canvas_lti_third_party_cookies 0.4.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d232d4448ee62b75121b20f70143f70f75e0ea38a83408b3ed42bb51ce41247
-  data.tar.gz: 44605463e21036992d5e0dadc1ac7180384e3f4186917e0139fe586c9451c936
+  metadata.gz: bfadd9bf819df5cfb7740b3b1c88f7436337b0bafbc243d9df216af7e948cd9e
+  data.tar.gz: 6a539c02d809cbffbc9693a69567942af8ba24d839299d0baca93e3ebe1ef676
 SHA512:
-  metadata.gz: 65a832d626b6062a7f4982417681a267bab2d49a6d070e4aef5e99b28d947fdb9d22ba73fc51badc1ceb4a9a7b59e45b3f08f8998fb1c2a286d6ec3bebd440f9
-  data.tar.gz: 47b3da8ab13ac2b3b9e9fae11ccaba87344b2cce53d98edbe6f96250c37c54e98210b6d0345180adbd57e1990516c89f6eed8a6a9304a8abcd2e9ae44a9fe4dc
+  metadata.gz: a346aec85ae07519abe21496dbec0126bab0ab6ffc96de0d0b7c23be9eea02080cde3b7949295b598e9827c597442d83f866c758f0790a5bfad4da4faa4821cb
+  data.tar.gz: 9fb2fbc396790aca7e388e430adcd36ff2b2acf5d3f94309413e732b1ad354fdac8ee76197f1b3e74948ac59731cc10cbd3c931968361d0d6d3176c0e4af8a73

data/README.md

@@ -1,10 +1,9 @@
 # canvas_lti_third_party_cookies
 
-Safari blocks all 3rd-party cookies by default, which breaks LTI tools that rely on setting cookies when launched in an iframe. Instead, it exposes a new API for getting user-permitted access to set cookies from an iframe, which unfortunately doesn't completely work for LTI use cases.
+Safari blocks all 3rd-party cookies by default, which breaks LTI tools that rely on setting cookies when launched in an iframe. Other browsers will soon follow suit. Instead, it exposes a new API for getting user-permitted access to set cookies from an iframe, which unfortunately doesn't completely work for LTI use cases.
 See this article for a detailed explanation of the Storage Access API and previous attempts to launch LTI tools in Safari: https://community.canvaslms.com/t5/Developers-Group/Safari-13-1-and-LTI-Integration/ba-p/273051
 
-The current workaround that this gem implements is to relaunch the tool in a new tab, new window, or popup window, where it can set first-party cookies to it's heart's content. This gem won't work without being launched from Canvas, or a Tool Consumer that implements the same `window.postMessage` listener as Canvas
-does here: https://github.com/instructure/canvas-lms/blob/master/public/javascripts/lti/post_message/requestFullWindowLaunch.js
+The current workaround that this gem implements is to relaunch the tool in a new tab, new window, or popup window, where it can set first-party cookies to it's heart's content. The relaunch occurs during the login request, so the tool is entirely in control, and no other parts of the LTI launch flow are modified.
 
 ## Installation
 Add this line to your application's Gemfile:
@@ -24,18 +23,41 @@ $ bundle install
 Choose the Rails controller action that's used to launch your tool and set cookies. Set the before_action callback
 below to run on that action, and pass the data needed.
 
-* `placement`: (required) Should be the Canvas placement that the tool was launched from, taken from the decoded id_token's `https://www.instructure.com/placement` claim.
-* `window_type`: (optional) Set to `:new_window` to open the tool in a new tab or window, or to `:popup` to open in a popup window.Defaults to `:new_window`.
-* `width`: (optional) The width the popup window should be, in px. User has the discretion to ignore this. Only valid with window_type: popup. Defaults to 800px. 
-* `height`: (optional) The height the popup window should be, in px. User has the discretion to ignore this. Only valid with window_type: popup. Defaults to 600px.
+* `redirect_url` (required): the authorization redirect URL to continue the login flow
+* `redirect_data` (required): all form data required for the authorization redirect, which
+the previous login render call should have included in a form tag.
+* `window_type`: (optional) Set to `:new_window` to open the tool in a
+new tab or window, or to `:popup` to open in a popup window.
+Defaults to `:new_window`.
+* `width`: (optional) The width the popup window should be, in px. User
+has the discretion to ignore this. Only valid with window_type: popup.
+Defaults to 800px.
+* `height`: (optional) The height the popup window should be, in px. User
+has the discretion to ignore this. Only valid with window_type: popup.
+Defaults to 600px.
 
