RubyGems - canvas_lti_third_party_cookies - Versions diffs - 0.3.3 → 0.4.0 - Mend

canvas_lti_third_party_cookies 0.3.3 → 0.4.0

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +22 -39
data/app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb +32 -48
data/app/views/canvas_lti_third_party_cookies/{request_storage_access.erb → prep_for_full_window_launch.erb} +23 -39
data/lib/canvas_lti_third_party_cookies/version.rb +1 -1
metadata +3 -4
data/app/views/canvas_lti_third_party_cookies/full_window_launch.erb +0 -80

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d622f96431568706549721c48a8cab10edd7f21790f739d612f2af1e649a686
-  data.tar.gz: b0a008358a161f117a9c828975ac40e642a93af253cbd34b4ae3f2abf4890efb
+  metadata.gz: 8d232d4448ee62b75121b20f70143f70f75e0ea38a83408b3ed42bb51ce41247
+  data.tar.gz: 44605463e21036992d5e0dadc1ac7180384e3f4186917e0139fe586c9451c936
 SHA512:
-  metadata.gz: 076670fa98327844ceee397d68e346179d326839b831454b80c94e68a1866c43a58873d9b1c1d6032258c21e0be38d44164bd831f7a4287d7a8d9daf519688ee
-  data.tar.gz: 4d70af2daa01fc4fb262c01c186f581c81db4fe32c3bf7c025050fe4d9e149bd70c3430e7ce1f8f05cfaab245e3a4df4adae7a09b5b42ba6a13370dca237ed74
+  metadata.gz: 65a832d626b6062a7f4982417681a267bab2d49a6d070e4aef5e99b28d947fdb9d22ba73fc51badc1ceb4a9a7b59e45b3f08f8998fb1c2a286d6ec3bebd440f9
+  data.tar.gz: 47b3da8ab13ac2b3b9e9fae11ccaba87344b2cce53d98edbe6f96250c37c54e98210b6d0345180adbd57e1990516c89f6eed8a6a9304a8abcd2e9ae44a9fe4dc

data/README.md CHANGED Viewed

@@ -1,47 +1,11 @@
 # canvas_lti_third_party_cookies
-Safari blocks all 3rd-party cookies by default, which breaks LTI tools that rely on setting cookies when launched in an iframe. Instead, it exposes a new API for getting user-permitted access to set cookies from an iframe, which works though requires jumping through some fun hoops.
-See this article for a detailed explanation: https://community.canvaslms.com/t5/Developers-Group/Safari-13-1-and-LTI-Integration/ba-p/273051
+Safari blocks all 3rd-party cookies by default, which breaks LTI tools that rely on setting cookies when launched in an iframe. Instead, it exposes a new API for getting user-permitted access to set cookies from an iframe, which unfortunately doesn't completely work for LTI use cases.
+See this article for a detailed explanation of the Storage Access API and previous attempts to launch LTI tools in Safari: https://community.canvaslms.com/t5/Developers-Group/Safari-13-1-and-LTI-Integration/ba-p/273051
-This gem wraps the Safari cookie dance in a Rails engine that can be easily used with one before_action callback. It is built for use with Canvas,
-which is responsible for some parts of this cookie dance, including launching the tool in a full-window 1st-party context, and providing a
-redirect url for the relaunch after the full-window launch is complete.
-This gem won't work without being launched from Canvas, or a Tool Consumer that implements the same `window.postMessage` listener as Canvas
+The current workaround that this gem implements is to relaunch the tool in a new tab, new window, or popup window, where it can set first-party cookies to it's heart's content. This gem won't work without being launched from Canvas, or a Tool Consumer that implements the same `window.postMessage` listener as Canvas
 does here: https://github.com/instructure/canvas-lms/blob/master/public/javascripts/lti/post_message/requestFullWindowLaunch.js
-## Usage
-Choose the Rails controller action that's used to launch your tool and set cookies. Set the before_action callback
-below to run on that action, and pass the data needed.
-* the `launch_url` parameter is required, which should be the route
-  that launches the tool.
-* the `launch_params` parameter is optional, and should contain
-  all needed query parameters that the tool requires to launch.
-* the `launch_data` parameter is optional, and should contain
-  all needed form data that the tool requires to launch.
-Usually, only query parameters *or* form data is needed, not both.
-```ruby
-include CanvasLtiThirdPartyCookies::SafariLaunch
-#...
-before_action -> {
-  handle_safari_launch(launch_url: action_url, launch_params: { foo: bar }, launch_data: { foo: baz })
-}
-```
-This will launch the tool multiple times, and also redirect the user back to Canvas when needed. For more information on the detailed tool
-launches, see the comments in `app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb`.
-Note that the tool will be relaunched from within this method once Storage Access is granted and pass all parameters from the previous
-Canvas launch, which will break JWT nonce verification since it will detect the nonce has already been used.
-To combat this, this gem provides the `should_ignore_nonce?` method so that your tool can ignore the nonce verification for that
-specific launch. Normally, ignoring a duplicate nonce can lead to replay attacks. This method will only return true if the request's
-`Referer` header matches the tool's domain, which only happens in this last internal redirect.
 ## Installation
 Add this line to your application's Gemfile:
@@ -55,6 +19,25 @@ And then execute:
 $ bundle install
 ```
+## Usage
+Choose the Rails controller action that's used to launch your tool and set cookies. Set the before_action callback
+below to run on that action, and pass the data needed.
+* `placement`: (required) Should be the Canvas placement that the tool was launched from, taken from the decoded id_token's `https://www.instructure.com/placement` claim.
+* `window_type`: (optional) Set to `:new_window` to open the tool in a new tab or window, or to `:popup` to open in a popup window.Defaults to `:new_window`.
+* `width`: (optional) The width the popup window should be, in px. User has the discretion to ignore this. Only valid with window_type: popup. Defaults to 800px.
+* `height`: (optional) The height the popup window should be, in px. User has the discretion to ignore this. Only valid with window_type: popup. Defaults to 600px.
+```ruby
+include CanvasLtiThirdPartyCookies::SafariLaunch
+#...
+before_action -> {
+  placement = decoded_id_token['https://www.instructure.com/placement']
+  handle_safari_launch(placement: placement, window_type: :popup)
+}
+```
 ## Testing
 ```bash

