coalescing_panda 5.1.10 → 5.2.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: acb564123796d263404c131eb71d372a3592d105d822aa843849be8b36ee3474
-  data.tar.gz: b5cd0d04fda7b01b3b91098a68d27b4d151737d2ee481eff8e0263795d69f248
+  metadata.gz: bee89db63211898d79a2be426960cb091d7d4b9c384b848587c45744e40471e9
+  data.tar.gz: 06b1367659b15e63d7811a0a4ed6385f8f8925c3fac3767b9b0283bd00bd78b2
 SHA512:
-  metadata.gz: 0f75b1ab2b563eb1d512432859c4e54eb592ccdb59b99aa14920a62b725f1edda6d4c3a47d62b37db2d1de67ed4c382247ad2eebaed33eb3f2e55bd4c89d1cbc
-  data.tar.gz: fbbef643a7ad94950d3ffd9d54cd11f8808bc0ad4d807227eaff73fff1c0f601ea2ff7e58e59fa09db9507b950f1609c8adb3d555e85503bf0301c5a2c5061ed
+  metadata.gz: c902f68f0ed0685039be21864520fe6c80bc199f74afc897b5a38a38e6ea72b335463c0de6498024871e335cb515a7b68c9fa952a384fdf8cb10da12df5e6f23
+  data.tar.gz: 6cc22dcad22c6c77a9734b818969356e5600eedef854057d06320b05e1692631e4c814106ac8179a83bb39d2bef1e5396a02df95a6f1144046b09b5eaa739b64

data/app/controllers/coalescing_panda/oauth2_controller.rb

@@ -15,10 +15,12 @@ module CoalescingPanda
         client_key = lti_account.oauth2_client_key
         user_id = @oauth_state.data[:user_id]
         api_domain = @oauth_state.data[:api_domain]
+        prefix = @oauth_state.data[:api_url]
         @oauth_state.destroy
-        prefix = [oauth2_protocol, '://', api_domain].join
+
         Rails.logger.info "Creating Bearcat client for auth token retrieval pointed to: #{prefix}"
         client = Bearcat::Client.new(prefix: prefix)
+
         token_body = client.retrieve_token(client_id, coalescing_panda.oauth2_redirect_url, client_key, params['code'])
         auth = CanvasApiAuth.where('user_id = ? and api_domain = ?', user_id, api_domain).first_or_initialize
         auth.api_token = token_body['access_token']
@@ -30,20 +32,10 @@ module CoalescingPanda
       end
     end
 
-
     private
 
-    def oauth2_protocol
-      ENV['OAUTH_PROTOCOL'] || (Rails.env.development? ? 'http' : 'https')
-    end
-
     def retrieve_oauth_state
       @oauth_state ||= params[:state].present? && OauthState.find_by(state_key: params[:state])
     end
-
-    def valid_state_token
-      return false unless params['state'].present? && session['state'].present?
-      params['state'] == session['state']
-    end
   end
 end

data/app/views/coalescing_panda/oauth2/oauth2.html.haml

@@ -3,7 +3,9 @@
   %h2 Canvas Authentication Required
   %button.btn-canvas#oauth_btn Authenticate
 
-%form{id: 'lti_form', action: "#{request.original_url}", method: 'post'}
+%form{id: 'lti_form', action: "#{request.original_url}", method: request.method}
+  - unless @lti_params.include?(:session_token) || @lti_params.include?(:session_key)
+    %input{:type =>"hidden", :value=>link_nonce, :name=>"session_token"}
   - @lti_params.each do |k,v|
     %input{:type =>"hidden", :value=>"#{v}", :name=>"#{k}"}
 

data/db/migrate/20150714205405_create_coalescing_panda_group_categories.rb

@@ -2,7 +2,6 @@ class CreateCoalescingPandaGroupCategories < CoalescingPanda::MiscHelper::Migrat
   def change
     create_table :coalescing_panda_group_categories do |t|
       t.belongs_to :context, polymorphic: true
-      t.string :context_type
       t.integer :canvas_group_category_id
       t.string :name
 

data/lib/coalescing_panda/bearcat_uri.rb

@@ -1,24 +1,26 @@
-class CoalescingPanda::BearcatUri
-  attr_accessor :uri
+module CoalescingPanda
+  class BearcatUri
+    attr_accessor :uri
 
