coalescing_panda 5.0.10 → 5.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0d5aa87e2a3916918af65a1e1f277bc43d7f7e84
-  data.tar.gz: 442e7c12a0bc6e5b9ff459c1a5b7e35f069961c9
+  metadata.gz: ca4769293181b5ee47471cc9051ad0b678915f71
+  data.tar.gz: 60c8585ff7f5d28057b703a9ae7c5a85ab6dbdb7
 SHA512:
-  metadata.gz: 13ce225d0d9f95cf1f56327fa231d8680611ad55b9b3ceab43cbf11da20775b1ccd54a5ffb564b0460c75e2ad238ccd4b1b2e9ebddfd5bda51280b7b320e5fbb
-  data.tar.gz: dd493d6bf57b29132db15a9a3cd48bcb85b924591c77b39d9c1e2d22a9a486755ea077c412f98034cce860002af797189e7464b461d4d0bfdf7167948b6b2688
+  metadata.gz: 6103b51481915a9d2719a87ff81c042a783d0111108e4c270fc3261a61008ab3683beaae3b2a9490450248fe882f4be75776d360219fe2dadb7377cc301f229f
+  data.tar.gz: f434c3a048769d55b72fe0ba190c7033ce0429b0acbf3ec0ec1a2ea2bc920262de49ef9336feb5e236d1767237bd79dd4ccf6bf14765c79358faa24fa329e91c

data/app/controllers/coalescing_panda/oauth2_controller.rb

@@ -34,7 +34,7 @@ module CoalescingPanda
     private
 
     def oauth2_protocol
-      ENV['OAUTH_PROTOCOL'] || 'https'
+      ENV['OAUTH_PROTOCOL'] || (Rails.env.development? ? 'http' : 'https')
     end
 
     def retrieve_oauth_state

data/lib/coalescing_panda/controller_helpers.rb

@@ -1,51 +1,17 @@
 require 'browser'
+require_relative 'session_replacement'
 
 module CoalescingPanda
   module ControllerHelpers
     extend ActiveSupport::Concern
-
-    included do
-      alias_method :rails_session, :session
-
-      helper_method :encrypted_session_key, :current_session_data, :current_session
-      append_after_action :save_session, if: -> { @current_session && session_changed? }
-    end
-
-    class_methods do
-      def use_native_sessions
-        after_action do
-          rails_session['persistent_session_key'] = current_session.session_key if @current_session.present?
-        end
-      end
-    end
-
-    def current_session
-      @current_session ||= (CoalescingPanda::PersistentSession.find_by(session_key: session_key) if session_key)
-      @current_session ||= (CoalescingPanda::PersistentSession.create_from_launch(params, current_lti_account.id) if current_lti_account.present?)
-      @current_session
-    end
+    include SessionReplacement
 
     def current_lti_account
       @account ||= (CoalescingPanda::LtiAccount.find_by!(key: organization_key) if organization_key)
       @account ||= (CoalescingPanda::LtiAccount.find_by(id: organization_id) if organization_id)
       @account
     end
-
-    def current_session_data
-      current_session.data
-    end
-
-    def encrypted_session_key
-      msg_encryptor.encrypt_and_sign(current_session.session_key)
-    end
-
-    def save_session
-      current_session.try(:save)
-    end
-
-    def session_changed?
-      current_session.changed? && current_session.changes[:data].present?
-    end
+    def current_organization; current_lti_account; end
 
     def canvas_oauth2(*roles)
       return if have_session?
@@ -191,14 +157,22 @@ module CoalescingPanda
       end
     end
 
-    def session_check
-      logger.warn 'session_check is deprecated. Functionality moved to lti_authorize.'
+    def valid_session?
+      [
+        current_session&.persisted?,
+      ].all?
+    rescue SessionNonceMismatch
+      false
     end
 
     private
 
-    def msg_encryptor
-      @crypt ||= ActiveSupport::MessageEncryptor.new(Rails.application.secrets.secret_key_base[0..31])
+    def find_or_create_session(key:)
+      if key == :create
+        CoalescingPanda::PersistentSession.create_from_launch(params, current_lti_account.id) if current_lti_account.present?
+      else
+        CoalescingPanda::PersistentSession.find_by(session_key: key)
+      end
     end
 
     def organization_key
@@ -209,54 +183,6 @@ module CoalescingPanda
       params[:organization_id] || (current_session_data[:launch_params][:organization_id] if @current_session)
     end
 
