +0.3.0 diff --git a/spec/helper.js b/spec/helper.js index 11327af..8bae2c6 100644 --- a/spec/helper.js +++ b/spec/helper.js @@ -30,11 +30,11 @@ var specHelper = (function() { request.respond(200, header, body); } - function respondJSON(object) { + function respondJSON(object, responseCode) { var request = this.requests.pop(); header = { "Content-Type": "application/json;charset=utf-8" }; body = JSON.stringify(object); - request.respond(200, header, body); + request.respond(responseCode || 200, header, body); } return { diff --git a/spec/login_spec.js b/spec/login_spec.js index 4df62a8..e806cff 100644 --- a/spec/login_spec.js +++ b/spec/login_spec.js @@ -1,9 +1,4 @@ -describe("Login", function() { - - it("has an identify function", function() { - var srp = new SRP(jqueryRest()); - expect(typeof srp.identify).toBe('function'); - }); +describe("Login with srp var", function() { describe("(Compatibility with py-srp)", function (){ // these need to be the same as in the spec runner: @@ -24,11 +19,9 @@ describe("Login", function() { beforeEach(function() { - this.srp = new SRP(jqueryRest()); - specHelper.setupFakeXHR.apply(this); - A_ = this.srp.session.calculateAndSetA(a) + A_ = srp.session.calculateAndSetA(a) }); afterEach(function() { @@ -40,37 +33,51 @@ describe("Login", function() { }); it("calculates the same verifier", function(){ - expect(this.srp.session.getV().toString(16)).toBe(V); + expect(srp.session.getV().toString(16)).toBe(V); }); it("calculates the same key", function(){ - this.srp.session.calculations(salt, B); - expect(this.srp.session.key()).toBe(K); + srp.session.calculations(salt, B); + expect(srp.session.key()).toBe(K); }); - it("works with JSON responses", function(){ - var success = sinon.spy(); - this.srp.identify(success); + it("authenticates successfully", function(){ + srp.loggedIn = sinon.spy(); + srp.login(); - this.expectRequest('sessions.json', 'login=' +login+ '&A=' +A, 'POST'); + this.expectRequest('/sessions.json', 'login=' +login+ '&A=' +A, 'POST'); this.respondJSON({salt: salt, B: B}); - this.expectRequest('sessions/'+login+'.json', 'client_auth='+M, 'PUT'); + this.expectRequest('/sessions/'+login+'.json', 'client_auth='+M, 'PUT'); this.respondJSON({M2: M2}); - expect(success).toHaveBeenCalled(); + expect(srp.loggedIn).toHaveBeenCalled(); + }); + + it("reports errors during handshake", function(){ + srp.error = sinon.spy(); + var error = {login: "something went wrong on the server side"}; + srp.login(); + + this.expectRequest('/sessions.json', 'login=' +login+ '&A=' +A, 'POST'); + this.respondJSON(error, 422); + //this.expectNoMoreRequests(); + + expect(srp.error).toHaveBeenCalled; + var args = srp.error.args[0]; + expect(args[0]).toEqual(error); }); it("rejects B = 0", function(){ - var success = sinon.spy(); - var error = sinon.spy(); - this.srp.identify(success, error); + srp.loggedIn = sinon.spy(); + srp.error = sinon.spy(); + srp.login(); - this.expectRequest('sessions.json', 'login=' +login+ '&A=' +A, 'POST'); + this.expectRequest('/sessions.json', 'login=' +login+ '&A=' +A, 'POST'); this.respondJSON({salt: salt, B: 0}); // aborting if B=0 expect(this.requests).toEqual([]); - expect(error).toHaveBeenCalled(); - expect(success).not.toHaveBeenCalled(); + expect(srp.error).toHaveBeenCalledWith("Server send random number 0 - could not login."); + expect(srp.loggedIn).not.toHaveBeenCalled(); }); }); diff --git a/spec/session_spec.js b/spec/session_spec.js index b7f16f0..643a717 100644 --- a/spec/session_spec.js +++ b/spec/session_spec.js @@ -15,7 +15,6 @@ describe("Session", function() { var session; beforeEach(function() { - var srp = new SRP(jqueryRest()); session = new srp.Session(compare.username, compare.password); }); diff --git a/spec/signup_spec.js b/spec/signup_spec.js index e4d70df..72689b1 100644 --- a/spec/signup_spec.js +++ b/spec/signup_spec.js @@ -1,32 +1,34 @@ -describe("Signup", function() { +describe("Loading SRP", function() { + it("provides a signup function", function() { + expect(typeof srp.signup).toBe('function'); + }); + it("provides session which calculates the right x", function(){ + srp.session = new srp.Session(); + expect(srp.session.calcX("7686acb8").toString(16)).toBe('84d6bb567ddf584b1d8c8728289644d45dbfbb02deedd05c0f64db96740f0398'); + }); +}); + +describe("Signup with srp var", function() { + beforeEach(function() { - this.srp = new SRP(jqueryRest()); specHelper.setupFakeXHR.apply(this); + srp.session = new srp.Session(); }); afterEach(function() { this.xhr.restore(); }); - - it("has a register function", function() { - expect(typeof this.srp.register).toBe('function'); - }); - - it("calculates