atomic_lti 1.7.0 → 1.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/lib/atomic_lti/lti.rb +14 -1
- data/lib/atomic_lti/open_id_middleware.rb +39 -3
- data/lib/atomic_lti/version.rb +1 -1
- data/lib/atomic_lti.rb +6 -0
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9657315417130b6c1e170190e55603fff1aa97f2285518fa47645b6586b63c64
|
4
|
+
data.tar.gz: 5cc81825d70b45eb8d2de538b60ead7ac77742bf57f974762e9ab199d9101004
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 32921bce5874ad6e3066c14f2bc984747efc06fcfb229cb43c4e8fe13026823ff42b1d5582e677d27832b3d88735cdc1e0317e7d962020b6a2b380134bbf6802
|
7
|
+
data.tar.gz: e0255a4a3671f6ab6d56041179c28592f088d61f67d1c07632f374aba83657bb7831f94e6ba241fc4467ae0c0122885dd8d22a7578365e49714b432fb7ce5b00
|
data/app/lib/atomic_lti/lti.rb
CHANGED
@@ -83,7 +83,9 @@ module AtomicLti
|
|
83
83
|
|
84
84
|
# Validate that we are at the target_link_uri
|
85
85
|
target_link_uri = decoded_token[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM]
|
86
|
-
|
86
|
+
|
87
|
+
if validate_target_link_url &&
|
88
|
+
!matching_uri?(target_link_uri, requested_target_link_uri, ignore_host: AtomicLti.update_target_link_host)
|
87
89
|
errors.push(
|
88
90
|
"LTI token target link uri '#{target_link_uri}' doesn't match url '#{requested_target_link_uri}'",
|
89
91
|
)
|
@@ -123,5 +125,16 @@ module AtomicLti
|
|
123
125
|
decoded_token["aud"]
|
124
126
|
end
|
125
127
|
end
|
128
|
+
|
129
|
+
def self.matching_uri?(target, actual, ignore_host:)
|
130
|
+
t = URI.parse(target)
|
131
|
+
a = URI.parse(actual)
|
132
|
+
|
133
|
+
t.scheme == a.scheme &&
|
134
|
+
t.path == a.path &&
|
135
|
+
t.query == a.query &&
|
136
|
+
t.fragment == a.fragment &&
|
137
|
+
(ignore_host || t.host == a.host)
|
138
|
+
end
|
126
139
|
end
|
127
140
|
end
|
@@ -31,13 +31,17 @@ module AtomicLti
|
|
31
31
|
headers = { "Content-Type" => "text/html" }
|
32
32
|
Rack::Utils.set_cookie_header!(
|
33
33
|
headers, "#{OPEN_ID_COOKIE_PREFIX}storage",
|
34
|
-
{ value: "1", path: "/", max_age: 365.days, http_only: false, secure: true, same_site: "None" }
|
34
|
+
{ value: "1", path: "/", max_age: 365.days, http_only: false, secure: true, same_site: "None", partitioned: true }
|
35
35
|
)
|
36
36
|
Rack::Utils.set_cookie_header!(
|
37
37
|
headers, "#{OPEN_ID_COOKIE_PREFIX}#{state}",
|
38
|
-
{ value: 1, path: "/", max_age: 1.minute, http_only: false, secure: true, same_site: "None" }
|
38
|
+
{ value: 1, path: "/", max_age: 1.minute, http_only: false, secure: true, same_site: "None", partitioned: true }
|
39
39
|
)