+example:
 ```ruby
-include CanvasLtiThirdPartyCookies::SafariLaunch
-#...
-before_action -> { 
-  placement = decoded_id_token['https://www.instructure.com/placement']
-  handle_safari_launch(placement: placement, window_type: :popup)
-}
+include CanvasLtiThirdPartyCookies::RelaunchOnLogin
+...
+def login
+  state, nonce = create_and_cache_state # handled elsewhere
+  redirect_url = 'http://canvas.instructure.com/api/lti/authorize_redirect' 
+  redirect_data = {
+    scope: 'openid',
+    response_type: 'id_token',
+    response_mode: 'form_post',
+    prompt: 'none',
+    redirect_uri: redirect_uri, # the launch url of the tool
+    client_id: params.require(:client_id),
+    login_hint: params.require(:login_hint),
+    lti_message_hint: params.require(:lti_message_hint),
+    state: state,
+    nonce: nonce
+  }
+
+  relaunch_on_login(redirect_url, redirect_data)
+end
 ```
 
 ## Testing
@@ -47,7 +69,7 @@ $ rails test
 ## Publishing New Versions
 
 1. Bump the version in `lib/canvas_lti_third_party_cookies/version.rb`.
-2. Commit, push, and merge that change.
-3. `rake install`
+2. `rake install`
+3. Commit, push, and merge that change.
 4. `gem push pkg/canvas_lti_third_party_cookies-<version>.gem`
   - note that this will only work if you have access

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 begin
   require 'bundler/setup'
 rescue LoadError

data/app/assets/javascripts/canvas_lti_third_party_cookies/relaunch_on_login.js

@@ -0,0 +1,66 @@
+document.addEventListener("DOMContentLoaded", () => {
+  const { window_type, form_target, width, height } = window.ENV;
+
+  let newWindow;
+  const openNewWindow = () => {
+    switch (window_type) {
+      case "popup": {
+        newWindow = window.open(
+          "",
+          form_target,
+          "toolbar=no,menubar=no,location=no,status=no,resizable,scrollbars," +
+            `width=${width},height=${height}`
+        );
+        break;
+      }
+      case "new_window": {
+        newWindow = window.open("", form_target);
+        break;
+      }
+    }
+  };
+
+  const getRelaunchElement = (id) => document.getElementById(`relaunch-${id}`);
+  const hide = (el) => (el.style.display = "none");
+  const show = (el) => (el.style.display = "flex"); // normally this is 'block', but the containers need to be 'flex'
+
+  const successMessageEl = getRelaunchElement("success");
+  const retryMessageEl = getRelaunchElement("retry");
+  const relaunchFormEl = getRelaunchElement("form");
+  const retryButtonEl = getRelaunchElement("request");
+
+  // set a test cookie
+  const testCookie = "canSetCookies=true";
+  document.cookie = testCookie;
+  if (
+    document.cookie.split(";").some((cookie) => cookie.includes(testCookie))
+  ) {
+    // setting cookies works, continue login flow inline
+    // todo: remove test cookie
+    document.getElementById("redirect-form").submit();
+    return;
+  }
+
+  // open in new tab and restart login flow
+  show(successMessageEl);
+  openNewWindow();
+
+  if (newWindow) {
+    // tool opened successfully, POST login form data to opened window
+    relaunchFormEl.submit();
+    return;
+  }
+
+  // tool open blocked, tell user to allow popups and try again
+  show(retryMessageEl);
+  hide(successMessageEl);
+
+  retryButtonEl.addEventListener("click", () => {
+    // open tool and POST login data again
+    openNewWindow();
+    relaunchFormEl.submit();
+
+    show(successMessageEl);
+    hide(retryMessageEl);
+  });
+});

data/app/assets/stylesheets/canvas_lti_third_party_cookies/relaunch_on_login.css

@@ -0,0 +1,52 @@
+.flex-container {
+  display: none;
+  flex-direction: column;
+  height: 100%;
+  font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans",
+    "Helvetica Neue", Arial, sans-serif;
+  font-size: 1.1em;
+  padding: 0 24px;
+}
+
+.flex-item {
+  margin-bottom: 10px;
+  text-align: center;
+}
+
+.flex-container div:first-child {
+  margin-top: 24px;
+}
+
+p {
+  margin: 0 0 0.5em 0;
+}
+
+button {
+  background: #008ee2;
+  color: #ffffff;
+  border: 1px solid;
+  border-color: #0079c1;
+  border-radius: 3px;
+  transition: background-color 0.2s ease-in-out;
+  display: inline-block;
+  position: relative;
+  padding: 8px 14px;
+  margin-bottom: 0;
+  font-size: 16px;
+  font-size: 1rem;
+  line-height: 20px;
+  text-align: center;
+  vertical-align: middle;
+  cursor: pointer;
+  text-decoration: none;
+  overflow: hidden;
+  text-shadow: none;
+  -webkit-user-select: none;
+  -moz-user-select: none;
+  user-select: none;
+}
+
+img {
+  width: 100px;
+  height: 100px;
+}

data/app/controllers/concerns/canvas_lti_third_party_cookies/relaunch_on_login.rb

@@ -0,0 +1,71 @@
+module CanvasLtiThirdPartyCookies::RelaunchOnLogin
+  extend ActiveSupport::Concern
+
+  # this should replace your previous login render call, at the end of your login action.
+  # 
+  # `redirect_url` (required): the authorization redirect URL to continue the login flow
+  #
+  # `redirect_data` (required): all form data required for the authorization redirect, which
+  # the previous login render call should have included in a form tag.
+  #
+  # `window_type`: (optional) Set to `:new_window` to open the tool in a
+  # new tab or window, or to `:popup` to open in a popup window.
+  # Defaults to `:new_window`.
+  #
+  # `width`: (optional) The width the popup window should be, in px. User
+  # has the discretion to ignore this. Only valid with window_type: popup.
+  # Defaults to 800px.
+  #
+  # `height`: (optional) The height the popup window should be, in px. User
+  # has the discretion to ignore this. Only valid with window_type: popup.
+  # Defaults to 600px.
+  #
+  # example:
+  # include CanvasLtiThirdPartyCookies::RelaunchOnLogin
+  # ...
+  # def login
+  #   state, nonce = create_and_cache_state # handled elsewhere
+  #   redirect_url = 'http://canvas.instructure.com/api/lti/authorize_redirect' 
+  #   redirect_data = {
+  #     scope: 'openid',
+  #     response_type: 'id_token',
+  #     response_mode: 'form_post',
+  #     prompt: 'none',
+  #     redirect_uri: redirect_uri, # the launch url of the tool
+  #     client_id: params.require(:client_id),
+  #     login_hint: params.require(:login_hint),
+  #     lti_message_hint: params.require(:lti_message_hint),
+  #     state: state,
+  #     nonce: nonce
+  #   }
+  #
+  #   relaunch_on_login(redirect_url, redirect_data)
+  # end
+  def relaunch_on_login(redirect_url, redirect_data, window_type: :new_window, width: 800, height: 600)
+    raise ArgumentError.new("window_type must be either :new_window or :popup") unless [:new_window, :popup].include? window_type
+
+    window_type_text = {
+      new_window: 'new tab',
+      popup: 'popup window'
+    }
+    form_target = 'login_relaunch'
+
+    render(
+      'canvas_lti_third_party_cookies/relaunch_on_login',
+      locals: {
+        redirect_url: redirect_url,
+        redirect_data: redirect_data,
+        relaunch_url: request.url,
+        relaunch_data: params.permit(:canvas_region, :client_id, :iss, :login_hint, :lti_message_hint, :target_link_uri),
+        form_target: form_target,
+        window_type_text: window_type_text[window_type],
+        js_env: {
+          form_target: form_target,
+          window_type: window_type,
+          width: width,
+          height: height
+        }
+      }
+    )
+  end
+end

data/app/views/canvas_lti_third_party_cookies/_cookie_message.erb

@@ -0,0 +1,11 @@
+<div id="<%= id %>" class="flex-container">
+  <div class="flex-item">
+    <img src="https://upload.wikimedia.org/wikipedia/commons/0/03/Oxygen480-apps-preferences-web-browser-cookies.svg" alt="Cookie" />
+  </div>
+
+  <div class="flex-item">
+    <strong>It looks like your browser doesn't like cookies.</strong>
+  </div>
+
+  <%= yield %>
+</div>