the right x", function(){ - expect(this.srp.session.calcX("7686acb8").toString(16)).toBe('84d6bb567ddf584b1d8c8728289644d45dbfbb02deedd05c0f64db96740f0398'); - }); - + it("identifies after successful registration (INTEGRATION)", function(){ var callback = sinon.spy(); - this.srp.identify = callback; - this.srp.session.getSalt = function() {return "4c78c3f8"}; - this.srp.register(); - this.expectRequest('users.json', "user[login]=testuser&user[password_salt]=4c78c3f8&user[password_verifier]=474c26aa42d11f20544a00f7bf9711c4b5cf7aab95ed448df82b95521b96668e7480b16efce81c861870302560ddf6604c67df54f1d04b99d5bb9d0f02c6051ada5dc9d594f0d4314e12f876cfca3dcd99fc9c98c2e6a5e04298b11061fb8549a22cde0564e91514080df79bca1c38c682214d65d590f66b3719f954b078b83c", 'POST') + srp.signedUp = callback; + srp.session.getSalt = function() {return "4c78c3f8"}; + srp.signup(); + this.expectRequest('/users.json', "user[login]=testuser&user[password_salt]=4c78c3f8&user[password_verifier]=474c26aa42d11f20544a00f7bf9711c4b5cf7aab95ed448df82b95521b96668e7480b16efce81c861870302560ddf6604c67df54f1d04b99d5bb9d0f02c6051ada5dc9d594f0d4314e12f876cfca3dcd99fc9c98c2e6a5e04298b11061fb8549a22cde0564e91514080df79bca1c38c682214d65d590f66b3719f954b078b83c", 'POST') this.respondJSON({password_salt: "4c78c3f8", login: "testuser", ok: "true"}); expect(callback).toHaveBeenCalled(); }); }); - diff --git a/src/jqueryRest.js b/src/jqueryRest.js index 54a0908..bfa4592 100644 --- a/src/jqueryRest.js +++ b/src/jqueryRest.js @@ -1,38 +1,101 @@ -jqueryRest = function() { +srp.remote = (function(){ + var jqueryRest = (function() { - // we do not fetch the salt from the server - function register(session, callback) - { - sendVerifier(session, callback); - } + // TODO: Do we need to differentiate between PUT and POST? + function register(session) { + return $.post("/users.json", {user: session.signup() }); + } - function sendVerifier(session, callback) { - var salt = session.getSalt(); - $.post("users.json", { user: - { login: session.getI(), - password_salt: salt, - password_verifier: session.getV(salt).toString(16)} - }, callback); - } + function update(url, session) { + return $.ajax({ + url: url, + type: 'PUT', + data: {user: session.signup() } + }); + } - function handshake(session, callback) { - $.post("sessions.json", { login: session.getI(), - A: session.getAstr()}, callback); - } + function handshake(session) { + return $.post("/sessions.json", session.handshake()); + } - function authenticate(session, success) { - $.ajax({ - url: "sessions/" + session.getI() + ".json", - type: 'PUT', - data: {client_auth: session.getM()}, - success: success - }); - } + function authenticate(session) { + return $.ajax({ + url: "/sessions/" + session.getI() + ".json", + type: 'PUT', + data: {client_auth: session.getM()} + }); + } - return { - register: register, - register_send_verifier: sendVerifier, - handshake: handshake, - authenticate: authenticate + return { + register: register, + update: update, + handshake: handshake, + authenticate: authenticate + }; + }()); + + + function signup(){ + jqueryRest.register(srp.session) + .done(srp.signedUp) + .fail(error) + }; + + function update(submitEvent){ + var form = submitEvent.target; + jqueryRest.update(form.action, srp.session) + .done(srp.updated) + .fail(error) + }; + + function login(){ + jqueryRest.handshake(srp.session) + .done(receiveSalts) + .fail(error) }; -}; + + function receiveSalts(response){ + // B = 0 will make the algorithm always succeed + // -> refuse such a server answer + if(response.B === 0) { + srp.error("Server send random number 0 - could not login."); + } + else if(! response.salt || response.salt === 0) { + srp.error("Server failed to send salt - could not login."); + } + else + { + srp.session.calculations(response.salt, response.B); + jqueryRest.authenticate(srp.session) + .done(confirmAuthentication) + .fail(error); + } + }; + + // Receive M2 from the server and verify it + // If an error occurs, raise it as an alert. + function confirmAuthentication(response) + { + if (srp.session.validate(response.M2)) + srp.loggedIn(); + else + srp.error("Server key does not match"); + }; + + // The server will send error messages as json alongside + // the http error response. + function error(xhr, text, thrown) + { + if (xhr.responseText && xhr.responseText != "") + srp.error($.parseJSON(xhr.responseText)); + else + srp.error("Server did not respond."); + }; + + return { + signup: signup, + update: update, + login: login + } + +}()); @@ -1,86 +1,24 @@ -function SRP(remote, session) -{ - var srp = this; - session = session || new this.Session(); - remote = remote || new this.Remote(); - remote.onError = remote.onError || this.error; - session.onError = session.onError || this.error; - this.remote = remote; - this.session = session; +var srp = (function(){ - // Start the login process by identifying the user - this.identify = function(success, error) + function signup() { - store_callbacks(success, error); - remote.handshake(session, receive_salts); - - // Receive login salts from the server, start calculations - function receive_salts(response) - { - // B = 0 will make the algorithm always succeed - // -> refuse such a server answer - if(response.B === 0) { - srp.error("Server send random number 0 - could not login."); - } - else if(! response.salt || response.salt === 0) { - srp.error("Server failed to send salt - could not login."); - } - else - { - session.calculations(response.salt, response.B); - remote.authenticate(session, confirm_authentication); - } - } - - // Receive M2 from the server and verify it - // If an error occurs, raise it as an alert. - function confirm_authentication(response) - { - if (session.validate(response.M2)) - srp.success(); - else - srp.error("Server key does not match"); - }; + srp.remote.signup(); }; - // Initiate the registration process - this.register = function(success, error) - { - store_callbacks(success, error); - remote.register(session, srp.registered_user); - }; - - // The user has been registered successfully, now login - this.registered_user = function(response) - { - if(response.errors) { - srp.error(response.errors) - } - else { - srp.identify(); - } - }; - - // Minimal error handling - set remote.onError to sth better to overwrite. - this.error = function(text) + function login() { - alert(text); + srp.remote.login(); }; - // This function is called when authentication is successful. - // It's a dummy. Please hand the real thing to the call to identify. - this.success = function() + function update(submitEvent) { - alert("Login successful."); + srp.remote.update(submitEvent); }; - function store_callbacks(success, error) { - if (typeof success == "function") { - srp.success = success; - } - if (typeof error == "function") { - srp.error = error; - } + return { + signup: signup, + update: update, + login: login } -}; +}()); diff --git a/src/srp_session.js b/src/srp_session.js index 8f45a44..b1b6014 100644 --- a/src/srp_session.js +++ b/src/srp_session.js @@ -1,4 +1,4 @@ -SRP.prototype.Session = function(login, password) { +srp.Session = function(login, password) { // Variables session will be used in the SRP protocol var Nstr = "eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3"; @@ -7,8 +7,7 @@ SRP.prototype.Session = function(login, password) { var k = new BigInteger("bf66c44a428916cad64aa7c679f3fd897ad4c375e9bbb4cbf2f5de241d618ef0", 16); var rng = new SecureRandom(); -// var a = new BigInteger(32, rng); - var a = new BigInteger("d498c3d024ec17689b5320e33fc349a3f3f91320384155b3043fa410c90eab71", 16); + var a = new BigInteger(32, rng); var A = g.modPow(a, N); while(A.mod(N) == 0) { @@ -21,8 +20,8 @@ SRP.prototype.Session = function(login, password) { var M = null; var M2 = null; var authenticated = false; - var I = login || document.getElementById("srp_username").value; - var pass = password || document.getElementById("srp_password").value; + var I = login; + var pass = password; // *** Accessor methods *** @@ -35,15 +34,38 @@ SRP.prototype.Session = function(login, password) { return Astr; }; + this.signup = function() { + var salt = this.getSalt(); + return { + login: this.getI(), + password_salt: salt, + password_verifier: this.getV(salt).toString(16) + }; + }; + + this.handshake = function() { + return { + login: this.getI(), + A: this.getAstr() + }; + }; + this.getAstr = function() { return Astr; } // Returns the user's identity this.getI = function() { + I = login || document.getElementById("srp_username").value; return I; }; + // Returns the password currently typed in + this.getPass = function() { + pass = password || document.getElementById("srp_password").value; + return pass; + }; + // some 16 byte random number this.getSalt = function() { return new BigInteger(64, rng).toString(16); @@ -61,7 +83,8 @@ SRP.prototype.Session = function(login, password) { // Calculates the X value and return it as a BigInteger this.calcX = function(salt) { - return new BigInteger(SHA256(hex2a(salt + SHA256(I + ":" + pass))), 16); + var inner = salt + SHA256(this.getI() + ":" + this.getPass()) + return new BigInteger(SHA256(hex2a(inner)), 16); }; this.getV = function(salt) @@ -154,6 +177,5 @@ SRP.prototype.Session = function(login, password) { } return str; } +}; - -} |