From 993647d1e3b43f1f9b7dc2ebce889b475d156bb9 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Thu, 14 Jan 2016 12:54:47 +0100
Subject: [PATCH] Use Google's verifier

---
 release.nix                      |  1 -
 src/lib/Hydra/Controller/User.pm | 41 +++++++-------------------------
 2 files changed, 8 insertions(+), 34 deletions(-)

diff --git a/release.nix b/release.nix
index 0493a9e5..70f3505b 100644
--- a/release.nix
+++ b/release.nix
@@ -117,7 +117,6 @@ rec {
             CatalystViewJSON
             CatalystViewTT
             CatalystXScriptServerStarman
-            CryptJWT
             CryptRandPasswd
             DBDPg
             DBDSQLite
diff --git a/src/lib/Hydra/Controller/User.pm b/src/lib/Hydra/Controller/User.pm
index 4d8d0b70..95d38599 100644
--- a/src/lib/Hydra/Controller/User.pm
+++ b/src/lib/Hydra/Controller/User.pm
@@ -4,7 +4,6 @@ use utf8;
 use strict;
 use warnings;
 use base 'Hydra::Base::Controller::REST';
-use Crypt::JWT qw(decode_jwt);
 use Crypt::RandPasswd;
 use Digest::SHA1 qw(sha1_hex);
 use Hydra::Helper::Nix;
@@ -121,46 +120,22 @@ sub persona_login :Path('/persona-login') Args(0) {
 }
 
 
-# From https://www.googleapis.com/oauth2/v3/certs. Should probably not
-# hard-code this.
-my $googleKeys = <<'EOF';
-{
- "keys": [
-  {
-   "kty": "RSA",
-   "alg": "RS256",
-   "use": "sig",
-   "kid": "10685afd5291883ce668345afd77201390406f82",
-   "n": "xeNopuszp35W6H1w2Tw4OrSwT8BZ9f7-2PoOyWZmfMmUDmYT2uxrZezDK0YLap5LVmpLNcpZP5Hj67_32NU3my4qfA-SlxuJMUxHWJF7Dqr-QNAqld0SZ_po4qz5ZTHDxNxoZ4iw_T-4lhIBGm0RIZprDDGPI7Vo8qIeIMjZywoh_nq32zB6tnjEUBvHcgay0qXEnQkKkavzHO_c5sLc1qXM0jDQVqyO1enevW2yA_8gP0Qb7014ycN5umCvEHc66c2_iNT-R4zgw8gd1g05n2xwyET8qb_3wi5LqUV-Cri4mJ2xwGY8uynlD2I4jVtOYJusBgNs6AfwyehzsLdwSQ",
-   "e": "AQAB"
-  },
-  {
-   "kty": "RSA",
-   "alg": "RS256",
-   "use": "sig",
-   "kid": "5a68fc8a3ec0c30e0be95aa08db99a68a725467f",
-   "n": "zmXvUwXYSo8VouhnkURp-3xywch-jPrk7q0gugqC7QIchBPnvdXdS-bj6sr1AqDl_hEDtiLGfiVr3Ft_U022rtHAl5n5NxyybUtZXWyT5yQZM4jopGBajavEUdCl9b4pqb-q_3fVaxUXe7re23sVjI5Bntd-8RYZ70tq-ZvCWBqsnz6lHi9Ditp3CZGWLMMBZlIv3nKnClOrZXL98Jmt7AAod-Gtk65saqnrMwWtBcI_Q-3u23ytywbMLanCeFFNUWlIOgZqyYYkOm-ylLRJzVaZ1THtcWILWCYUgxXjyF9DtXO3a8nct2JhdacD3LzRiPv3sXr31cg4arwUk19JoQ",
-   "e": "AQAB"
-  }
- ]
-}
-EOF
-
-
 sub google_login :Path('/google-login') Args(0) {
     my ($self, $c) = @_;
     requirePost($c);
 
     error($c, "Logging in via Google is not enabled.") unless $c->config->{enable_google_login};
 
-    my $data = decode_jwt(
-        token => ($c->stash->{params}->{id_token} // die "No token."),
-        kid_keys => $googleKeys,
-        verify_exp => 1,
-    );
+    my $ua = new LWP::UserAgent;
+    my $response = $ua->post(
+        'https://www.googleapis.com/oauth2/v3/tokeninfo',
+        { id_token => ($c->stash->{params}->{id_token} // die "No token."),
+        });
+    error($c, "Did not get a response from Google.") unless $response->is_success;
+
+    my $data = decode_json($response->decoded_content) or die;
 
     die unless $data->{aud} eq $c->config->{google_client_id};
-    die unless $data->{iss} eq "accounts.google.com" || $data->{iss} eq "https://accounts.google.com";
     die "Email address is not verified" unless $data->{email_verified};
     # FIXME: verify hosted domain claim?