-  def initialize(uri)
-    Rails.logger.info "Parsing Bearcat URI: #{uri}"
-    @uri = URI.parse(uri)
-  end
+    def initialize(uri)
+      Rails.logger.info "Parsing Bearcat URI: #{uri}"
+      @uri = URI.parse(uri)
+    end
 
-  def api_domain
-    if Rails.env.test? or Rails.env.development?
-      uri.port.present? ? URI.encode("#{uri.host}:#{uri.port.to_s}") : uri.host
-    else
-      uri.host
+    def api_domain
+      if Rails.env.test? or Rails.env.development?
+        uri.port.present? ? URI.encode("#{uri.host}:#{uri.port.to_s}") : uri.host
+      else
+        uri.host
+      end
     end
-  end
 
-  def scheme
-    [uri.scheme, '://'].join
-  end
+    def scheme
+      [uri.scheme, '://'].join
+    end
 
-  def prefix
-    [scheme, api_domain].join
+    def prefix
+      [scheme, api_domain].join
+    end
   end
-end
+end

data/lib/coalescing_panda/controller_helpers.rb

@@ -1,5 +1,6 @@
 require 'browser'
 require_relative 'session_replacement'
+require_relative 'bearcat_uri'
 
 module CoalescingPanda
   module ControllerHelpers
@@ -14,96 +15,77 @@ module CoalescingPanda
     def current_organization; current_lti_account; end
 
     def canvas_oauth2(*roles)
-      return if have_session?
-      if lti_authorize!(*roles)
-        user_id = params['user_id']
-        launch_presentation_return_url = @lti_account.settings[:launch_presentation_return_url] || params['launch_presentation_return_url']
-        launch_presentation_return_url = [BearcatUri.new(request.env["HTTP_REFERER"]).prefix, launch_presentation_return_url].join unless launch_presentation_return_url.include?('http')
-        uri = BearcatUri.new(launch_presentation_return_url)
-        set_session(launch_presentation_return_url)
-
-        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', user_id, uri.api_domain)
-        if api_auth
-          begin
-            refresh_token(uri, api_auth) if api_auth.expired?
-            @client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
-            @client.user_profile 'self'
-          rescue Footrest::HttpError::BadRequest, Footrest::HttpError::Unauthorized
-            # If we can't retrieve our own user profile, or the token refresh fails, something is awry on the canvas end
-            # and we'll need to go through the oauth flow again
-            render_oauth2_page uri, user_id
-          end
-        else
-          render_oauth2_page uri, user_id
-        end
+      unless valid_session?
+        lti_authorize!(*roles)
+
+        current_session_data['user_id'] = params['user_id']
+        current_session_data['lis_person_sourcedid'] = params['lis_person_sourcedid']
+        current_session_data['oauth_consumer_key'] = params['oauth_consumer_key']
+        current_session_data['custom_canvas_account_id'] = params['custom_canvas_account_id']
       end
+
+      @lti_account = LtiAccount.find_by_key(current_session_data['oauth_consumer_key']) if current_session_data['oauth_consumer_key']
+
+      require_user_api_client
     end
 
-    def render_oauth2_page(uri, user_id)
-      @lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key'])
-      return unless @lti_account
+    def render_oauth2_page
+      client_id = current_lti_account.oauth2_client_id
+      client = Bearcat::Client.new(prefix: canvas_api_uri)
 
-      client_id = @lti_account.oauth2_client_id
-      client = Bearcat::Client.new(prefix: uri.prefix)
       state = SecureRandom.hex(32)
-      OauthState.create! state_key: state, data: { key: params['oauth_consumer_key'], user_id: user_id, api_domain: uri.api_domain }
+      OauthState.create! state_key: state, data: {
+        key: current_session_data.dig(:launch_params, :oauth_consumer_key),
+        user_id: current_session_data.dig(:launch_params, :user_id),
+        api_domain: URI.parse(canvas_api_uri).host,
+        api_url: canvas_api_uri,
+      }
+
       @canvas_url = client.auth_redirect_url(client_id, resolve_coalescing_panda_url(:oauth2_redirect_url), { state: state })
 
-      #delete the added params so the original oauth sig still works
-      @lti_params = params.to_hash
+      @lti_params = params.to_unsafe_h
       @lti_params.delete('action')
       @lti_params.delete('controller')
+
       render 'coalescing_panda/oauth2/oauth2', layout: 'coalescing_panda/application'
     end
 
-    def refresh_token(uri, api_auth)
-      refresh_client = Bearcat::Client.new(prefix: uri.prefix)
-      refresh_body = refresh_client.retrieve_token(@lti_account.oauth2_client_id, resolve_coalescing_panda_url(:oauth2_redirect_url),
-        @lti_account.oauth2_client_key, api_auth.refresh_token, 'refresh_token')
+    def refresh_token(api_auth)
+      refresh_client = Bearcat::Client.new(prefix: canvas_api_uri)
+      refresh_body = refresh_client.retrieve_token(
+        current_lti_account.oauth2_client_id,
+        resolve_coalescing_panda_url(:oauth2_redirect_url),
+        current_lti_account.oauth2_client_key,
+        api_auth.refresh_token,
+        'refresh_token'
+      )
       api_auth.update({ api_token: refresh_body['access_token'], expires_at: (Time.now + refresh_body['expires_in']) })
     end
 
-    def check_refresh_token
-      return unless current_session_data['uri'] && current_session_data['user_id'] && current_session_data['oauth_consumer_key']
-      uri = BearcatUri.new(current_session_data['uri'])
-      api_auth = CanvasApiAuth.find_by(user_id: current_session_data['user_id'], api_domain: uri.api_domain)
-      @lti_account = LtiAccount.find_by(key: current_session_data['oauth_consumer_key'])
-      return if @lti_account.nil? || api_auth.nil? # Not all tools use oauth
-
-      refresh_token(uri, api_auth) if api_auth.expired?
-    rescue Footrest::HttpError::BadRequest
-      render_oauth2_page uri, current_session_data['user_id']
-    end
-
-    def set_session(launch_presentation_return_url)
-      current_session_data['user_id'] = params['user_id']
-      current_session_data['uri'] = launch_presentation_return_url
-      current_session_data['lis_person_sourcedid'] = params['lis_person_sourcedid']
-      current_session_data['oauth_consumer_key'] = params['oauth_consumer_key']
-      current_session_data['custom_canvas_account_id'] = params['custom_canvas_account_id']
-    end
-
-    def have_session?
-      if params['tool_consumer_instance_guid'] && current_session_data['user_id'] != params['user_id']
-        reset_session
-        logger.info("resetting session params")
-        current_session_data['user_id'] = params['user_id']
+    def require_user_api_client
+      if user_api_client.nil?
+        render_oauth2_page
       end
+    end
 
-      if (current_session_data['user_id'] && current_session_data['uri'])
-        uri = BearcatUri.new(current_session_data['uri'])
-        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', current_session_data['user_id'], uri.api_domain)
-        if api_auth && !api_auth.expired?
-          @client = Bearcat::Client.new(token: api_auth.api_token, prefix: uri.prefix)
-          @client.user_profile 'self'
+    def user_api_client
+      @user_api_client ||= begin
+        user_id = current_session_data.dig(:launch_params, :user_id)
+        puri = URI.parse(canvas_api_uri)
+        api_auth = CanvasApiAuth.find_by('user_id = ? and api_domain = ?', user_id, puri.host)
+        if api_auth
+          begin
+            refresh_token(api_auth) if api_auth.expired?
+            client = Bearcat::Client.new(token: api_auth.api_token, prefix: canvas_api_uri)
+            client.user_profile('self')
+            client
+          rescue Footrest::HttpError::BadRequest, Footrest::HttpError::Unauthorized
+            # If we can't retrieve our own user profile, or the token refresh fails, something is awry on the canvas end
+            # and we'll need to go through the oauth flow again
+            nil
+          end
         end
       end
-
-      @lti_account = LtiAccount.find_by_key(current_session_data['oauth_consumer_key']) if current_session_data['oauth_consumer_key']
-
-      !!@client
-    rescue Footrest::HttpError::Unauthorized
-      false
     end
 