-    def session_key
-      if params[:encrypted_session_key]
-        return msg_encryptor.decrypt_and_verify(params[:encrypted_session_key])
-      end
-      params[:session_key] || session_key_header || rails_session['persistent_session_key']
-    end
-
-    def session_key_header
-      if (match = request.headers['Authorization'].try(:match, /crypted_token=(.+)/))
-        msg_encryptor.decrypt_and_verify(match[1])
-      elsif (match = request.headers['Authorization'].try(:match, /token=(.+)/))
-        match[1]
-      end
-    end
-
-    # Redirect with the session key intact. In production,
-    # handle this by encrypting the session key.  That way if the
-    # url is logged anywhere, it will all be encrypted data.   In dev,
-    # just put it in the URL. Putting it in the URL
-    # is insecure, but is fine in development.
-    # Keeping it in the URL in development means that it plays
-    # nicely with webpack-dev-server live reloading (otherwise
-    # you get an access error every time it tries to live reload).
-
-    def redirect_with_session_to(path, id_or_resource = nil, redirect_params = {})
-      if Rails.env.development? || Rails.env.test?
-        redirect_development_mode(path, id_or_resource, redirect_params)
-      else
-        redirect_production_mode(path, id_or_resource, redirect_params)
-      end
-    end
-
-    def redirect_development_mode(path, id_or_resource = nil, redirect_params)
-      redirect_to send(path, id_or_resource, {
-          session_key: current_session.session_key,
-          organization_id: current_lti_account.id
-      }.merge(redirect_params))
-    end
-
-    def redirect_production_mode(path, id_or_resource = nil, redirect_params)
-      redirect_to send(path, id_or_resource, {
-          encrypted_session_key: encrypted_session_key,
-          organization_id: current_lti_account.id
-      }.merge(redirect_params))
-    end
-
-    private
-
     # This is necessitated by a bug in Rails Engines where it isn't resolving the URL correctly
     # when using coalescing_panda.xyz_url (The Engine Prefix is not included)
     # I believe https://github.com/rails/rails/issues/34452 is the same issue

data/lib/coalescing_panda/secure_headers.rb

@@ -48,11 +48,6 @@ module CoalescingPanda
         end
       end
 
-      if CoalescingPanda.lti_options.has_key?(:allow_unsafe_eval) && CoalescingPanda.lti_options[:allow_unsafe_eval] == true
-        # For when code is returned from server and injected into dom.  Need to have unsafe-eval or it won't work.
-        csp_entry(:script_src, "'unsafe-eval'")
-      end
-
       # Detect and permit Sentry
       if defined?(Raven) && Raven.configuration.server.present?
         csp_entry(:connect_src, Raven.configuration.server)

