atomic_lti 1.3.1 → 1.5.1

data/app/views/atomic_lti/shared/redirect.html.erb

@@ -1,15 +1,28 @@
 <!DOCTYPE html>
 <html lang="en">
   <head>
-    <script type="text/javascript">
-      window.onload=function(){document.forms[0].submit();};
-    </script>
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons+Outlined" rel="stylesheet">
+    <%= stylesheet_link_tag "atomic_lti/launch" %>
   </head>
   <body>
-    <form action="<%= @launch_url -%>" method="POST">
-      <% @launch_params.each do |name, value| -%>
-        <%= hidden_field_tag(name, value) %>
-      <% end -%>
-    </form>
+      <noscript>
+        <div class="u-flex aj-centered-message">
+          <i class="material-icons-outlined aj-icon" aria-hidden="true">warning</i>
+          <p class="aj-text">
+            You must have javascript enabled to use this application.
+          </p>
+        </div>
+      </noscript>
+      <form action="<%= @launch_url -%>" method="POST">
+        <% @launch_params.each do |name, value| -%>
+          <%= hidden_field_tag(name, value) %>
+        <% end -%>
+      </form>
+    </div>
+    <script>
+      window.addEventListener("load", () => {
+        document.forms[0].submit();
+      });
+    </script>
   </body>
 </html>

data/db/migrate/20230726040941_add_state_to_open_id_state.rb

@@ -0,0 +1,6 @@
+class AddStateToOpenIdState < ActiveRecord::Migration[7.0]
+  def change
+    add_column :atomic_lti_open_id_states, :state, :string
+    add_index :atomic_lti_open_id_states, :state, unique: true
+  end
+end

data/db/seeds.rb

@@ -2,16 +2,16 @@
 AtomicLti::Jwk.find_or_create_by(domain: nil)
 
 # Add some platforms
-AtomicLti::Platform.create_with( 
-  jwks_url: "https://canvas.instructure.com/api/lti/security/jwks", 
-  token_url: "https://canvas.instructure.com/login/oauth2/token", 
-  oidc_url: "https://canvas.instructure.com/api/lti/authorize_redirect"
+AtomicLti::Platform.create_with(
+  jwks_url: AtomicLti::Definitions::CANVAS_PUBLIC_LTI_KEYS_URL,
+  token_url: AtomicLti::Definitions::CANVAS_AUTH_TOKEN_URL,
+  oidc_url: AtomicLti::Definitions::CANVAS_OIDC_URL,
 ).find_or_create_by(iss: "https://canvas.instructure.com")
 
 AtomicLti::Platform.create_with(
-  jwks_url: "https://canvas-beta.instructure.com/api/lti/security/jwks",
-  token_url: "https://canvas-beta.instructure.com/login/oauth2/token",
-  oidc_url: "https://canvas-beta.instructure.com/api/lti/authorize_redirect",
+  jwks_url: AtomicLti::Definitions::CANVAS_BETA_PUBLIC_LTI_KEYS_URL,
+  token_url: AtomicLti::Definitions::CANVAS_BETA_AUTH_TOKEN_URL,
+  oidc_url: AtomicLti::Definitions::CANVAS_BETA_OIDC_URL,
 ).find_or_create_by(iss: "https://canvas-beta.instructure.com")
 
 
@@ -26,4 +26,4 @@ AtomicTenant::PinnedPlatformGuid.create(iss: "https://canvas.instructure.com", p
 #  deployment_id: "21089:1f5e1ee417cb2b17f86a1232122452ab3f6188f7",
 #  application_instance_id: 5,
 #  created_at: Tue, 16 Aug 2022 16:05:20.848365000 UTC +00:00,
-#  updated_at: Tue, 16 Aug 2022 16:05:20.848365000 UTC +00:00>
+#  updated_at: Tue, 16 Aug 2022 16:05:20.848365000 UTC +00:00>

data/lib/atomic_lti/error_handling_middleware.rb

@@ -4,7 +4,7 @@ module AtomicLti
       @app = app
     end
 
-    def render_error(env, status, message)
+    def render_error(status, message)
       format = "text/plain"
       body = message
 