     def validate_launch!
@@ -111,23 +93,39 @@ module CoalescingPanda
     end
 
     def lti_authorize!(*roles)
+      return true if valid_session?
+
       authorized = false
       if (@lti_account = params['oauth_consumer_key'] && LtiAccount.find_by_key(params['oauth_consumer_key']))
         sanitized_params = sanitize_params
         @tp = IMS::LTI::ToolProvider.new(@lti_account.key, @lti_account.secret, sanitized_params)
         authorized = @tp.valid_request?(request)
       end
+
       logger.info 'not authorized on tp valid request' unless authorized
-      authorized = authorized && (roles.count == 0 || (roles & lti_roles).count > 0)
-      logger.info 'not authorized on roles' unless authorized
-      authorized = authorized && @lti_account.validate_nonce(params['oauth_nonce'], DateTime.strptime(params['oauth_timestamp'], '%s'))
-      logger.info 'not authorized on nonce' unless authorized
+
+      if authorized && !(authorized = (roles.count == 0 || (roles & lti_roles).count > 0))
+        logger.info 'not authorized on roles'
+      end
+
+      if authorized && !(authorized = @lti_account.validate_nonce(params['oauth_nonce'], DateTime.strptime(params['oauth_timestamp'], '%s')))
+        logger.info 'not authorized on nonce'
+      end
+
       render :text => 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
+
       # create session on first launch
       current_session
       authorized
     end
 
+    def valid_session?
+      return false unless current_session(create_missing: false)&.persisted?
+      true
+    rescue SessionNonceMismatch
+      false
+    end
+
     # code for method taken from panda_pal v 4.0.8
     # used for safari workaround
     def sanitize_params
@@ -161,11 +159,27 @@ module CoalescingPanda
       end
     end
 
-    def valid_session?
-      return false unless current_session(create_missing: false)&.persisted?
-      true
-    rescue SessionNonceMismatch
-      false
+    def canvas_api_uri
+      @canvas_api_uri ||= begin
+        launch_params = current_session_data[:launch_params] || {}
+        uri = 'canvas.instructure.com'
+        if launch_params[:custom_canvas_api_domain].present?
+          uri = launch_params[:custom_canvas_api_domain]
+        else
+          uri = current_lti_account.settings[:launch_presentation_return_url] || launch_params[:launch_presentation_return_url]
+          unless uri.include?('://')
+            referrer = URI.parse(request.env["HTTP_REFERER"])
+            referrer.path = ''
+            uri = [referrer.to_s, uri].join
+          end
+        end
+
+        uri = ((Rails.env.test? or Rails.env.development?) ? 'http' : 'https') + '://' + uri unless uri.include?('://')
+
+        uri = URI.parse(uri)
+        uri.path = ''
+        uri.to_s
+      end
     end
 
     private

data/lib/coalescing_panda/version.rb

@@ -1,3 +1,3 @@
 module CoalescingPanda
-  VERSION = '5.1.10'
+  VERSION = '5.2.0.beta1'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: coalescing_panda
 version: !ruby/object:Gem::Version
-  version: 5.1.10
+  version: 5.2.0.beta1
 platform: ruby
 authors:
 - Nathan Mills
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-21 00:00:00.000000000 Z
+date: 2021-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -590,9 +590,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.0.3
 signing_key: