canvas_lti_third_party_cookies 0.3.0 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 890865e3f76d11ffcb3c1e203b7b507c068127b0b2cba1455fdf0fa558ef96f8
|
|
4
|
+
data.tar.gz: 197439ea71f9dd99b21235358022f7c324f86fdec4e03ce93c7f28201dfc2d83
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8c7001cbfb01825b8a475ed48f15cfdd3e962ce5fcda789f1a211a1445c5d75e8f171982a7e7c4ed954e43a22f393f781be9a9e15fbfee97122e7f8438cac9d6
|
|
7
|
+
data.tar.gz: 8a4a17fc88a70d26b57ea6862bdbd9f71bd2ec21cfa548e42868d4dec3167be6d24471c29ed346e03dfa8900ff6b4e08849084519160ce8f78f5a8a927bd59b5
|
data/README.md
CHANGED
|
@@ -32,6 +32,16 @@ before_action -> {
|
|
|
32
32
|
}
|
|
33
33
|
```
|
|
34
34
|
|
|
35
|
+
This will launch the tool multiple times, and also redirect the user back to Canvas when needed. For more information on the detailed tool
|
|
36
|
+
launches, see the comments in `app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb`.
|
|
37
|
+
|
|
38
|
+
Note that the tool will be relaunched from within this method once Storage Access is granted and pass all parameters from the previous
|
|
39
|
+
Canvas launch, which will break JWT nonce verification since it will detect the nonce has already been used.
|
|
40
|
+
|
|
41
|
+
To combat this, this gem provides the `should_ignore_nonce?` method so that your tool can ignore the nonce verification for that
|
|
42
|
+
specific launch. Normally, ignoring a duplicate nonce can lead to replay attacks. This method will only return true if the request's
|
|
43
|
+
`Referer` header matches the tool's domain, which only happens in this last internal redirect.
|
|
44
|
+
|
|
35
45
|
## Installation
|
|
36
46
|
Add this line to your application's Gemfile:
|
|
37
47
|
|
|
@@ -49,4 +59,12 @@ $ bundle install
|
|
|
49
59
|
|
|
50
60
|
```bash
|
|
51
61
|
$ rails test
|
|
52
|
-
```
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
## Publishing New Versions
|
|
65
|
+
|
|
66
|
+
1. Bump the version in `lib/canvas_lti_third_party_cookies/version.rb`.
|
|
67
|
+
2. Commit, push, and merge that change.
|
|
68
|
+
3. `rake install`
|
|
69
|
+
4. `gem push pkg/canvas_lti_third_party_cookies-<version>.gem`
|
|
70
|
+
- note that this will only work if you have access
|
|
@@ -23,13 +23,9 @@ module CanvasLtiThirdPartyCookies::SafariLaunch
|
|
|
23
23
|
return unless browser.safari? || (browser.webkit? && browser.platform.ios?)
|
|
24
24
|
|
|
25
25
|
# Safari launch #4: Storage Access has been granted,
|
|
26
|
-
# so launch the app normally.
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
# the tool *really* doesn't have to worry about this being present
|
|
30
|
-
request.request_parameters.delete(:storage_access_status)
|
|
31
|
-
return
|
|
32
|
-
end
|
|
26
|
+
# so launch the app normally. Note that this is not an actual LTI launch, but
|
|
27
|
+
# just opaquely passing on the data from launch #3.
|
|
28
|
+
return if params[:storage_access_status].present?
|
|
33
29
|
|
|
34
30
|
# Safari launch #2: Full-window launch, solely for first-party user interaction.
|
|
35
31
|
# During a full-window launch, Canvas provides a :platform_redirect_url that
|
|
@@ -57,6 +53,15 @@ module CanvasLtiThirdPartyCookies::SafariLaunch
|
|
|
57
53
|
)
|
|
58
54
|
end
|
|
59
55
|
|
|
56
|
+
# Safari launch #4 (described above) is actually an internal opaque redirect of launch #3
|
|
57
|
+
# and not a real Canvas LTI launch, so the id_token (and specifically the nonce inside)
|
|
58
|
+
# is exactly the same. Normally, ignoring the nonce is a Bad Idea since it can allow
|
|
59
|
+
# replay attacks, but for this specific situation (the request is an internal redirect)
|
|
60
|
+
# it's a sufficient hack.
|
|
61
|
+
def should_ignore_nonce?
|
|
62
|
+
params[:storage_access_status] == "granted" && URI.parse(request.referer).host == request.host
|
|
63
|
+
end
|
|
64
|
+
|
|
60
65
|
private
|
|
61
66
|
|
|
62
67
|
def relaunch_url(launch_url, launch_params)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: canvas_lti_third_party_cookies
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Xander Moffatt
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-03-
|
|
11
|
+
date: 2021-03-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|