data/app/views/canvas_lti_third_party_cookies/relaunch_on_login.erb

@@ -0,0 +1,41 @@
+<%= stylesheet_link_tag 'canvas_lti_third_party_cookies/relaunch_on_login' %>
+<%= javascript_tag do %>
+  window.ENV = <%= js_env.to_json.html_safe %>
+<% end %>
+<%= javascript_include_tag 'canvas_lti_third_party_cookies/relaunch_on_login' %>
+
+<%# when submitted, continue to login flow step 2: redirect back to Canvas for authentication %>
+<%= form_tag(redirect_url, method: :post, id: 'redirect-form') do %>
+  <% redirect_data.each do |k, v| %>
+    <%= hidden_field_tag(k, v) %>
+  <% end %>
+<% end %>
+
+<%# when submitted, replay login flow step 1 in a new window %>
+<%# the target attribute tells the form to POST in the window matching that target, which is opened below %>
+<%= form_tag(relaunch_url, method: :post, id: 'relaunch-form', target: form_target) do %>
+  <% relaunch_data.each do |k, v| %>
+    <%= hidden_field_tag(k, v) %>
+  <% end %>
+<% end %>
+
+<%# default message to display on new window launch; hidden by default %>
+<%= render 'canvas_lti_third_party_cookies/cookie_message', id: 'relaunch-success' do %>
+  <div class="flex-item">
+    <p>Some browsers block third-party cookies by default, which this app relies on for launch and sign-in features.</p>
+    <p>This app has opened in a <%= window_type_text %>, so that it can set its own cookies.
+  </div>
+<% end %>
+
+<%# message displayed when popups are blocked; hidden by default %>
+<%= render 'canvas_lti_third_party_cookies/cookie_message', id: 'relaunch-retry' do %>
+  <div class="flex-item">
+    <p>Some browsers block third-party cookies by default, which this app relies on for launch and sign-in features.</p>
+    <p>Launching this app in a <%= window_type_text %>, separate from Canvas, will allow the app to set its own cookies.</p>
+    <p>To open the app, make sure your browser allows popups for this page and try again.</p>
+  </div>
+  
+  <div class="flex-item">
+    <button id="relaunch-request">Open in <%= window_type_text.capitalize %></button>
+  </div>
+<% end %>

data/lib/canvas_lti_third_party_cookies/engine.rb

@@ -1,5 +1,9 @@
 module CanvasLtiThirdPartyCookies
   class Engine < ::Rails::Engine
     isolate_namespace CanvasLtiThirdPartyCookies
+
+    initializer "CanvasLtiThirdPartyCookies.assets.precompile" do |app|
+      app.config.assets.precompile += %w( canvas_lti_third_party_cookies/relaunch_on_login.js canvas_lti_third_party_cookies/relaunch_on_login.css )
+    end
   end
 end

data/lib/canvas_lti_third_party_cookies/version.rb

@@ -1,3 +1,3 @@
 module CanvasLtiThirdPartyCookies
-  VERSION = '0.4.0'
+  VERSION = '1.0.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: canvas_lti_third_party_cookies
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Xander Moffatt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-26 00:00:00.000000000 Z
+date: 2021-06-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -16,20 +16,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: 6.0.3
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.2.1
+        version: 6.0.3.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.0.2
+        version: 6.0.3
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.2.1
+        version: 6.0.3.6
 - !ruby/object:Gem::Dependency
   name: browser
   requirement: !ruby/object:Gem::Requirement
@@ -75,8 +75,11 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb
-- app/views/canvas_lti_third_party_cookies/prep_for_full_window_launch.erb
+- app/assets/javascripts/canvas_lti_third_party_cookies/relaunch_on_login.js
+- app/assets/stylesheets/canvas_lti_third_party_cookies/relaunch_on_login.css
+- app/controllers/concerns/canvas_lti_third_party_cookies/relaunch_on_login.rb
+- app/views/canvas_lti_third_party_cookies/_cookie_message.erb
+- app/views/canvas_lti_third_party_cookies/relaunch_on_login.erb
 - app/views/layouts/application.html.erb
 - lib/canvas_lti_third_party_cookies.rb
 - lib/canvas_lti_third_party_cookies/engine.rb

data/app/controllers/concerns/canvas_lti_third_party_cookies/safari_launch.rb

@@ -1,60 +0,0 @@
-require 'browser'
-
-module CanvasLtiThirdPartyCookies::SafariLaunch
-  extend ActiveSupport::Concern
-
-  # this needs to be called as a before_action on the route that launches the tool
-  # and the tool is required to pass some parameters to this method.
-  #
-  # `placement`: (required) Should be the Canvas placement that
-  # the tool was launched from, taken from the decoded id_token's 
-  # `https://www.instructure.com/placement` claim.
-  #
-  # `window_type`: (optional) Set to `:new_window` to open the tool in a
-  # new tab or window, or to `:popup` to open in a popup window.
-  # Defaults to `:new_window`.
-  #
-  # `width`: (optional) The width the popup window should be, in px. User
-  # has the discretion to ignore this. Only valid with window_type: popup.
-  # Defaults to 800px.
-  #
-  # `height`: (optional) The height the popup window should be, in px. User
-  # has the discretion to ignore this. Only valid with window_type: popup.
-  # Defaults to 600px.
-  #
-  # example:
-  # include CanvasLtiThirdPartyCookies::SafariLaunch
-  # ...
-  # before_action -> { 
-  #   placement = decoded_id_token['https://www.instructure.com/placement']
-  #   handle_safari_launch(placement: placement, window_type: :popup)
-  # }
-  def handle_safari_launch(placement:, window_type: :new_window, width: nil, height: nil)
-    raise ArgumentError.new("window_type must be either :new_window or :popup") unless [:new_window, :popup].include? window_type
-    return unless is_safari?
-    return if is_full_window_launch?
-
-    render(
-      'canvas_lti_third_party_cookies/prep_for_full_window_launch',
-      locals: {
-        launch_url: request.base_url + request.fullpath,
-        placement: placement,
-        window_type: window_type.to_s,
-        width: width || 800,
-        height: height || 600
-      }
-    )
-  end
-
-  private
-
-  def is_full_window_launch?
-    params[:full_win_launch_requested].present?
-  end
-
-  def is_safari?
-    browser = Browser.new(request.headers["User-Agent"])
-    # detect both MacOS and iOS Safari
-    browser.safari? || (browser.webkit? && browser.platform.ios?)
-  end
-end

data/app/views/canvas_lti_third_party_cookies/prep_for_full_window_launch.erb

@@ -1,99 +0,0 @@
-<%= javascript_tag do -%>
-  const requestFullWindowLaunch = () => {
-    console.log("clicked")
-    window.parent.postMessage(
-      {
-        messageType: "requestFullWindowLaunch",
-        data: {
-          url: "<%= launch_url %>",
-          placement: "<%= placement %>",
-          launchType: "<%= window_type %>",
-          launchOptions: {
-            width: <%= width %>,
-            height: <%= height %>
-          }
-        }
-      },
-      "*"
-    );
-  };
-  document.addEventListener("DOMContentLoaded", () => {
-    console.log("loaded")
-    document.getElementById("request").addEventListener("click", requestFullWindowLaunch)
-  });
-<% end %>
-<style type="text/css">
-  .flex-container {
-    display: flex;
-    flex-direction: column;
-    height: 100%;
-    font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif;
-    font-size: 1.1em;
-    padding: 0 24px;
-  }
-
-  .flex-item {
-    margin-bottom: 10px;
-    text-align: center;
-  }
-
-  .flex-container div:first-child {
-    margin-top: 24px;
-  }
-
-  p {
-    margin: 0 0 0.5em 0;
-  }
-
-  button {
-    background: #008EE2;
-    color: #ffffff;
-    border: 1px solid;
-    border-color: #0079C1;
-    border-radius: 3px;
-    transition: background-color 0.2s ease-in-out;
-    display: inline-block;
-    position: relative;
-    padding: 8px 14px;
-    margin-bottom: 0;
-    font-size: 16px;
-    font-size: 1rem;
-    line-height: 20px;
-    text-align: center;
-    vertical-align: middle;
-    cursor: pointer;
-    text-decoration: none;
-    overflow: hidden;
-    text-shadow: none;
-    -webkit-user-select: none;
-    -moz-user-select: none;
-  }
-
-  #safari-logo {
-    width: 100px;
-    height: 100px;
-  }
-</style>
-
-<div class="flex-container">
-  <div class="flex-item">
-    <img id="safari-logo" src="https://upload.wikimedia.org/wikipedia/commons/5/52/Safari_browser_logo.svg" alt="Safari Logo" />
-  </div>
-
-  <div class="flex-item">
-    <strong>It looks like you are using Safari.</strong>
-  </div>
-
-  <div class="flex-item">
-    <p>Safari blocks third-party cookies by default, which this app relies on for sign-in features.</p>
-    <p>Launching this app in a <%if window_type == "popup"%>popup window<%else%>new tab<%end%>, separate from Canvas, will allow the app to set its own cookies.</p>
-    <%if window_type == "popup"%>
-    <p>If the app doesn't appear, make sure Safari is not blocking popups.</p>
-    <%end%>
-  </div>
-  
-  <div class="flex-item">
-    <button id="request">Open <%if window_type == "popup"%>Popup<%else%>in New Tab<%end%></button>
-  </div>
-  <div>
-</div>