@@ -12,22 +12,30 @@ module AtomicLti
     end
 
     def render(status, body, format)
-      [status,
-      {
-        "Content-Type" => "#{format}; charset=\"UTF-8\"",
-        "Content-Length" => body.bytesize.to_s,
-      },
-      [body]]
+      [
+        status,
+        {
+          "Content-Type" => "#{format}; charset=\"UTF-8\"",
+          "Content-Length" => body.bytesize.to_s,
+        },
+        [body],
+      ]
     end
 
     def call(env)
       @app.call(env)
-
+    rescue JWT::ExpiredSignature
+      render_error(401, "The launch has expired. Please launch the application again.")
+    rescue JWT::DecodeError
+      render_error(401, "The launch token is invalid.")
+    rescue AtomicLti::Exceptions::NoLTIToken
+      render_error(401, "Invalid launch. Please launch the application again.")
+    rescue AtomicLti::Exceptions::AtomicLtiAuthException => e
+      render_error(401, "Invalid LTI launch. Please launch the application again. #{e.message}")
     rescue AtomicLti::Exceptions::AtomicLtiNotFoundException => e
-      render_error(env, 404, e.message)
-
+      render_error(404, e.message)
     rescue AtomicLti::Exceptions::AtomicLtiException => e
-      render_error(env, 500, e.message)
+      render_error(500, "Invalid LTI launch. Please launch the application again. #{e.message}")
     end
   end
 end

data/lib/atomic_lti/open_id_middleware.rb

@@ -1,4 +1,8 @@
 module AtomicLti
+  # This is the same prefix used in the npm package. There's not a great way to share constants between ruby and npm.
+  # Don't change it unless you change it in the Javascript as well.
+  OPEN_ID_COOKIE_PREFIX = "open_id_".freeze
+
   class OpenIdMiddleware
     def initialize(app)
       @app = app
@@ -17,26 +21,86 @@ module AtomicLti
     end
 
     def handle_init(request)
-      nonce = SecureRandom.hex(64)
+      platform = AtomicLti::Platform.find_by(iss: request.params["iss"])
+      if !platform
+        raise AtomicLti::Exceptions::NoLTIPlatform.new(iss: request.params["iss"])
+      end
+
+      nonce, state = AtomicLti::OpenId.generate_state
+
+      headers = { "Content-Type" => "text/html" }
+      Rack::Utils.set_cookie_header!(
+        headers, "#{OPEN_ID_COOKIE_PREFIX}storage",
+        { value: "1", path: "/", max_age: 365.days, http_only: false, secure: true, same_site: "None" }
+      )
+      Rack::Utils.set_cookie_header!(
+        headers, "#{OPEN_ID_COOKIE_PREFIX}#{state}",
+        { value: 1, path: "/", max_age: 1.minute, http_only: false, secure: true, same_site: "None" }
+      )
 
       redirect_uri = [request.base_url, AtomicLti.oidc_redirect_path].join
+      response_url = build_oidc_response(request, state, nonce, redirect_uri)
+
+      if request.cookies.present? || !AtomicLti.enforce_csrf_protection
+        # we know cookies will work, so redirect
+        headers["Location"] = response_url
 
-      state = AtomicLti::OpenId.state
-      url = build_oidc_response(request, state, nonce, redirect_uri)
+        [302, headers, ["Found"]]
+      else
+        # cookies might not work, so render our javascript form
+        if request.params["lti_storage_target"].present? && AtomicLti.use_post_message_storage
+          lti_storage_params = build_lti_storage_params(request, platform)
+        end
 
-      headers = { "Location" => url, "Content-Type" => "text/html" }
-      Rack::Utils.set_cookie_header!(headers, "open_id_state", state)
-      [302, headers, ["Found"]]
+        html = ApplicationController.renderer.render(
+          :html,
+          layout: false,
+          template: "atomic_lti/shared/init",
+          assigns: {
+            settings: {
+              state: state,
+              responseUrl: response_url,
+              ltiStorageParams: lti_storage_params,
+              relaunchInitUrl: relaunch_init_url(request),
+              privacyPolicyUrl: AtomicLti.privacy_policy_url,
+              privacyPolicyMessage: AtomicLti.privacy_policy_message,
+              openIdCookiePrefix: OPEN_ID_COOKIE_PREFIX,
+            },
+          },
+        )
+
+        [200, headers, [html]]
+      end
     end
 
-    def handle_redirect(request)
+    def validate_launch(request, validate_target_link_url)
+      # Validate and decode id_token
       raise AtomicLti::Exceptions::NoLTIToken if request.params["id_token"].blank?
 
