canvas_lti_third_party_cookies 0.2.0 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 18685ffb4c05fd45f61a6e2e739fe93b4b2e9e8573e72eb07bb8d026cdb7889d
-  data.tar.gz: 1cf0160c9d86c39975abb6b64f24ca518ea052625738c904876103ad565a6e01
+  metadata.gz: 8d622f96431568706549721c48a8cab10edd7f21790f739d612f2af1e649a686
+  data.tar.gz: b0a008358a161f117a9c828975ac40e642a93af253cbd34b4ae3f2abf4890efb
 SHA512:
-  metadata.gz: e770cba91ab52316550435e6f1bac4708b292b834f73ea5028da56ec92f6d86d7107f7f0f77c6c0e8da9bc8624b59cc40c837ca32cf0cc19e4215ff164dad249
-  data.tar.gz: 3a3f448a4ed8ff5e401d913c913207943576c5335c10299d29aad5c08859f581f5e58f2e42bb98cc0aa44ad080f5f41b99d58971ba0546e41c70ba0eeb8653b3
+  metadata.gz: 076670fa98327844ceee397d68e346179d326839b831454b80c94e68a1866c43a58873d9b1c1d6032258c21e0be38d44164bd831f7a4287d7a8d9daf519688ee
+  data.tar.gz: 4d70af2daa01fc4fb262c01c186f581c81db4fe32c3bf7c025050fe4d9e149bd70c3430e7ce1f8f05cfaab245e3a4df4adae7a09b5b42ba6a13370dca237ed74

data/README.md

@@ -25,19 +25,29 @@ below to run on that action, and pass the data needed.
 Usually, only query parameters *or* form data is needed, not both.
 
 ```ruby
-include LtiThirdPartyCookies::SafariLaunch
+include CanvasLtiThirdPartyCookies::SafariLaunch
 #...
 before_action -> { 
   handle_safari_launch(launch_url: action_url, launch_params: { foo: bar }, launch_data: { foo: baz })
 }
 ```
 
+This will launch the tool multiple times, and also redirect the user back to Canvas when needed. For more information on the detailed tool
+launches, see the comments in `app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb`.
+
+Note that the tool will be relaunched from within this method once Storage Access is granted and pass all parameters from the previous
+Canvas launch, which will break JWT nonce verification since it will detect the nonce has already been used. 
+
+To combat this, this gem provides the `should_ignore_nonce?` method so that your tool can ignore the nonce verification for that
+specific launch. Normally, ignoring a duplicate nonce can lead to replay attacks. This method will only return true if the request's
+`Referer` header matches the tool's domain, which only happens in this last internal redirect.
+
 ## Installation
 Add this line to your application's Gemfile:
 
 ```ruby
 # Set 3rd party cookies in Safari
-gem 'canvas_lti_third_party_cookies', '~> 0.2.0'
+gem 'canvas_lti_third_party_cookies'
 ```
 
 And then execute:
@@ -49,4 +59,12 @@ $ bundle install
 
 ```bash
 $ rails test
-```
+```
+
+## Publishing New Versions
+
+1. Bump the version in `lib/canvas_lti_third_party_cookies/version.rb`.
+2. Commit, push, and merge that change.
+3. `rake install`
+4. `gem push pkg/canvas_lti_third_party_cookies-<version>.gem`
+  - note that this will only work if you have access

data/app/controllers/concerns/{lti_third_party_cookies → canvas_lti_third_party_cookies}/safari_launch.rb

@@ -1,6 +1,6 @@
 require 'browser'
 
-module LtiThirdPartyCookies::SafariLaunch
+module CanvasLtiThirdPartyCookies::SafariLaunch
   extend ActiveSupport::Concern
 
   # this needs to be called as a before_action on the route that launches the tool
@@ -12,31 +12,25 @@ module LtiThirdPartyCookies::SafariLaunch
   # the `launch_data` parameter is optional, and should contain
   #   all needed form data that the tool requires to launch.
   # example:
-  # include LtiThirdPartyCookies::SafariLaunch
+  # include CanvasLtiThirdPartyCookies::SafariLaunch
   # ...
   # before_action -> { 
   #   handle_safari_launch(launch_url: action_url, launch_params: { foo: bar }, launch_data: { foo: baz })
   # }
   def handle_safari_launch(launch_url:, launch_params: {}, launch_data: {})
-    browser = Browser.new(request.headers["User-Agent"])
-    # detect both MacOS and iOS Safari
-    return unless browser.safari? || (browser.webkit? && browser.platform.ios?)
+    return unless is_safari?
 
     # Safari launch #4: Storage Access has been granted,
-    #   so launch the app normally.
-    if params[:storage_access_status].present?
-      # remove from request directly instead of only from `params` so that
-      # the tool *really* doesn't have to worry about this being present
-      request.request_parameters.delete(:storage_access_status)
-      return
-    end
+    #   so launch the app normally. Note that this is not an actual LTI launch, but
+    #   just opaquely passing on the data from launch #3.
+    return if params[:storage_access_status].present?
 
     # Safari launch #2: Full-window launch, solely for first-party user interaction.
     #   During a full-window launch, Canvas provides a :platform_redirect_url that
     #   will launch the tool again within an iframe in Canvas. (#3)
     if params[:platform_redirect_url].present?
       return render(
-        'lti_third_party_cookies/full_window_launch',
+        'canvas_lti_third_party_cookies/full_window_launch',
         locals: { platform_redirect_url: params[:platform_redirect_url] }
       )
     end
@@ -48,7 +42,7 @@ module LtiThirdPartyCookies::SafariLaunch
     # Pass along any parameters provided by the tool that are needed to launch correctly,
     # and tell the tool that it has Storage Access.
     render(
-      'lti_third_party_cookies/request_storage_access',
+      'canvas_lti_third_party_cookies/request_storage_access',
       locals: {
         launch_url: launch_url,
         relaunch_url: relaunch_url(launch_url, launch_params),
@@ -57,8 +51,24 @@ module LtiThirdPartyCookies::SafariLaunch
     )
   end
 
+  # Safari launch #4 (described above) is actually an internal opaque redirect of launch #3
+  # and not a real Canvas LTI launch, so the id_token (and specifically the nonce inside)
+  # is exactly the same. Normally, ignoring the nonce is a Bad Idea since it can allow
+  # replay attacks, but for this specific situation (the request is an internal redirect)
+  # it's a sufficient hack.
+  def should_ignore_nonce?
+    referer = URI.parse(request.referer)
+    is_safari? && params[:storage_access_status] == "granted" && referer.host == request.host && referer.port == request.port
+  end
+
   private
 
+  def is_safari?
+    browser = Browser.new(request.headers["User-Agent"])
+    # detect both MacOS and iOS Safari
+    browser.safari? || (browser.webkit? && browser.platform.ios?)
+  end
+
   def relaunch_url(launch_url, launch_params)
     return launch_url if launch_params.empty?
     "#{launch_url}?#{launch_params.to_query}"

data/app/views/{lti_third_party_cookies → canvas_lti_third_party_cookies}/full_window_launch.erb

@@ -70,6 +70,7 @@
   <div class="flex-item">
     <p>Occasionally, Safari requires you to launch this app outside of Canvas before logging in.</p>
     <p>This setup is now complete, and Canvas can now relaunch this app.</p>
+    <p>In some cases, you may need to relaunch this app yourself.</p>
   </div>
   
   <div class="flex-item">

data/app/views/{lti_third_party_cookies → canvas_lti_third_party_cookies}/request_storage_access.erb

@@ -99,6 +99,8 @@
     <p>Safari requires your interaction with this app before logging you in.</p>
     <p>A dialog may appear asking you to allow this app to use cookies while browsing Canvas.</p>
     <p>For the best experience, click Allow.</p>
+    <p>A dialog may also appear asking you to navigate somewhere else.</p>
+    <p>If it does, save your work first and then click Leave Page.</p>
   </div>
   
   <div class="flex-item">

data/lib/canvas_lti_third_party_cookies.rb

@@ -0,0 +1,4 @@
+require "canvas_lti_third_party_cookies/engine"
+
+module CanvasLtiThirdPartyCookies
+end

data/lib/canvas_lti_third_party_cookies/engine.rb

@@ -0,0 +1,5 @@
+module CanvasLtiThirdPartyCookies
+  class Engine < ::Rails::Engine
+    isolate_namespace CanvasLtiThirdPartyCookies
+  end
+end

data/lib/canvas_lti_third_party_cookies/version.rb

@@ -0,0 +1,3 @@
+module CanvasLtiThirdPartyCookies
+  VERSION = '0.3.3'
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: canvas_lti_third_party_cookies
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.3
 platform: ruby
 authors:
 - Xander Moffatt
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-15 00:00:00.000000000 Z
+date: 2021-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -75,19 +75,18 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- app/controllers/concerns/lti_third_party_cookies/safari_launch.rb
+- app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb
+- app/views/canvas_lti_third_party_cookies/full_window_launch.erb
+- app/views/canvas_lti_third_party_cookies/request_storage_access.erb
 - app/views/layouts/application.html.erb
-- app/views/lti_third_party_cookies/full_window_launch.erb
-- app/views/lti_third_party_cookies/request_storage_access.erb
-- config/routes.rb
-- lib/lti_third_party_cookies.rb
-- lib/lti_third_party_cookies/engine.rb
-- lib/lti_third_party_cookies/version.rb
+- lib/canvas_lti_third_party_cookies.rb
+- lib/canvas_lti_third_party_cookies/engine.rb
+- lib/canvas_lti_third_party_cookies/version.rb
 homepage: https://gerrit.instructure.com/#/admin/projects/lti_third_party_cookies
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -103,7 +102,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.0.1
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Allow LTI tools launched by Canvas to set 3rd party cookies in Safari 13.1+
 test_files: []

data/config/routes.rb

@@ -1,2 +0,0 @@
-Rails.application.routes.draw do
-end

data/lib/lti_third_party_cookies.rb

@@ -1,4 +0,0 @@
-require "lti_third_party_cookies/engine"
-
-module LtiThirdPartyCookies
-end

data/lib/lti_third_party_cookies/engine.rb

@@ -1,5 +0,0 @@
-module LtiThirdPartyCookies
-  class Engine < ::Rails::Engine
-    isolate_namespace LtiThirdPartyCookies
-  end
-end

data/lib/lti_third_party_cookies/version.rb

@@ -1,3 +0,0 @@
-module LtiThirdPartyCookies
-  VERSION = '0.2.0'
-end