data/app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb CHANGED Viewed

@@ -5,72 +5,56 @@ module CanvasLtiThirdPartyCookies::SafariLaunch
   # this needs to be called as a before_action on the route that launches the tool
   # and the tool is required to pass some parameters to this method.
-  # the `launch_url` parameter is required, which should be the route
-  #   that launches the tool.
-  # the `launch_params` parameter is optional, and should contain
-  #   all needed query parameters that the tool requires to launch.
-  # the `launch_data` parameter is optional, and should contain
-  #   all needed form data that the tool requires to launch.
+  #
+  # `placement`: (required) Should be the Canvas placement that
+  # the tool was launched from, taken from the decoded id_token's
+  # `https://www.instructure.com/placement` claim.
+  #
+  # `window_type`: (optional) Set to `:new_window` to open the tool in a
+  # new tab or window, or to `:popup` to open in a popup window.
+  # Defaults to `:new_window`.
+  #
+  # `width`: (optional) The width the popup window should be, in px. User
+  # has the discretion to ignore this. Only valid with window_type: popup.
+  # Defaults to 800px.
+  #
+  # `height`: (optional) The height the popup window should be, in px. User
+  # has the discretion to ignore this. Only valid with window_type: popup.
+  # Defaults to 600px.
+  #
   # example:
   # include CanvasLtiThirdPartyCookies::SafariLaunch
   # ...
   # before_action -> {
-  #   handle_safari_launch(launch_url: action_url, launch_params: { foo: bar }, launch_data: { foo: baz })
+  #   placement = decoded_id_token['https://www.instructure.com/placement']
+  #   handle_safari_launch(placement: placement, window_type: :popup)
   # }
-  def handle_safari_launch(launch_url:, launch_params: {}, launch_data: {})
+  def handle_safari_launch(placement:, window_type: :new_window, width: nil, height: nil)
+    raise ArgumentError.new("window_type must be either :new_window or :popup") unless [:new_window, :popup].include? window_type
     return unless is_safari?
+    return if is_full_window_launch?
-    # Safari launch #4: Storage Access has been granted,
-    #   so launch the app normally. Note that this is not an actual LTI launch, but
-    #   just opaquely passing on the data from launch #3.
-    return if params[:storage_access_status].present?
-    # Safari launch #2: Full-window launch, solely for first-party user interaction.
-    #   During a full-window launch, Canvas provides a :platform_redirect_url that
-    #   will launch the tool again within an iframe in Canvas. (#3)
-    if params[:platform_redirect_url].present?
-      return render(
-        'canvas_lti_third_party_cookies/full_window_launch',
-        locals: { platform_redirect_url: params[:platform_redirect_url] }
-      )
-    end
-    # Safari launch #1: request Storage Access, then relaunch the tool. (#4)
-    #   If request fails, request a full window launch instead. (#2)
-    # Safari launch #3: Relaunched by Canvas after full-window launch,
-    #   request Storage Access and then relaunch the tool. (#4)
-    # Pass along any parameters provided by the tool that are needed to launch correctly,
-    # and tell the tool that it has Storage Access.
     render(
-      'canvas_lti_third_party_cookies/request_storage_access',
+      'canvas_lti_third_party_cookies/prep_for_full_window_launch',
       locals: {
-        launch_url: launch_url,
-        relaunch_url: relaunch_url(launch_url, launch_params),
-        launch_data: launch_data.merge({ storage_access_status: "granted"})
+        launch_url: request.base_url + request.fullpath,
+        placement: placement,
+        window_type: window_type.to_s,
+        width: width || 800,
+        height: height || 600
       }
     )
   end
-  # Safari launch #4 (described above) is actually an internal opaque redirect of launch #3
-  # and not a real Canvas LTI launch, so the id_token (and specifically the nonce inside)
-  # is exactly the same. Normally, ignoring the nonce is a Bad Idea since it can allow
-  # replay attacks, but for this specific situation (the request is an internal redirect)
-  # it's a sufficient hack.
-  def should_ignore_nonce?
-    referer = URI.parse(request.referer)
-    is_safari? && params[:storage_access_status] == "granted" && referer.host == request.host && referer.port == request.port
-  end
   private
+  def is_full_window_launch?
+    params[:full_win_launch_requested].present?
+  end
   def is_safari?
     browser = Browser.new(request.headers["User-Agent"])
     # detect both MacOS and iOS Safari
     browser.safari? || (browser.webkit? && browser.platform.ios?)
   end
-  def relaunch_url(launch_url, launch_params)
-    return launch_url if launch_params.empty?
-    "#{launch_url}?#{launch_params.to_query}"
-  end
 end

