panda_pal 5.0.0.beta.3 → 5.0.0.beta.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f40ed131f1e4a21e4b2f804bddb0df1500b7594fb7ddf07e5f8fca3bbe02a7c6
-  data.tar.gz: e27d2f357d57b7dc72952acf7a3d345b39614a5a617a0888737046abbf3f2bae
+  metadata.gz: 689e3885a1cc8e9ae58ed8f07e0089af4d2b82668f8a6cf9f41e053530762d5d
+  data.tar.gz: eb7fea8c5df5b973db4dc0be811f3e5961a0e9b3efd4a012ffde72bdb36f6888
 SHA512:
-  metadata.gz: f6b6dbbcf85c11363e459916df1f0569f9c905ac473d852681bb83e76ec00baa350c531150dc59760c5d0fdd498bcf2c50862f3dbfb5e3d5f0039624aa74d088
-  data.tar.gz: de4c5fd317349625e49e826e622f91b245464f99b1301fe42fbb5ff0a2b8809e4e59f7babe13f0b73cc487db92440d9451d722b784f94d590b58b83ec19d8d7c
+  metadata.gz: 8b994a6c7a7bf474d7e38bfa36efc00d4bfb57913e684f626bf2f457615dcf37346ffed346f0937ebdf50bed19ca2875080f1b69a794358a94f4e7fcc7e518f3
+  data.tar.gz: 399ea543b5c5765348e0ea9f11517d48b384de5939556c25e780a9d312950b5e1bdb58da931b070151c68bdb4a6e574e9844d3977a4594481346aa6c76beaba1

data/README.md

@@ -287,7 +287,7 @@ This will allow `PandaPal` to apply an iframe cookie fix that will allow CSRF va
 It has been a constant struggle to force safari to store and allow
 access to a rails session while the application is embedded in Canvas.
 
-As of PandaPal 5, a forced persistent session is now optional, and defaults to off.
+As of PandaPal 5, a persistent session is no longer required by panda_pal.
 
 This means that safari will likely refuse to send info about your rails session
 back to the LTI, and the application will start up a new session each time the
@@ -299,29 +299,8 @@ You will want to watch out for a few scenarios:
    and have your PandaPal session_key persisted server side.
 2) Use the "Authorization" header with "token={session_key}" to send your
    PandaPal session info into api calls.
-
-You can force a persistent session with -
-PandaPal.lti_options = {
-  require_persistent_session: true
-}
-in your config/initializer.  With that setting, the user will be required to
-allow our application to store / access cookies in safari before they can use
-the LTI.
-
-# Notes on require_persistent_session
-
-IF you must have a persistent session this is the logical flow of how panda_pal
-attempts to set that up.
-
-1) LTI laumches.
-2) LTI will attempt to POST message from iframe to top window (canvas) telling
-   canvas to relaunch in full screen so we aren't inhibited by safari.
-3) LTI will setup session and cookies in full-screen mode.  Session will be saved
-   in browser.
-4) LTI will redirect to an authorization page, that will require user to give
-   access to the session store to our application.
-5) Once the user gives access to the session store, we will reload the LTI
-   and the cookie should now be persistent.
+3) If you use link_to and navigate in your LTI (apps that are not single page)
+   make sure you include an encrypted_session_key parameter in your links.
 
 # Upgrading from PandaPal 4 to 5:
 

data/lib/panda_pal/helpers/controller_helper.rb

@@ -42,29 +42,9 @@ module PandaPal::Helpers::ControllerHelper
       render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
       return authorized
     end
-    if require_persistent_session
-      if cookies_need_iframe_fix?(false)
-        fix_iframe_cookies
-        return false
-      end
-      # For safari we may have been launched temporarily full-screen by canvas.  This allows us to set the session cookie.
-      # In this case, we should make sure the session cookie is fixed and redirect back to canvas to properly launch the embedded LTI.
-      if params[:platform_redirect_url]
-        session[:safari_cookie_fixed] = true
-        redirect_to params[:platform_redirect_url]
-        return false
-      end
-    end
     return authorized
   end
 