-      lti_token = AtomicLti::Authorization.validate_token(
-        request.params["id_token"],
-      )
+      id_token_decoded = AtomicLti::Authorization.validate_token(request.params["id_token"])
+
+      raise AtomicLti::Exceptions::InvalidLTIToken.new if id_token_decoded.nil?
+
+      # Validate id token contents
+      AtomicLti::Lti.validate!(id_token_decoded, request.url, validate_target_link_url)
+
+      # Check for the state cookie
+      state_verified = false
+      state = request.params["state"]
+      if request.cookies["open_id_#{state}"]
+        state_verified = true
+      end
 
-      AtomicLti::Lti.validate!(lti_token)
+      # Validate the state and nonce
+      if !AtomicLti::OpenId.validate_state(id_token_decoded["nonce"], state)
+        raise AtomicLti::Exceptions::OpenIDStateError.new("Invalid OIDC state.")
+      end
+
+      [id_token_decoded, state, state_verified]
+    end
+
+    def handle_redirect(request)
+      id_token_decoded, _state, _state_verified = validate_launch(request, false)
 
       uri = URI(request.url)
       # Technically the target_link_uri is not required and the certification suite
@@ -44,25 +108,26 @@ module AtomicLti
       # but at least for the certification suite we have to have a backup default
       # value that can be set in the configuration of Atomic LTI using
       # the default_deep_link_path
-      target_link_uri = lti_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM] ||
+      target_link_uri = id_token_decoded[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM] ||
         File.join("#{uri.scheme}://#{uri.host}", AtomicLti.default_deep_link_path)
 
-      redirect_params = {
-        state: request.params["state"],
-        id_token: request.params["id_token"],
-      }
       html = ApplicationController.renderer.render(
         :html,
         layout: false,
         template: "atomic_lti/shared/redirect",
-        assigns: { launch_params: redirect_params, launch_url: target_link_uri },
+        assigns: {
+          launch_params: request.params,
+          launch_url: target_link_uri,
+        },
       )
 
       [200, { "Content-Type" => "text/html" }, [html]]
     end
 
     def matches_redirect?(request)
-      raise AtomicLti::Exceptions::ConfigurationError.new("AtomicLti.oidc_redirect_path is not configured") if AtomicLti.oidc_redirect_path.blank?
+      if AtomicLti.oidc_redirect_path.blank?
+        raise AtomicLti::Exceptions::ConfigurationError.new("AtomicLti.oidc_redirect_path is not configured")
+      end
 
       redirect_uri = URI.parse(AtomicLti.oidc_redirect_path)
       redirect_path_params = if redirect_uri.query
@@ -87,35 +152,42 @@ module AtomicLti
     end
 
     def handle_lti_launch(env, request)
-      id_token = request.params["id_token"]
-      state = request.params["state"]
-      url = request.url
+      id_token_decoded, state, state_verified = validate_launch(request, true)
 
-      payload = valid_token(state: state, id_token: id_token, url: url)
-      if payload
-        decoded_jwt = payload
-
-        update_install(id_token: decoded_jwt)
-        update_platform_instance(id_token: decoded_jwt)
-        update_deployment(id_token: decoded_jwt)
-        update_lti_context(id_token: decoded_jwt)
+      id_token = request.params["id_token"]
+      update_install(id_token: id_token_decoded)
+      update_platform_instance(id_token: id_token_decoded)
+      update_deployment(id_token: id_token_decoded)
+      update_lti_context(id_token: id_token_decoded)
+
+      errors = id_token_decoded.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, "errors")
+      if errors.present? && !errors["errors"].empty?
+        Rails.logger.error("Detected errors in lti launch: #{errors}, id_token: #{id_token}")
+      end
 
-        errors = decoded_jwt.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, "errors")
-        if errors.present? && !errors["errors"].empty?
-          Rails.logger.error("Detected errors in lti launch: #{errors}, id_token: #{id_token}")
-        end
+      env["atomic.validated.decoded_id_token"] = id_token_decoded
+      env["atomic.validated.id_token"] = id_token
+
+      platform = AtomicLti::Platform.find_by!(iss: id_token_decoded["iss"])
+      if request.params["lti_storage_target"].present? && AtomicLti.use_post_message_storage
+        lti_storage_params = build_lti_storage_params(request, platform)
+        # Add the values needed to do client side validate to the environment
+        env["atomic.validated.state_validation"] = {
+          state: state,
+          lti_storage_params: lti_storage_params,
+          verified_by_cookie: state_verified,
+        }
+      end
 