data/app/views/canvas_lti_third_party_cookies/{request_storage_access.erb → prep_for_full_window_launch.erb} RENAMED Viewed

@@ -1,36 +1,25 @@
 <%= javascript_tag do -%>
-  const requestStorageAccess = () => {
-    document
-      .requestStorageAccess()
-      .then(() => redirectToSetCookies())
-      .catch(() => requestFullWindowLaunch());
-  };
   const requestFullWindowLaunch = () => {
+    console.log("clicked")
     window.parent.postMessage(
       {
         messageType: "requestFullWindowLaunch",
-        data: "<%= launch_url %>",
+        data: {
+          url: "<%= launch_url %>",
+          placement: "<%= placement %>",
+          launchType: "<%= window_type %>",
+          launchOptions: {
+            width: <%= width %>,
+            height: <%= height %>
+          }
+        }
       },
       "*"
     );
   };
-  const redirectToSetCookies = () => {
-    const form = document.getElementById("relaunch");
-    form.submit();
-  };
   document.addEventListener("DOMContentLoaded", () => {
-    document.getElementById("request").addEventListener("click", requestStorageAccess)
-    document
-      .hasStorageAccess()
-      .then((hasStorageAccess) => {
-        if (hasStorageAccess) {
-          redirectToSetCookies();
-        }
-      })
-      .catch((err) => console.error(err));
+    console.log("loaded")
+    document.getElementById("request").addEventListener("click", requestFullWindowLaunch)
   });
 <% end %>
 <style type="text/css">
@@ -40,7 +29,7 @@
     height: 100%;
     font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif;
     font-size: 1.1em;
-    padding: 0 75px 0 75px;
+    padding: 0 24px;
   }
   .flex-item {
@@ -48,8 +37,8 @@
     text-align: center;
   }
-  .first {
-    margin-top: 50px;
+  .flex-container div:first-child {
+    margin-top: 24px;
   }
   p {
@@ -87,7 +76,7 @@
 </style>
 <div class="flex-container">
-  <div class="flex-item first">
+  <div class="flex-item">
     <img id="safari-logo" src="https://upload.wikimedia.org/wikipedia/commons/5/52/Safari_browser_logo.svg" alt="Safari Logo" />
   </div>
@@ -96,20 +85,15 @@
   </div>
   <div class="flex-item">
-    <p>Safari requires your interaction with this app before logging you in.</p>
-    <p>A dialog may appear asking you to allow this app to use cookies while browsing Canvas.</p>
-    <p>For the best experience, click Allow.</p>
-    <p>A dialog may also appear asking you to navigate somewhere else.</p>
-    <p>If it does, save your work first and then click Leave Page.</p>
+    <p>Safari blocks third-party cookies by default, which this app relies on for sign-in features.</p>
+    <p>Launching this app in a <%if window_type == "popup"%>popup window<%else%>new tab<%end%>, separate from Canvas, will allow the app to set its own cookies.</p>
+    <%if window_type == "popup"%>
+    <p>If the app doesn't appear, make sure Safari is not blocking popups.</p>
+    <%end%>
   </div>
   <div class="flex-item">
-    <button id="request">Continue to App</button>
+    <button id="request">Open <%if window_type == "popup"%>Popup<%else%>in New Tab<%end%></button>
   </div>
   <div>
-</div>
-<form id="relaunch" method="POST" action="<%= relaunch_url %>">
-  <% launch_data.each do |key, value| -%>
-    <%= hidden_field_tag key, value %>
-  <% end -%>
-</form>
+</div>

