canvas_lti_third_party_cookies 0.3.3 → 1.0.1

data/app/assets/javascripts/canvas_lti_third_party_cookies/relaunch_on_login.js

@@ -0,0 +1,77 @@
+const getRelaunchElement = (id) => document.getElementById(`relaunch-${id}`);
+const hide = (el) => (el.style.display = "none");
+const show = (el) => (el.style.display = "flex"); // normally this is 'block', but the containers need to be 'flex'
+const COOKIE_NAME = "can_set_cookies";
+
+const openNewWindow = ({ window_type, form_target, width, height }) => {
+  switch (window_type) {
+    case "popup": {
+      return window.open(
+        "",
+        form_target,
+        "toolbar=no,menubar=no,location=no,status=no,resizable,scrollbars," +
+          `width=${width},height=${height}`
+      );
+    }
+    case "new_window": {
+      return window.open("", form_target);
+    }
+  }
+};
+
+const relaunchOnLogin = () => {
+  const { window_type, form_target, width, height } = window.ENV;
+
+  const successMessageEl = getRelaunchElement("success");
+  const retryMessageEl = getRelaunchElement("retry");
+  const relaunchFormEl = getRelaunchElement("form");
+  const retryButtonEl = getRelaunchElement("request");
+
+  // set a test cookie, both with and without same-site none
+  // this will work for local development and deployed environments
+  document.cookie = `${COOKIE_NAME}=true; path=/;`;
+  document.cookie = `${COOKIE_NAME}=true; path=/; samesite=none; secure`;
+  if (
+    document.cookie.split(";").some((cookie) => cookie.includes(COOKIE_NAME))
+  ) {
+    // setting cookies works, remove test cookie and continue login flow inline
+    document.cookie = `${COOKIE_NAME}=; path=/; expires=Thu, 01 Jan 1970 00:00:01 GMT`;
+    document.getElementById("redirect-form").submit();
+    return;
+  }
+
+  // open in new tab and restart login flow
+  show(successMessageEl);
+  const newWindow = openNewWindow({ window_type, form_target, width, height });
+
+  if (newWindow) {
+    // tool opened successfully, POST login form data to opened window
+    relaunchFormEl.submit();
+    return;
+  }
+
+  // tool open blocked, tell user to allow popups and try again
+  show(retryMessageEl);
+  hide(successMessageEl);
+
+  retryButtonEl.addEventListener("click", () => {
+    // open tool and POST login data again
+    openNewWindow({ window_type, form_target, width, height });
+    relaunchFormEl.submit();
+
+    show(successMessageEl);
+    hide(retryMessageEl);
+  });
+};
+
+// run on page load
+document.addEventListener("DOMContentLoaded", relaunchOnLogin);
+
+// exported for testing only
+module.exports = {
+  COOKIE_NAME,
+  openNewWindow,
+  hide,
+  show,
+  relaunchOnLogin,
+};

data/app/assets/stylesheets/canvas_lti_third_party_cookies/relaunch_on_login.css

@@ -0,0 +1,52 @@
+.flex-container {
+  display: none;
+  flex-direction: column;
+  height: 100%;
+  font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans",
+    "Helvetica Neue", Arial, sans-serif;
+  font-size: 1.1rem;
+  padding: 0 24px;
+}
+
+.flex-item {
+  margin-bottom: 10px;
+  text-align: center;
+}
+
+.flex-container div:first-child {
+  margin-top: 24px;
+}
+
+p {
+  margin: 0 0 0.5em 0;
+}
+
+button {
+  background: #008ee2;
+  color: #ffffff;
+  border: 1px solid;
+  border-color: #0079c1;
+  border-radius: 3px;
+  transition: background-color 0.2s ease-in-out;
+  display: inline-block;
+  position: relative;
+  padding: 8px 14px;
+  margin-bottom: 0;
+  font-size: 16px;
+  font-size: 1rem;
+  line-height: 20px;
+  text-align: center;
+  vertical-align: middle;
+  cursor: pointer;
+  text-decoration: none;
+  overflow: hidden;
+  text-shadow: none;
+  -webkit-user-select: none;
+  -moz-user-select: none;
+  user-select: none;
+}
+
+img {
+  width: 100px;
+  height: 100px;
+}

data/app/controllers/concerns/canvas_lti_third_party_cookies/relaunch_on_login.rb