-        env["atomic.validated.decoded_id_token"] = decoded_jwt
-        env["atomic.validated.id_token"] = id_token
+      @app.call(env)
 
-        @app.call(env)
-      else
-        Rails.logger.info("Invalid lti launch: id_token: #{payload} - id_token: #{id_token} - state: #{state} - url: #{url}")
-        [401, {}, ["Invalid Lti Launch"]]
-      end
+      # Delete the state cookie
+      status, headers, body = @app.call(env)
+      # Rack::Utils.delete_cookie_header(headers, "#{OPEN_ID_COOKIE_PREFIX}#{state}")
+      [status, headers, body]
     end
 
-    def error!(body = "Error", status = 500, headers = {"Content-Type" => "text/html"})
+    def error!(body = "Error", status = 500, headers = { "Content-Type" => "text/html" })
       [status, headers, [body]]
     end
 
@@ -134,6 +206,19 @@ module AtomicLti
 
     protected
 
+    def render_error(status, message)
+      html = ApplicationController.renderer.render(
+        :html,
+        layout: false,
+        template: "atomic_lti/shared/error",
+        assigns: {
+          message: message || "There was an error during the launch. Please try again.",
+        },
+      )
+
+      [status || 404, { "Content-Type" => "text/html" }, [html]]
+    end
+
     def update_platform_instance(id_token:)
       if id_token[AtomicLti::Definitions::TOOL_PLATFORM_CLAIM].present? &&
           id_token.dig(AtomicLti::Definitions::TOOL_PLATFORM_CLAIM, "guid").present?
@@ -222,32 +307,18 @@ module AtomicLti
         )
     end
 
-    def valid_token(state:, id_token:, url:)
-      # Validate the state by checking the database for the nonce
-      valid_state = AtomicLti::OpenId.validate_open_id_state(state)
-
-      return false if !valid_state
-
-      token = false
-
-      begin
-        token = AtomicLti::Authorization.validate_token(id_token)
-      rescue JWT::DecodeError => e
-        Rails.logger.error("Unable to decode jwt: #{e}, #{e.backtrace}")
-        return false
-      end
-
-      return false if token.nil?
-
-      AtomicLti::Lti.validate!(token, url, true)
-
-      token
+    def relaunch_init_url(request)
+      uri = URI.parse(request.url)
+      uri.fragment = uri.query = nil
+      params = request.params
+      params.delete("lti_storage_target")
+      [uri.to_s, "?", params.to_query].join
     end
 
     def build_oidc_response(request, state, nonce, redirect_uri)
       platform = AtomicLti::Platform.find_by(iss: request.params["iss"])
       if !platform
-        raise AtomicLti::Exceptions::NoLTIPlatform.new(iss: request.params["iss"])
+        raise AtomicLti::Exceptions::NoLTIPlatform.new("No platform was found for iss: #{request.params['iss']}")
       end
 
       uri = URI.parse(platform.oidc_url)
@@ -268,5 +339,13 @@ module AtomicLti
 
       [uri.to_s, "?", auth_params.to_query].join
     end
+
+    def build_lti_storage_params(request, platform)
+      {
+        target: request.params["lti_storage_target"],
+        originSupportBroken: !AtomicLti.set_post_message_origin,
+        platformOIDCUrl: platform.oidc_url,
+      }
+    end
   end
 end

data/lib/atomic_lti/version.rb

@@ -1,3 +1,3 @@
 module AtomicLti
-  VERSION = '1.3.1'
+  VERSION = "1.5.1".freeze
 end

data/lib/atomic_lti.rb

@@ -4,6 +4,7 @@ require "atomic_lti/open_id_middleware"
 require "atomic_lti/error_handling_middleware"
 require_relative "../app/lib/atomic_lti/definitions"
 require_relative "../app/lib/atomic_lti/exceptions"
+require_relative "../app/lib/atomic_lti/role_enforcement_mode"
 module AtomicLti
 