-  def require_persistent_session
-    if PandaPal.lti_options.has_key?(:require_persistent_session) && PandaPal.lti_options[:require_persistent_session] == true
-      return true
-    end
-    return false
-  end
-
   def switch_tenant(organization = current_organization, &block)
     return unless organization
     raise 'This method should be called in an around_action callback' unless block_given?
@@ -74,35 +54,8 @@ module PandaPal::Helpers::ControllerHelper
     end
   end
 
-  # Browsers that prevent 3rd party cookies by default (Safari and IE) run into problems
-  # with CSRF handling because the Rails session cookie isn't set. To fix this, we
-  # redirect the current page to the LTI using JavaScript, which will set the cookie,
-  # and then immediately redirect back to Canvas.
-  def fix_iframe_cookies
-    if params[:safari_cookie_authorized].present?
-      session[:safari_cookie_authorized] = true
-      redirect_to params[:return_to]
-    elsif (session[:safari_cookie_fixed] && !params[:safari_cookie_authorized])
-      render 'panda_pal/lti/iframe_cookie_authorize', layout: false
-    else
-      render 'panda_pal/lti/iframe_cookie_fix', layout: false
-    end
-  end
-
-  def cookies_need_iframe_fix?(check_authorized=true)
-    if check_authorized
-      return browser.safari? && !request.referrer&.include?('sessionless_launch') && !(session[:safari_cookie_fixed] && session[:safari_cookie_authorized]) && !params[:platform_redirect_url]
-    else
-      return browser.safari? && !request.referrer&.include?('sessionless_launch') && !session[:safari_cookie_fixed] && !params[:platform_redirect_url]
-    end
-  end
-
   def forbid_access_if_lacking_session
-    if require_persistent_session && cookies_need_iframe_fix?(true)
-      fix_iframe_cookies
-    else
-      render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
-    end
+    render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
     safari_override
   end
 

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.0.0.beta.3"
+  VERSION = "5.0.0.beta.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-  version: 5.0.0.beta.3
+  version: 5.0.0.beta.4
 platform: ruby
 authors:
 - Instructure ProServe
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-21 00:00:00.000000000 Z
+date: 2020-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -165,8 +165,6 @@ files:
 - app/models/panda_pal/organization.rb
 - app/models/panda_pal/session.rb
 - app/views/layouts/panda_pal/application.html.erb
-- app/views/panda_pal/lti/iframe_cookie_authorize.html.erb
-- app/views/panda_pal/lti/iframe_cookie_fix.html.erb
 - app/views/panda_pal/lti/launch.html.erb
 - config/initializers/apartment.rb
 - config/routes.rb

data/app/views/panda_pal/lti/iframe_cookie_authorize.html.erb

@@ -1,19 +0,0 @@
-<html>
-  <p>Safari requires your consent to access session information when applications are hosted inside of Canvas.  Please consent by clicking the following button.</p>
-  <button id="myButton">Authorize application to use browser session</button>
-  <script nonce=<%= content_security_policy_script_nonce %>>
-    function makeRequestWithUserGesture() {
-      var promise = document.requestStorageAccess();
-      promise.then(
-        function () {
-          var referrer = document.referrer;
-          window.location='?safari_cookie_authorized=true&return_to='.concat(encodeURI(window.location));
-        },
-        function () {
-          // If the user doesn't consent, then do nothing.
-        }
-      );
-    }
-    document.getElementById("myButton").addEventListener("click", makeRequestWithUserGesture);
-  </script>
-</html>

data/app/views/panda_pal/lti/iframe_cookie_fix.html.erb

@@ -1,12 +0,0 @@
-<script nonce=<%= content_security_policy_script_nonce %>>
-  const mainWindow = window.parent;
-  var url = window.location.href;
-  // Until PLAT-4836 is resolved, we need to make sure our url has a "?" in it.
-  if (!(url.indexOf("?") > -1)) {
-    url = url + "?dummy_param=1"
-  }
-  mainWindow.postMessage({
-    messageType: "requestFullWindowLaunch",
-    data: url
-  }, '*');
-</script>