panda_pal 4.0.2 → 4.0.3

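--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: afe38f771fc25a97396ec32fe2a0a9d2492026145469a1c6995c4d320eaff626
- data.tar.gz: 035e59312c1e871de23f1cd589810e4298d5bdf41252b6b1d7051c334ad02895
+ metadata.gz: 5417c78c9e0bcfbf54c14f734f2557bc404b2cd8468308dadec444990504ddae
+ data.tar.gz: 662611dc5ee5bdea1e9ed4fc288c0ba3ac9a2f719245d08666118f4254e46bd1
  SHA512:
- metadata.gz: 41a6fb8d81d599434f6103e8158bda1529a1cdf743af3b25e9b7dc66cf0b3c23a2cb053943a5b346a13f150b7ed8934c0cdfc42f50f598977263ddf6a6c97d8c
- data.tar.gz: 7a11d36cbf9ff16743896326e3b4a3fc04bbe85a4513fbd84593f357433a4e93b268eab8df771c241a1e3305d72e9e3dcd39c379beeca8b6fc8d6e0392b878c6
+ metadata.gz: af4e16b5a96d1aca7b4a5f427738ee3059668af3d66ec7f4d56cadf2bafa1b838296b3bbf17033b2893e5a9d7d9e8656d0e2483a09d96f8ddcdc34a278fbf5fd
+ data.tar.gz: fdd6010fa02960f3e9a613a3e4c0f28ee42c1b13318b61660b973ca1bd5611d88c1a96f2d17e7addc98505fb02a47b361a0665a8673c5694b07a46e3b75740ee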
@@ -1,4 +1,12 @@
1
1
  <script nonce=<%= content_security_policy_script_nonce %>>
2
- var referrer = document.referrer;
3
- top.window.location='?safari_cookie_fix=true&return_to='.concat(encodeURI(referrer));
2
+ const mainWindow = window.parent;
3
+ var url = window.location.href;
4
+ // Until PLAT-4836 is resolved, we need to make sure our url has a "?" in it.
5
+ if (!(url.indexOf("?") > -1)) {
6
+ url = url + "?dummy_param=1"
7
+ }
8
+ mainWindow.postMessage({
9
+ messageType: "requestFullWindowLaunch",
10
+ data: url
11
+ }, '*');
4
12
  </script>
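Review bot: The added `mainWindow.postMessage({...}, '*')` uses a wildcard target origin, so the full `window.location.href` is delivered to whichever page happens to be framing this view, not only the LMS. Launch URLs can carry query parameters that should not be shared with an arbitrary parent, so pass the expected platform origin instead, e.g. `}, platformOrigin);`, where `platformOrigin` is a placeholder name for a value rendered server-side from the organization's known platform URL. A comment above the call stating which parent is expected to handle `requestFullWindowLaunch` would also help the next reader.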
@@ -27,11 +27,32 @@ module PandaPal::Helpers::ControllerHelper
27
27
  def validate_launch!
28
28
  authorized = false
29
29
  if @organization = params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
30
- authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, request.request_parameters, @organization.secret)
30
+ sanitized_params = request.request_parameters
31
+ # These params come over with a safari-workaround launch. The authenticator doesn't like them, so clean them out.
32
+ safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
33
+ safe_unexpected_params.each do |p|
34
+ sanitized_params.delete(p)
35
+ end
36
+ authenticator = IMS::LTI::Services::MessageAuthenticator.new(request.original_url, sanitized_params, @organization.secret)
31
37
  authorized = authenticator.valid_signature?
32
38
  end
33
- render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
34
- authorized
39
+ # short-circuit if we know the user is not authorized.
40
+ if !authorized
41
+ render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
42
+ return authorized
43
+ end
44
+ if cookies_need_iframe_fix?
45
+ fix_iframe_cookies
46
+ return false
47
+ end
48
+ # For safari we may have been launched temporarily full-screen by canvas. This allows us to set the session cookie.
49
+ # In this case, we should make sure the session cookie is fixed and redirect back to canvas to properly launch the embedded LTI.
50
+ if params[:platform_redirect_url]
51
+ session[:safari_cookie_fixed] = true
52
+ redirect_to params[:platform_redirect_url]
53
+ return false
54
+ end
55
+ return authorized
35
56
  end
36
57
 
37
58
  def switch_tenant(organization = current_organization, &block)
@@ -57,7 +78,7 @@ module PandaPal::Helpers::ControllerHelper
57
78
  end
58
79
 
59
80
  def cookies_need_iframe_fix?
60
- browser.safari? && !request.referrer&.include?('sessionless_launch') && !session[:safari_cookie_fixed]
81
+ browser.safari? && !request.referrer&.include?('sessionless_launch') && !session[:safari_cookie_fixed] && !params[:platform_redirect_url]
61
82
  end
62
83
 
63
84
  def forbid_access_if_lacking_session
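Review bot: `redirect_to params[:platform_redirect_url]` in `validate_launch!` sends the browser to a URL taken straight from the request, and the same hunk removes `platform_redirect_url` from the parameters handed to `MessageAuthenticator`, so the value appears not to be covered by the signature check. As written, a launch that passes validation can carry an arbitrary redirect target, which is an open redirect. Guard the branch with a host check, e.g. `if params[:platform_redirect_url] && allowed_platform_host?(params[:platform_redirect_url])`, where `allowed_platform_host?` is a placeholder for a helper that parses the URL and compares its host with the organization's configured platform host, and reject the request otherwise. Separately, `sanitized_params.delete(p)` mutates the hash returned by `request.request_parameters` rather than a copy; `sanitized_params = request.request_parameters.except(*safe_unexpected_params)` avoids that.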
@@ -1,3 +1,3 @@
1
1
  module PandaPal
2
- VERSION = "4.0.2"
2
+ VERSION = "4.0.3"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: panda_pal
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.0.2
4
+ version: 4.0.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Instructure ProServe
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-07-31 00:00:00.000000000 Z
11
+ date: 2019-08-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails