Hi guys,
The source code to xauth is available here:
http://github.com/xauth/xauth
I've spent some time documenting how it all works in the README and
I've commented just about everything in the code to be as explicit as
possible.
I'm looking forward to hearing feedback and criticism. :)
-Jian
Just for detail, I've copied a part of the README here:
### How does XAuth work? ###
XAuth relies on three features available only in modern browsers
(HTML5) and is 100% front end technology (meaning it could one day
just be a feature of the browser ;)
* [`localStorage`](http://dev.w3.org/html5/webstorage/#the-localstorage-attribute) - persistent storage mechanism to store the tokens completely client-side
* [`postMessage`](http://www.whatwg.org/specs/web-apps/current-work/multipage/comms.html) - ability to send information between domains and securely determine what domain information is coming from
* [`JSON`](http://wiki.ecmascript.org/doku.php?id=es3.1:json_support) - safer methods than eval for serializing and deserializing JSON strings into JavaScript objects when passed via postMessage
#### When you include the xauth.js script ####
An `XAuth` object is created in the global scope having three methods:
`extend`, `retrieve`, `expire` and one member flag `disabled` to tell
you if this browser has the capabilities to support XAuth. The code
sets up a listener for postMessage events on the window.
#### When you call an XAuth method (extend, expire or retrieve) ####
Your passed-in parameters are cleaned and turned into a consumable
request object of the form:

```javascript
{
  cmd: 'xauth::methodname',   // based on what you called
  id: unique_numeric_id,      // generated by xauth.js
  // ... other key value parameters specific to this method ...
  callback: yourCallbackFunctionReference
}
```
These request objects are cached, serialized into JSON strings and
then sent via postMessage to a hidden iframe (http://xauth.org/server.html)
that is created on demand, after the first XAuth method
call is made. Any XAuth method calls made prior to the iframe being
ready are automatically placed in a queue.
#### The xauth.org iframe and security ####
The xauth.org iframe code is the enforcer of the rules defined in the
XAuth spec, including deciding who has access to tokens in a retrieve
request, writing tokens to localStorage in an extend request and
deleting expired tokens.
After setting up a postMessage event listener, any incoming message
event is deserialized into a consumable request object (see above) or
is otherwise ignored. It is the browser's responsibility to properly
implement the window.postMessage security model and include an
immutable and unspoofable event.origin property on every incoming
postMessage event, telling the iframe exactly where an event
originated from. The iframe processes the request on behalf of the
retriever identified by event.origin and sends a postMessage back to
the calling retriever window with the results.
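The request/queue flow and the iframe's origin-based enforcement described above, as an added, Node-runnable model. This is not xauth.js or server.html and not the XAuth spec: localStorage is replaced by an in-memory stand-in, a postMessage "event" is a plain `{origin, data}` object whose `origin` the simulated browser stamps, the field names `token`/`expire`/`extend` and keying tokens by issuing origin are assumptions for illustration, and the `*.example` origins are constructed. It uses the page's http://xauth.org as the iframe origin a client should accept replies from.

```javascript
// Added example (not xauth.js or server.html): a Node-runnable model of the
// postMessage exchange. Browser APIs are stand-ins: makeStorage() plays
// localStorage, and a message "event" is {origin, data} with origin stamped
// by the simulated browser. Field names token/expire/extend and keying tokens
// by issuing origin are assumptions, not the XAuth spec.

const IFRAME_ORIGIN = 'http://xauth.org'; // origin of the hidden server.html iframe

// Stand-in for localStorage: string keys to string values, in memory.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Iframe side: parses incoming messages, enforces who may read a token,
// writes/deletes tokens, and replies with the request id echoed back.
function makeServer(storage, now = () => Date.now()) {
  const KEY = 'xauth_tokens';
  const load = () => JSON.parse(storage.getItem(KEY) || '{}');
  const save = (t) => storage.setItem(KEY, JSON.stringify(t));

  // Deserialize: only a JSON object with a numeric id and a known cmd is a request.
  function parseRequest(data) {
    let req;
    try { req = JSON.parse(data); } catch (e) { return null; }
    if (!req || typeof req !== 'object' || typeof req.id !== 'number') return null;
    if (!['xauth::extend', 'xauth::retrieve', 'xauth::expire'].includes(req.cmd)) return null;
    return req;
  }

  // Handle one message event; returns the serialized reply, or null if ignored.
  function onMessage(event) {
    const req = parseRequest(event.data);
    if (req === null) return null;
    const origin = event.origin; // stamped by the browser, never read from req
    const tokens = load();
    let result = {};
    if (req.cmd === 'xauth::extend') {
      // Store under the issuing origin with its expiry and allowed retrievers.
      tokens[origin] = { token: String(req.token), expire: Number(req.expire),
                         extend: Array.isArray(req.extend) ? req.extend : [] };
    } else if (req.cmd === 'xauth::expire') {
      delete tokens[origin]; // an origin may only expire its own token
    } else {
      const list = [];
      for (const [issuer, t] of Object.entries(tokens)) {
        if (t.expire <= now()) { delete tokens[issuer]; continue; } // drop expired
        if (t.extend.includes(origin)) list.push({ issuer, token: t.token });
      }
      result = { tokens: list };
    }
    save(tokens);
    return JSON.stringify({ cmd: req.cmd, id: req.id, ...result });
  }
  return { onMessage, parseRequest };
}

// Client side: builds request objects, queues them until the iframe is ready,
// keeps callbacks local (not serializable), matches replies by id, and
// accepts replies only from the iframe's origin.
function makeClient(sendToIframe) {
  let nextId = 1;
  const pending = new Map();
  const queue = [];
  let ready = false;

  function call(method, params, callback) {
    const req = { ...params, cmd: 'xauth::' + method, id: nextId++ }; // cmd/id win
    pending.set(req.id, callback);
    const data = JSON.stringify(req);
    if (ready) sendToIframe(data); else queue.push(data);
    return req.id;
  }
  function iframeReady() { ready = true; while (queue.length) sendToIframe(queue.shift()); }
  function onReply(event) {
    if (event.origin !== IFRAME_ORIGIN) return false; // not from the iframe: ignore
    const reply = JSON.parse(event.data);
    const cb = pending.get(reply.id);
    if (!cb) return false;
    pending.delete(reply.id);
    cb(reply);
    return true;
  }
  return { call, iframeReady, onReply, queued: () => queue.length };
}

// Wire a client at `origin` to the server; the "browser" stamps origins on both legs.
function connect(server, origin) {
  const client = makeClient((data) => {
    const reply = server.onMessage({ origin, data });
    if (reply !== null) client.onReply({ origin: IFRAME_ORIGIN, data: reply });
  });
  return client;
}

// Constructed scenario: issuer extends a token to reader only; other gets nothing.
function demo() {
  const server = makeServer(makeStorage(), () => 1000);
  const issuer = connect(server, 'https://issuer.example');
  const reader = connect(server, 'https://reader.example');
  const other = connect(server, 'https://other.example');
  const seen = {};
  issuer.call('extend', { token: 'tok-123', expire: 5000, extend: ['https://reader.example'] },
              () => { seen.extended = true; });
  const queuedBefore = issuer.queued(); // 1: iframe not ready yet
  issuer.iframeReady(); reader.iframeReady(); other.iframeReady();
  reader.call('retrieve', {}, (r) => { seen.reader = r.tokens; });
  other.call('retrieve', {}, (r) => { seen.other = r.tokens; });
  // An unknown cmd is ignored outright by the iframe side.
  const ignored = server.onMessage({ origin: 'https://other.example', data: '{"cmd":"xauth::dump","id":9}' });
  // A reply not stamped with the iframe origin is dropped by the client.
  const spoofedReply = reader.onReply({ origin: 'https://other.example', data: '{"id":1}' });
  issuer.call('expire', {}, () => {});
  reader.call('retrieve', {}, (r) => { seen.afterExpire = r.tokens; });
  return { queuedBefore, seen, ignored, spoofedReply };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points the model makes concrete: the iframe side keys every decision on `event.origin`, which the browser sets, rather than on anything inside the message body, and the calling page applies the same rule in reverse by discarding replies whose origin is not the iframe's. The request `callback` never crosses the postMessage boundary; only the numeric `id` does, and the reply is matched back to the stored callback.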
--
You received this message because you are subscribed to the xAuth group: http://groups.google.com/group/xauth?hl=en