@@ -0,0 +1,84 @@
+module CanvasLtiThirdPartyCookies::RelaunchOnLogin
+  extend ActiveSupport::Concern
+
+  # this should replace your previous login render call, at the end of your login action.
+  #
+  # `redirect_url` (required): the authorization redirect URL to continue the login flow
+  #
+  # `redirect_data` (required): all form data required for the authorization redirect, which
+  # the previous login render call should have included in a form tag.
+  #
+  # `window_type`: (optional) Set to `:new_window` to open the tool in a
+  # new tab or window, or to `:popup` to open in a popup window.
+  # Defaults to `:new_window`.
+  #
+  # `width`: (optional) The width the popup window should be, in px. User
+  # has the discretion to ignore this. Only valid with window_type: popup.
+  # Defaults to 800px.
+  #
+  # `height`: (optional) The height the popup window should be, in px. User
+  # has the discretion to ignore this. Only valid with window_type: popup.
+  # Defaults to 600px.
+  #
+  # example:
+  # include CanvasLtiThirdPartyCookies::RelaunchOnLogin
+  # ...
+  # def login
+  #   state, nonce = create_and_cache_state # handled elsewhere
+  #   redirect_url = 'http://canvas.instructure.com/api/lti/authorize_redirect'
+  #   redirect_data = {
+  #     scope: 'openid',
+  #     response_type: 'id_token',
+  #     response_mode: 'form_post',
+  #     prompt: 'none',
+  #     redirect_uri: redirect_uri, # the launch url of the tool
+  #     client_id: params.require(:client_id),
+  #     login_hint: params.require(:login_hint),
+  #     lti_message_hint: params.require(:lti_message_hint),
+  #     state: state,
+  #     nonce: nonce
+  #   }
+  #
+  #   relaunch_on_login(redirect_url, redirect_data)
+  # end
+  def relaunch_on_login(redirect_url, redirect_data, window_type: :new_window, width: 800, height: 600)
+    raise ArgumentError.new("window_type must be either :new_window or :popup") unless [:new_window, :popup].include? window_type
+
+    I18n.locale = calculate_locale
+    form_target = 'login_relaunch'
+    render(
+      'canvas_lti_third_party_cookies/relaunch_on_login',
+      locals: {
+        redirect_url: redirect_url,
+        redirect_data: redirect_data,
+        relaunch_url: request.url,
+        relaunch_data: params.permit(:canvas_region, :client_id, :iss, :login_hint, :lti_message_hint, :target_link_uri),
+        form_target: form_target,
+        window_type: window_type,
+        js_env: {
+          form_target: form_target,
+          window_type: window_type,
+          width: width,
+          height: height
+        }
+      }
+    )
+  end
+
+  def calculate_locale
+    decoded_jwt = params[:lti_message_hint] ? JSON::JWT.decode(params[:lti_message_hint], :skip_verification) : {}
+    if decoded_jwt['canvas_locale']
+      # this is essentially the same logic as language_region_compatible_from below
+      # example: 'en-AU', 'da-x-k12', 'ru', 'zh-Hant'
+      full_locale = decoded_jwt['canvas_locale'].to_sym
+      return full_locale if I18n.available_locales.include?(full_locale)
+
+      # The exact locale is not available, let's trim it down if possible
+      # example: 'en', 'da', 'ru', 'zh'
+      trimmed_locale = decoded_jwt['canvas_locale'][0..1].to_sym
+      return trimmed_locale if I18n.available_locales.include?(trimmed_locale)
+    end
+
+    http_accept_language.language_region_compatible_from(I18n.available_locales) || I18n.default_locale
+  end
+end

