Closed snej closed 11 years ago
Thanks, Jens.
Hello,
I think this is a correct implementation, but it really hurts my setup. I'm running several different sites using nginx as a proxy to a couchdb running on localhost. As this one server is serving pages for both http://example1.com/_browserid and http://example2.com/_browserid, the current solution does not work for me.
Another option would be to provide an object for audience:

```js
audience = {
  _default: 'http://example.com',   // is used for /_browserid
  examplea: 'http://example1.com',  // is used for the /_browserid/examplea url
  exampleb: 'http://example2.com'   // /_browserid/exampleb
}
```
Would that work out? Thanks a lot!
The current code gets the "audience" parameter for verification from the "Host" header of the client's request:
This is insecure; the Audience string should be controlled only by server-side code. If the client is able to provide it, they can spoof the login, as described on Mozilla's security considerations page:
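To make the difference concrete, here is an added example (not code from this project or from anyone in the thread) contrasting the two ways of deriving the audience. It assumes a Node-style request object with `url` and `headers.host`, and the `/_browserid/<site>` layout proposed above; the `AUDIENCES` map and the function names are hypothetical. The hardened version never reads the Host header: an unknown path segment yields `null`, so the verification step can refuse rather than fall back to something client-controlled.

```javascript
// Added example: server-side audience selection for BrowserID verification.
// Assumptions (not from the project): req.url and req.headers.host exist, and
// the app is mounted at /_browserid or /_browserid/<site>.

// INSECURE: the audience is taken from the client-controlled Host header,
// so whoever crafts the request also picks the audience the assertion is
// checked against.
function audienceFromHost(req) {
  return `http://${req.headers.host}`;
}

// Hardened: the audience comes only from server-side configuration, keyed by
// the path segment after /_browserid (the layout suggested in the thread).
// Hypothetical sample configuration, constructed for this example.
const AUDIENCES = {
  _default: 'http://example.com',   // /_browserid
  examplea: 'http://example1.com',  // /_browserid/examplea
  exampleb: 'http://example2.com',  // /_browserid/exampleb
};

function audienceFromConfig(req, audiences = AUDIENCES) {
  // Only the path matters; the base URL is a placeholder so relative
  // request targets parse. The Host header is deliberately not consulted.
  const { pathname } = new URL(req.url, 'http://placeholder.invalid');
  const m = /^\/_browserid(?:\/([A-Za-z0-9_-]+))?(?:\/|$)/.exec(pathname);
  if (!m) return null;                      // not a BrowserID endpoint
  const key = m[1] || '_default';
  // hasOwnProperty guards against keys such as "constructor" resolving
  // to something inherited from Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(audiences, key)) return null;
  return audiences[key];                    // always a configured value
}

module.exports = { audienceFromHost, audienceFromConfig, AUDIENCES };
```

With a request to `/_browserid/examplea` carrying an arbitrary Host header, `audienceFromHost` echoes that header back while `audienceFromConfig` returns `http://example1.com` regardless of it; a path outside the configured set returns `null` and should be treated as a verification failure, not mapped to a default.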