atomic_lti 1.7.0 → 1.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 265fc192cec38bb2a8dbac1f8fc4eaf3388f9240de43f5558ea28f52c3272047
-  data.tar.gz: cd5cbbb67fc5f2bed2cf959421321aae77a0a8a73504c6ff3a1729d7e78bc8e2
+  metadata.gz: c5a9ab9e61066b4cf5a463e83db17a6ffbded2fce44251b5506dbfb7a385d1df
+  data.tar.gz: 1922245e4850a6f2baa0cf7cd44a6ae05c3d2937ee957c8ddca46299fa10d302
 SHA512:
-  metadata.gz: 8b5c6de47055ebad0a7dfb6a8a8bfeb3f5fdf4598799bd0ed6805ae6c665282bf37130a6a8e37c31cacfdfb77bc10fd8971e85592e7eaca5ae9539015decfd05
-  data.tar.gz: 775b35f941fd47e529c68906fe47541b3c2736c0c4659179485e5e3da2492edcae02bd537d9bcd4cd621a5f99539f3b466d8f91e0584fa0f14b5fa5c381df9f9
+  metadata.gz: 8e1506ff8b48c8b65164be73cf73408a102af3235f6b1a241068ddca74c57bf8b5c7241e7f5308bf3152a2e6e3bb5288afc7c32aa36d2ef95f896e5ed62bf4ed
+  data.tar.gz: 6a114eefe55c0337690997eaa274685eb3025956a1ac82927c595cd6d716436a1ac2384a2155d568eece1fa002a96e0faa4c3226c9f0c6eb64bcb1328bdeaca7

data/app/lib/atomic_lti/authorization.rb

@@ -119,6 +119,7 @@ module AtomicLti
     def self.request_token_uncached(iss:, deployment_id:, scopes:)
       # Details here:
       # https://www.imsglobal.org/spec/security/v1p0/#using-json-web-tokens-with-oauth-2-0-client-credentials-grant
+      puts "GETTING TOKEN"
       body = {
         grant_type: "client_credentials",
         client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",

data/app/lib/atomic_lti/lti.rb

@@ -83,7 +83,9 @@ module AtomicLti
 
       # Validate that we are at the target_link_uri
       target_link_uri = decoded_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM]
-      if validate_target_link_url && target_link_uri != requested_target_link_uri
+
+      if validate_target_link_url &&
+          !matching_uri?(target_link_uri, requested_target_link_uri, ignore_host: AtomicLti.update_target_link_host)
         errors.push(
           "LTI token target link uri '#{target_link_uri}' doesn't match url '#{requested_target_link_uri}'",
         )
@@ -123,5 +125,16 @@ module AtomicLti
         decoded_token["aud"]
       end
     end
+
+    def self.matching_uri?(target, actual, ignore_host:)
+      t = URI.parse(target)
+      a = URI.parse(actual)
+
+      t.scheme == a.scheme &&
+        t.path == a.path &&
+        t.query == a.query &&
+        t.fragment == a.fragment &&
+        (ignore_host || t.host == a.host)
+    end
   end
 end

data/app/lib/atomic_lti/services/names_and_roles.rb

@@ -2,8 +2,9 @@ module AtomicLti
   module Services
     class NamesAndRoles < AtomicLti::Services::Base
 
-      def initialize(id_token_decoded:)
-        super(id_token_decoded: id_token_decoded)
+      def initialize(id_token_decoded: nil, iss: nil, deployment_id: nil, context_memberships_url: nil)
+        @context_memberships_url = context_memberships_url || id_token_decoded.dig(AtomicLti::Definitions::NAMES_AND_ROLES_CLAIM, "context_memberships_url")
+        super(id_token_decoded:, iss:, deployment_id:)
       end
 
       def scopes

data/app/views/atomic_lti/shared/redirect.html.erb

@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <html lang="en">
   <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <link href="https://fonts.googleapis.com/icon?family=Material+Icons+Outlined" rel="stylesheet">
     <%= stylesheet_link_tag "atomic_lti/launch" %>
   </head>
@@ -13,7 +14,7 @@
           </p>
         </div>
       </noscript>
-      <form action="<%= @launch_url -%>" method="POST">
+      <form action="<%= @launch_url -%>" method="POST" accept-charset="UTF-8">
         <% @launch_params.each do |name, value| -%>
           <%= hidden_field_tag(name, value) %>
         <% end -%>