data/lib/canvas_lti_third_party_cookies/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module CanvasLtiThirdPartyCookies
-  VERSION = '0.3.3'
+  VERSION = '0.4.0'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: canvas_lti_third_party_cookies
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.4.0
 platform: ruby
 authors:
 - Xander Moffatt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-10 00:00:00.000000000 Z
+date: 2021-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -76,8 +76,7 @@ files:
 - README.md
 - Rakefile
 - app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb
-- app/views/canvas_lti_third_party_cookies/full_window_launch.erb
-- app/views/canvas_lti_third_party_cookies/request_storage_access.erb
+- app/views/canvas_lti_third_party_cookies/prep_for_full_window_launch.erb
 - app/views/layouts/application.html.erb
 - lib/canvas_lti_third_party_cookies.rb
 - lib/canvas_lti_third_party_cookies/engine.rb

data/app/views/canvas_lti_third_party_cookies/full_window_launch.erb DELETED Viewed

@@ -1,80 +0,0 @@
-<%= javascript_tag do -%>
-  document.addEventListener("DOMContentLoaded", () => {
-    document.getElementById("redirect").addEventListener("click", () => {
-      window.location.replace("<%= platform_redirect_url %>");
-    });
-  });
-<% end %>
-<style type="text/css">
-  .flex-container {
-    display: flex;
-    flex-direction: column;
-    height: 100%;
-    font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif;
-    font-size: 1.1em;
-    padding: 0 75px 0 75px;
-  }
-  .flex-item {
-    margin-bottom: 10px;
-    text-align: center;
-  }
-  .first {
-    margin-top: 50px;
-  }
-  p {
-    margin: 0 0 0.5em 0;
-  }
-  button {
-    background: #008EE2;
-    color: #ffffff;
-    border: 1px solid;
-    border-color: #0079C1;
-    border-radius: 3px;
-    transition: background-color 0.2s ease-in-out;
-    display: inline-block;
-    position: relative;
-    padding: 8px 14px;
-    margin-bottom: 0;
-    font-size: 16px;
-    font-size: 1rem;
-    line-height: 20px;
-    text-align: center;
-    vertical-align: middle;
-    cursor: pointer;
-    text-decoration: none;
-    overflow: hidden;
-    text-shadow: none;
-    -webkit-user-select: none;
-    -moz-user-select: none;
-  }
-  #safari-logo {
-    width: 100px;
-    height: 100px;
-  }
-</style>
-<div class="flex-container">
-  <div class="flex-item first">
-    <img id="safari-logo" src="https://upload.wikimedia.org/wikipedia/commons/5/52/Safari_browser_logo.svg" alt="Safari Logo" />
-  </div>
-  <div class="flex-item">
-    <strong>It looks like you are using Safari.</strong>
-  </div>
-  <div class="flex-item">
-    <p>Occasionally, Safari requires you to launch this app outside of Canvas before logging in.</p>
-    <p>This setup is now complete, and Canvas can now relaunch this app.</p>
-    <p>In some cases, you may need to relaunch this app yourself.</p>
-  </div>
-  <div class="flex-item">
-     <button id="redirect">Relaunch App in Canvas</button>
-  </div>
-  <div>
-</div>