data/lib/coalescing_panda/session_replacement.rb

@@ -0,0 +1,185 @@
+module CoalescingPanda
+  class SessionNonceMismatch < StandardError; end
+
+  module SessionReplacement
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :link_nonce, :current_session, :current_session_data
+      helper_method :link_with_session_to, :url_with_session, :session_url_for
+
+      prepend_around_action :monkeypatch_flash
+      prepend_around_action :auto_save_session
+    end
+
+    class_methods do
+      def link_nonce_type(value = :not_given)
+        if value == :not_given
+          @link_nonce_type || superclass.try(:link_nonce_type) || :nonce
+        else
+          @link_nonce_type = value
+        end
+      end
+    end
+
+    def save_session
+      current_session.try(:save)
+    end
+
+    def current_session
+      return @current_session if @current_session.present?
+
+      if params[:session_token]
+        payload = JSON.parse(session_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
+        matched_session = find_or_create_session(key: payload[:session_key])
+
+        if matched_session.present?
+          if payload[:token_type] == 'nonce' && matched_session.data[:link_nonce] == payload[:nonce]
+            @current_session = matched_session
+            @current_session.data[:link_nonce] = nil
+          elsif payload[:token_type] == 'fixed_ip' && matched_session.data[:remote_ip] == request.remote_ip &&
+            DateTime.parse(matched_session.data[:last_ip_token_requested]) > 15.minutes.ago
+            @current_session = matched_session
+          end
+        end
+        raise SessionNonceMismatch, "Session Not Found" unless @current_session.present?
+      elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
+        @current_session = find_or_create_session(key: session_key)
+      end
+
+      @current_session ||= find_or_create_session(key: :create)
+
+      @current_session
+    end
+
+    def current_session_data
+      current_session.data
+    end
+
+    def session_changed?
+      current_session.changed? && current_session.changes[:data].present?
+    end
+
+    def forbid_access_if_lacking_session
+      render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
+    end
+
+    def verify_authenticity_token
+      # No need to check CSRF when no cookies were sent. This fixes CSRF failures in Browsers
+      # that restrict Cookie setting within an IFrame.
+      return unless request.cookies.keys.length > 0
+      super
+    end
+
+    # Redirect with the session key intact. In production,
+    # handle this by adding a one-time use encrypted token to the URL.
+    # Keeping it in the URL in development means that it plays
+    # nicely with webpack-dev-server live reloading (otherwise
+    # you get an access error everytime it tries to live reload).
+
+    def redirect_with_session_to(*args)
+      redirect_to url_with_session(*args)
+    end
+
+    def link_with_session_to(*args)
+      helpers.link_to url_with_session(*args)
+    end
+
+    def session_url_for(*args)
+      url_for(build_session_url_params(*args))
+    end
+
+    def url_with_session(location, *args, route_context: self, **kwargs)
+      route_context.send(location, *build_session_url_params(*args, **kwargs))
+    end
+
+    def link_nonce(type: link_nonce_type)
+      type = instance_exec(&type) if type.is_a?(Proc)
+      type = type.to_s
+
+      @cached_link_nonces ||= {}
+      @cached_link_nonces[type] ||= begin
+        payload = {
+          token_type: type,
+          session_key: current_session.session_key,
+          organization_id: current_organization.id,
+        }
+
+        if type == 'nonce'
+          current_session_data[:link_nonce] = SecureRandom.hex
+          payload.merge!(nonce: current_session_data[:link_nonce])
+        elsif type == 'fixed_ip'
+          current_session_data[:remote_ip] ||= request.remote_ip
+          current_session_data[:last_ip_token_requested] = DateTime.now.iso8601
+        else
+          raise StandardError, "Unsupported link_nonce_type: '#{type}'"
+        end
+
+        session_cryptor.encrypt_and_sign(payload.to_json)
+      end
+    end
+
+    def link_nonce_type
+      self.class.link_nonce_type
+    end
+
+    private
+
+    def session_cryptor
+      secret_key_base = Rails.application.try(:secret_key_base) || Rails.application.secrets.secret_key_base
+      @session_cryptor ||= ActiveSupport::MessageEncryptor.new(secret_key_base[0..31])
+    end
+
+    def session_key_header
+      if match = request.headers['Authorization'].try(:match, /token=(.+)/)
+        match[1]
+      end
+    end
+
+    def build_session_url_params(*args, nonce_type: link_nonce_type, **kwargs)
+      if args[-1].is_a?(Hash)
+        args[-1] = args[-1].dup
+      else
+        args.push({})
+      end
+
+      if Rails.env.development?
+        args[-1].merge!(
+          session_key: current_session.session_key,
+          organization_id: current_organization.id,
+        )
+      else
+        args[-1].merge!(
+          session_token: link_nonce(type: nonce_type),
+          organization_id: current_organization.id,
+        )
+      end
+
+      args[-1].merge!(kwargs)
+      args
+    end
+
+    def auto_save_session
+      yield if block_given?
+      save_session if @current_session && session_changed?
+    end
+
+    def monkeypatch_flash
+      if valid_session? && (value = current_session_data['flashes']).present?
+        flashes = value["flashes"]
+        if discard = value["discard"]
+          flashes.except!(*discard)
+        end
+        flash.replace(flashes)
+        flash.discard()
+      end
+
+      yield
+
+      if @current_session.present?
+        current_session_data['flashes'] = flash.to_session_value
+        flash.discard()
+      end
+    end
+  end
+end

data/lib/coalescing_panda/version.rb

@@ -1,3 +1,3 @@
 module CoalescingPanda
-  VERSION = '5.0.10'
+  VERSION = '5.1.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: coalescing_panda
 version: !ruby/object:Gem::Version
-  version: 5.0.10
+  version: 5.1.0
 platform: ruby
 authors:
 - Nathan Mills
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-10 00:00:00.000000000 Z
+date: 2020-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -490,6 +490,7 @@ files:
 - lib/coalescing_panda/misc_helper.rb
 - lib/coalescing_panda/route_helpers.rb
 - lib/coalescing_panda/secure_headers.rb
+- lib/coalescing_panda/session_replacement.rb
 - lib/coalescing_panda/version.rb
 - lib/tasks/coalescing_panda_tasks.rake
 - spec/controllers/coalescing_panda/canvas_batches_controller_spec.rb