data/lib/atomic_lti/open_id_middleware.rb

@@ -31,13 +31,17 @@ module AtomicLti
       headers = { "Content-Type" => "text/html" }
       Rack::Utils.set_cookie_header!(
         headers, "#{OPEN_ID_COOKIE_PREFIX}storage",
-        { value: "1", path: "/", max_age: 365.days, http_only: false, secure: true, same_site: "None" }
+        { value: "1", path: "/", max_age: 365.days, http_only: false, secure: true, same_site: "None", partitioned: true }
       )
       Rack::Utils.set_cookie_header!(
         headers, "#{OPEN_ID_COOKIE_PREFIX}#{state}",
-        { value: 1, path: "/", max_age: 1.minute, http_only: false, secure: true, same_site: "None" }
+        { value: 1, path: "/", max_age: 1.minute, http_only: false, secure: true, same_site: "None", partitioned: true }
       )
 
+      # Ensure our cookies are partitioned.  This can be removed once our Rack version
+      # understands the partitioned: argument above.
+      headers[Rack::SET_COOKIE] = partition_cookies(headers[Rack::SET_COOKIE])
+
       redirect_uri = [request.base_url, AtomicLti.oidc_redirect_path].join
       response_url = build_oidc_response(request, state, nonce, redirect_uri)
 
@@ -111,6 +115,13 @@ module AtomicLti
       target_link_uri = id_token_decoded[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM] ||
         File.join("#{uri.scheme}://#{uri.host}", AtomicLti.default_deep_link_path)
 
+      target = URI.parse(target_link_uri)
+
+      # Optionally update the target link host to match the redirect host
+      if AtomicLti.update_target_link_host && target.host != uri.host
+        target.host = uri.host
+      end
+
       # We want to strip out the redirect path params from the request params
       # so that we can support having the redirect path be the same as the
       # launch path, only differentiated by a query parameter. This is needed
@@ -131,7 +142,7 @@ module AtomicLti
         template: "atomic_lti/shared/redirect",
         assigns: {
           launch_params: launch_params,
-          launch_url: target_link_uri,
+          launch_url: target,
         },
       )
 
@@ -363,5 +374,30 @@ module AtomicLti
         platformOIDCUrl: platform.oidc_url,
       }.compact
     end
+
+    def partition_cookies(header)
+      # Some versions of rack add multiple cookies as a newline-separated string, and others
+      # as an array of strings.
+      case header
+      when String
+        header.split("\n").map do |cookie|
+          if !cookie.match? /partitioned/i
+            "#{cookie}; partitioned"
+          else
+            cookie
+          end
+        end.join("\n")
+      when Array
+        header.map do |cookie|
+          if !cookie.match? /partitioned/i
+            "#{cookie}; partitioned"
+          else
+            cookie
+          end
+        end
+      else
+        header
+      end
+    end
   end
 end

data/lib/atomic_lti/version.rb

@@ -1,3 +1,3 @@
 module AtomicLti
-  VERSION = "1.7.0".freeze
+  VERSION = "1.8.1".freeze
 end

data/lib/atomic_lti.rb

@@ -32,6 +32,12 @@ module AtomicLti
   # requires this, but Canvas doesn't currently support it.
   mattr_accessor :set_post_message_origin, default: false
 
+  # Set to true to update the target link uri host to match the oidc redirect host.
+  # Enable this when a single LTI install needs to support launches across multiple hosts.
+  # Setting this avoids state validation problems on launch since state cookies and
+  # postMessage storage won't work across different hosts.
+  mattr_accessor :update_target_link_host, default: false
+
   mattr_accessor :privacy_policy_url, default: "#"
   mattr_accessor :privacy_policy_message, default: nil
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: atomic_lti
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.1
 platform: ruby
 authors:
 - Matt Petro
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-26 00:00:00.000000000 Z
+date: 2024-03-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pg
@@ -133,7 +133,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: AtomicLti implements the LTI Advantage specification.