data/app/views/canvas_lti_third_party_cookies/_cookie_message.erb

@@ -0,0 +1,11 @@
+<div id="<%= id %>" class="flex-container">
+  <div class="flex-item">
+    <%= image_tag "canvas_lti_third_party_cookies/cookies.svg" %>
+  </div>
+
+  <div class="flex-item">
+    <h3><%= I18n.t "It looks like your browser doesn't like cookies." %></h3>
+  </div>
+
+  <%= yield %>
+</div>

data/app/views/canvas_lti_third_party_cookies/relaunch_on_login.erb

@@ -0,0 +1,49 @@
+<%= stylesheet_link_tag 'canvas_lti_third_party_cookies/relaunch_on_login' %>
+<%= javascript_tag do %>
+  window.ENV = <%= js_env.to_json.html_safe %>
+<% end %>
+<%= javascript_include_tag 'canvas_lti_third_party_cookies/relaunch_on_login' %>
+
+<%# when submitted, continue to login flow step 2: redirect back to Canvas for authentication %>
+<%= form_tag(redirect_url, method: :post, id: 'redirect-form') do %>
+  <% redirect_data.each do |k, v| %>
+    <%= hidden_field_tag(k, v) %>
+  <% end %>
+<% end %>
+
+<%# when submitted, replay login flow step 1 in a new window %>
+<%# the target attribute tells the form to POST in the window matching that target, which is opened below %>
+<%= form_tag(relaunch_url, method: :post, id: 'relaunch-form', target: form_target) do %>
+  <% relaunch_data.each do |k, v| %>
+    <%= hidden_field_tag(k, v) %>
+  <% end %>
+<% end %>
+
+<%# default message to display on new window launch; hidden by default %>
+<%= render 'canvas_lti_third_party_cookies/cookie_message', id: 'relaunch-success' do %>
+  <div class="flex-item">
+    <p><%= I18n.t "Some browsers block third-party cookies by default, which this app relies on for launch and sign-in features." %></p>
+    <p><%= window_type == :new_window ?
+      I18n.t("This app has opened in a new tab, so that it can set its own cookies.") :
+      I18n.t("This app has opened in a popup window, so that it can set its own cookies.")
+    %></p>
+  </div>
+<% end %>
+
+<%# message displayed when popups are blocked; hidden by default %>
+<%= render 'canvas_lti_third_party_cookies/cookie_message', id: 'relaunch-retry' do %>
+  <div class="flex-item">
+    <p><%= I18n.t "Some browsers block third-party cookies by default, which this app relies on for launch and sign-in features." %></p>
+    <p><%= window_type == :new_window ?
+      I18n.t("Launching this app in a new tab, separate from Canvas, will allow the app to set its own cookies.") :
+      I18n.t("Launching this app in a popup window, separate from Canvas, will allow the app to set its own cookies.")
+    %></p>
+    <p><%= I18n.t "To open the app, make sure your browser allows popups for this page and try again." %></p>
+  </div>
+
+  <div class="flex-item">
+    <button id="relaunch-request">
+      <%= window_type == :new_window ? I18n.t("Open in New Tab") : I18n.t("Open in Popup Window")%>
+    </button>
+  </div>
+<% end %>

data/lib/canvas_lti_third_party_cookies/engine.rb

@@ -1,5 +1,23 @@
+require 'i18nliner'
+require 'http_accept_language'
+require 'json/jwt'
+
 module CanvasLtiThirdPartyCookies
   class Engine < ::Rails::Engine
     isolate_namespace CanvasLtiThirdPartyCookies
+
+    initializer "CanvasLtiThirdPartyCookies.assets.precompile" do |app|
+      app.config.assets.precompile += %w(
+        canvas_lti_third_party_cookies/relaunch_on_login.js
+        canvas_lti_third_party_cookies/relaunch_on_login.css
+        canvas_lti_third_party_cookies/cookies.svg
+      )
+    end
+
+    initializer "CanvasLtiThirdPartyCookies.i18n.locale" do |app|
+      app.config.i18n.load_path += Dir[root.join('config','locales','*.yml')]
+      app.config.i18n.default_locale = :en
+      app.config.i18n.fallbacks = true
+    end
   end
 end

data/lib/canvas_lti_third_party_cookies/version.rb

@@ -1,3 +1,3 @@
 module CanvasLtiThirdPartyCookies
-  VERSION = '0.3.3'
+  VERSION = '1.0.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: canvas_lti_third_party_cookies
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 1.0.1
 platform: ruby
 authors:
 - Xander Moffatt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-10 00:00:00.000000000 Z
+date: 2022-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -16,40 +16,62 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: '6.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.2.1
+        version: 6.1.4.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: '6.1'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.2.1
+        version: 6.1.4.2
 - !ruby/object:Gem::Dependency
-  name: browser
+  name: i18nliner
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
-    - - ">="
+        version: 0.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.6.1
+        version: 1.13.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.6'
-    - - ">="
+        version: 1.13.0
+- !ruby/object:Gem::Dependency
+  name: http_accept_language
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.6.1
+        version: 2.1.1
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -75,9 +97,12 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb
-- app/views/canvas_lti_third_party_cookies/full_window_launch.erb
-- app/views/canvas_lti_third_party_cookies/request_storage_access.erb
+- app/assets/images/canvas_lti_third_party_cookies/cookies.svg
+- app/assets/javascripts/canvas_lti_third_party_cookies/relaunch_on_login.js
+- app/assets/stylesheets/canvas_lti_third_party_cookies/relaunch_on_login.css
+- app/controllers/concerns/canvas_lti_third_party_cookies/relaunch_on_login.rb
+- app/views/canvas_lti_third_party_cookies/_cookie_message.erb
+- app/views/canvas_lti_third_party_cookies/relaunch_on_login.erb
 - app/views/layouts/application.html.erb
 - lib/canvas_lti_third_party_cookies.rb
 - lib/canvas_lti_third_party_cookies/engine.rb
@@ -101,7 +126,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: Allow LTI tools launched by Canvas to set 3rd party cookies in Safari 13.1+

data/app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb

@@ -1,76 +0,0 @@
-require 'browser'
-
-module CanvasLtiThirdPartyCookies::SafariLaunch
-  extend ActiveSupport::Concern
-
-  # this needs to be called as a before_action on the route that launches the tool
-  # and the tool is required to pass some parameters to this method.
-  # the `launch_url` parameter is required, which should be the route
-  #   that launches the tool.
-  # the `launch_params` parameter is optional, and should contain
-  #   all needed query parameters that the tool requires to launch.
-  # the `launch_data` parameter is optional, and should contain
-  #   all needed form data that the tool requires to launch.
-  # example:
-  # include CanvasLtiThirdPartyCookies::SafariLaunch
-  # ...
-  # before_action -> { 
-  #   handle_safari_launch(launch_url: action_url, launch_params: { foo: bar }, launch_data: { foo: baz })
-  # }
-  def handle_safari_launch(launch_url:, launch_params: {}, launch_data: {})
-    return unless is_safari?
-
-    # Safari launch #4: Storage Access has been granted,
-    #   so launch the app normally. Note that this is not an actual LTI launch, but
-    #   just opaquely passing on the data from launch #3.
-    return if params[:storage_access_status].present?
-
-    # Safari launch #2: Full-window launch, solely for first-party user interaction.
-    #   During a full-window launch, Canvas provides a :platform_redirect_url that
-    #   will launch the tool again within an iframe in Canvas. (#3)
-    if params[:platform_redirect_url].present?
-      return render(
-        'canvas_lti_third_party_cookies/full_window_launch',
-        locals: { platform_redirect_url: params[:platform_redirect_url] }
-      )
-    end
-
-    # Safari launch #1: request Storage Access, then relaunch the tool. (#4)
-    #   If request fails, request a full window launch instead. (#2)
-    # Safari launch #3: Relaunched by Canvas after full-window launch,
-    #   request Storage Access and then relaunch the tool. (#4)
-    # Pass along any parameters provided by the tool that are needed to launch correctly,
-    # and tell the tool that it has Storage Access.
-    render(
-      'canvas_lti_third_party_cookies/request_storage_access',
-      locals: {
-        launch_url: launch_url,
-        relaunch_url: relaunch_url(launch_url, launch_params),
-        launch_data: launch_data.merge({ storage_access_status: "granted"})
-      }
-    )
-  end
-
-  # Safari launch #4 (described above) is actually an internal opaque redirect of launch #3
-  # and not a real Canvas LTI launch, so the id_token (and specifically the nonce inside)
-  # is exactly the same. Normally, ignoring the nonce is a Bad Idea since it can allow
-  # replay attacks, but for this specific situation (the request is an internal redirect)
-  # it's a sufficient hack.
-  def should_ignore_nonce?
-    referer = URI.parse(request.referer)
-    is_safari? && params[:storage_access_status] == "granted" && referer.host == request.host && referer.port == request.port
-  end
-
-  private
-
-  def is_safari?
-    browser = Browser.new(request.headers["User-Agent"])
-    # detect both MacOS and iOS Safari
-    browser.safari? || (browser.webkit? && browser.platform.ios?)
-  end
-
-  def relaunch_url(launch_url, launch_params)
-    return launch_url if launch_params.empty?
-    "#{launch_url}?#{launch_params.to_query}"
-  end
-end

data/app/views/canvas_lti_third_party_cookies/full_window_launch.erb

@@ -1,80 +0,0 @@
-<%= javascript_tag do -%>
-  document.addEventListener("DOMContentLoaded", () => {
-    document.getElementById("redirect").addEventListener("click", () => {
-      window.location.replace("<%= platform_redirect_url %>");
-    });
-  });
-<% end %>
-<style type="text/css">
-  .flex-container {
-    display: flex;
-    flex-direction: column;
-    height: 100%;
-    font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif;
-    font-size: 1.1em;
-    padding: 0 75px 0 75px;
-  }
-
-  .flex-item {
-    margin-bottom: 10px;
-    text-align: center;
-  }
-
-  .first {
-    margin-top: 50px;
-  }
-
-  p {
-    margin: 0 0 0.5em 0;
-  }
-
-  button {
-    background: #008EE2;
-    color: #ffffff;
-    border: 1px solid;
-    border-color: #0079C1;
-    border-radius: 3px;
-    transition: background-color 0.2s ease-in-out;
-    display: inline-block;
-    position: relative;
-    padding: 8px 14px;
-    margin-bottom: 0;
-    font-size: 16px;
-    font-size: 1rem;
-    line-height: 20px;
-    text-align: center;
-    vertical-align: middle;
-    cursor: pointer;
-    text-decoration: none;
-    overflow: hidden;
-    text-shadow: none;
-    -webkit-user-select: none;
-    -moz-user-select: none;
-  }
-
-  #safari-logo {
-    width: 100px;
-    height: 100px;
-  }
-</style>
-
-<div class="flex-container">
-  <div class="flex-item first">
-    <img id="safari-logo" src="https://upload.wikimedia.org/wikipedia/commons/5/52/Safari_browser_logo.svg" alt="Safari Logo" />
-  </div>
-
-  <div class="flex-item">
-    <strong>It looks like you are using Safari.</strong>
-  </div>
-
-  <div class="flex-item">
-    <p>Occasionally, Safari requires you to launch this app outside of Canvas before logging in.</p>
-    <p>This setup is now complete, and Canvas can now relaunch this app.</p>
-    <p>In some cases, you may need to relaunch this app yourself.</p>
-  </div>
-  
-  <div class="flex-item">
-     <button id="redirect">Relaunch App in Canvas</button>
-  </div>
-  <div>
-</div>