|
40
40
|
|
41
|
+
# Ensure our cookies are partitioned. This can be removed once our Rack version
|
42
|
+
# understands the partitioned: argument above.
|
43
|
+
headers[Rack::SET_COOKIE] = partition_cookies(headers[Rack::SET_COOKIE])
|
44
|
+
|
41
45
|
redirect_uri = [request.base_url, AtomicLti.oidc_redirect_path].join
|
42
46
|
response_url = build_oidc_response(request, state, nonce, redirect_uri)
|
43
47
|
|
@@ -111,6 +115,13 @@ module AtomicLti
|
|
111
115
|
target_link_uri = id_token_decoded[AtomicLti::Definitions::TARGET_LINK_URI_CLAIM] ||
|
112
116
|
File.join("#{uri.scheme}://#{uri.host}", AtomicLti.default_deep_link_path)
|
113
117
|
|
118
|
+
target = URI.parse(target_link_uri)
|
119
|
+
|
120
|
+
# Optionally update the target link host to match the redirect host
|
121
|
+
if AtomicLti.update_target_link_host && target.host != uri.host
|
122
|
+
target.host = uri.host
|
123
|
+
end
|
124
|
+
|
114
125
|
# We want to strip out the redirect path params from the request params
|
115
126
|
# so that we can support having the redirect path be the same as the
|
116
127
|
# launch path, only differentiated by a query parameter. This is needed
|
@@ -131,7 +142,7 @@ module AtomicLti
|
|
131
142
|
template: "atomic_lti/shared/redirect",
|
132
143
|
assigns: {
|
133
144
|
launch_params: launch_params,
|
134
|
-
launch_url:
|
145
|
+
launch_url: target,
|
135
146
|
},
|
136
147
|
)
|
137
148
|
|
@@ -363,5 +374,30 @@ module AtomicLti
|
|
363
374
|
platformOIDCUrl: platform.oidc_url,
|
364
375
|
}.compact
|
365
376
|
end
|
377
|
+
|
378
|
+
def partition_cookies(header)
|
379
|
+
# Some versions of rack add multiple cookies as a newline-separated string, and others
|
380
|
+
# as an array of strings.
|
381
|
+
case header
|
382
|
+
when String
|
383
|
+
header.split("\n").map do |cookie|
|
384
|
+
if !cookie.match? /partitioned/i
|
385
|
+
"#{cookie}; partitioned"
|
386
|
+
else
|
387
|
+
cookie
|
388
|
+
end
|
389
|
+
end.join("\n")
|
390
|
+
when Array
|
391
|
+
header.map do |cookie|
|
392
|
+
if !cookie.match? /partitioned/i
|
393
|
+
"#{cookie}; partitioned"
|
394
|
+
else
|
395
|
+
cookie
|
396
|
+
end
|
397
|
+
end
|
398
|
+
else
|
399
|
+
header
|
400
|
+
end
|
401
|
+
end
|
366
402
|
end
|
367
403
|
end
|
data/lib/atomic_lti/version.rb
CHANGED
data/lib/atomic_lti.rb
CHANGED
@@ -32,6 +32,12 @@ module AtomicLti
|
|
32
32
|
# requires this, but Canvas doesn't currently support it.
|
33
33
|
mattr_accessor :set_post_message_origin, default: false
|
34
34
|
|
35
|
+
# Set to true to update the target link uri host to match the oidc redirect host.
|
36
|
+
# Enable this when a single LTI install needs to support launches across multiple hosts.
|
37
|
+
# Setting this avoids state validation problems on launch since state cookies and
|
38
|
+
# postMessage storage won't work across different hosts.
|
39
|
+
mattr_accessor :update_target_link_host, default: false
|
40
|
+
|
35
41
|
mattr_accessor :privacy_policy_url, default: "#"
|
36
42
|
mattr_accessor :privacy_policy_message, default: nil
|
37
43
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: atomic_lti
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Matt Petro
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date:
|
13
|
+
date: 2024-01-26 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: pg
|
@@ -133,7 +133,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
133
133
|
- !ruby/object:Gem::Version
|
134
134
|
version: '0'
|
135
135
|
requirements: []
|
136
|
-
rubygems_version: 3.4.
|
136
|
+
rubygems_version: 3.4.10
|
137
137
|
signing_key:
|
138
138
|
specification_version: 4
|
139
139
|
summary: AtomicLti implements the LTI Advantage specification.
|