   # Set this to true to scope context_id's to the ISS rather than
@@ -18,7 +19,33 @@ module AtomicLti
   mattr_accessor :target_link_path_prefixes
   mattr_accessor :default_deep_link_path
   mattr_accessor :jwt_secret
-  mattr_accessor :scopes
+  mattr_accessor :scopes, default: AtomicLti::Definitions.scopes.join(" ")
+
+  # Set to true to enforce CSRF protection, either via cookies or postMessage
+  mattr_accessor :enforce_csrf_protection, default: true
+
+  # Set to true to use LTI postMessage storage for csrf token storage
+  # with this enabled we can operate without cookies
+  mattr_accessor :use_post_message_storage, default: true
+
+  # Set to true to set the targetOrigin on postMessage calls. The LTI spec
+  # requires this, but Canvas doesn't currently support it.
+  mattr_accessor :set_post_message_origin, default: false
+
+  mattr_accessor :privacy_policy_url, default: "#"
+  mattr_accessor :privacy_policy_message, default: nil
+
+  # https://www.imsglobal.org/spec/lti/v1p3#anonymous-launch-case
+  # 'anonymous' here means that the launch does not include a 'sub' field. In
+  # Canvas, this means the user is not logged in at all. If you enable this
+  # option, you will likely have to adjust application code to accommodate
+  mattr_accessor :allow_anonymous_user, default: false
+
+  # https://www.imsglobal.org/spec/lti/v1p3#role-vocabularies
+  # Determines how strictly to enforce the role vocabulary. The options are:
+  # - "DEFAULT" which means that unknown roles are allowed to be the only roles in the token.
+  # - "STRICT" which means that unknown roles are not allowed to be the only roles in the token.
+  mattr_accessor :role_enforcement_mode, default: AtomicLti::RoleEnforcementMode::DEFAULT
 
   def self.get_deployments(iss:, deployment_ids:)
     AtomicLti::Deployment.where(iss: iss, deployment_id: deployment_ids)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: atomic_lti
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.5.1
 platform: ruby
 authors:
 - Matt Petro
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-28 00:00:00.000000000 Z
+date: 2023-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pg
@@ -53,11 +53,15 @@ files:
 - MIT-LICENSE
 - README.md
 - Rakefile
+- app/assets/builds/atomic_lti/init_app.js
+- app/assets/builds/atomic_lti/init_app.js.map
 - app/assets/config/atomic_lti_manifest.js
 - app/assets/stylesheets/atomic_lti/application.css
 - app/assets/stylesheets/atomic_lti/jwks.css
+- app/assets/stylesheets/atomic_lti/launch.css
 - app/controllers/atomic_lti/jwks_controller.rb
 - app/helpers/atomic_lti/launch_helper.rb
+- app/javascript/atomic_lti/init_app.js
 - app/jobs/atomic_lti/application_job.rb
 - app/lib/atomic_lti/auth_token.rb
 - app/lib/atomic_lti/authorization.rb
@@ -68,6 +72,7 @@ files:
 - app/lib/atomic_lti/lti.rb
 - app/lib/atomic_lti/open_id.rb
 - app/lib/atomic_lti/params.rb
+- app/lib/atomic_lti/role_enforcement_mode.rb
 - app/lib/atomic_lti/services/base.rb
 - app/lib/atomic_lti/services/line_items.rb
 - app/lib/atomic_lti/services/names_and_roles.rb
@@ -85,6 +90,8 @@ files:
 - app/models/atomic_lti/platform.rb
 - app/models/atomic_lti/platform_instance.rb
 - app/views/atomic_lti/launches/index.html.erb
+- app/views/atomic_lti/shared/error.html.erb
+- app/views/atomic_lti/shared/init.html.erb
 - app/views/atomic_lti/shared/redirect.html.erb
 - app/views/layouts/atomic_lti/application.html.erb
 - config/routes.rb
@@ -96,6 +103,7 @@ files:
 - db/migrate/20220428175423_create_atomic_lti_oauth_states.rb
 - db/migrate/20220503003528_create_atomic_lti_jwks.rb
 - db/migrate/20221010140920_create_open_id_state.rb
+- db/migrate/20230726040941_add_state_to_open_id_state.rb
 - db/seeds.rb
 - lib/atomic_lti.rb
 - lib/atomic_lti/engine.rb
@@ -124,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.4.15
 signing_key:
 specification_version: 4
 summary: AtomicLti implements the LTI Advantage specification.