panda_pal 5.0.0.beta.3 → 5.0.0.beta.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f40ed131f1e4a21e4b2f804bddb0df1500b7594fb7ddf07e5f8fca3bbe02a7c6
4
- data.tar.gz: e27d2f357d57b7dc72952acf7a3d345b39614a5a617a0888737046abbf3f2bae
3
+ metadata.gz: 689e3885a1cc8e9ae58ed8f07e0089af4d2b82668f8a6cf9f41e053530762d5d
4
+ data.tar.gz: eb7fea8c5df5b973db4dc0be811f3e5961a0e9b3efd4a012ffde72bdb36f6888
5
5
  SHA512:
6
- metadata.gz: f6b6dbbcf85c11363e459916df1f0569f9c905ac473d852681bb83e76ec00baa350c531150dc59760c5d0fdd498bcf2c50862f3dbfb5e3d5f0039624aa74d088
7
- data.tar.gz: de4c5fd317349625e49e826e622f91b245464f99b1301fe42fbb5ff0a2b8809e4e59f7babe13f0b73cc487db92440d9451d722b784f94d590b58b83ec19d8d7c
6
+ metadata.gz: 8b994a6c7a7bf474d7e38bfa36efc00d4bfb57913e684f626bf2f457615dcf37346ffed346f0937ebdf50bed19ca2875080f1b69a794358a94f4e7fcc7e518f3
7
+ data.tar.gz: 399ea543b5c5765348e0ea9f11517d48b384de5939556c25e780a9d312950b5e1bdb58da931b070151c68bdb4a6e574e9844d3977a4594481346aa6c76beaba1
data/README.md CHANGED
@@ -287,7 +287,7 @@ This will allow `PandaPal` to apply an iframe cookie fix that will allow CSRF va
287
287
  It has been a constant struggle to force safari to store and allow
288
288
  access to a rails session while the application is embedded in Canvas.
289
289
 
290
- As of PandaPal 5, a forced persistent session is now optional, and defaults to off.
290
+ As of PandaPal 5, a persistent session is no longer required by panda_pal.
291
291
 
292
292
  This means that safari will likely refuse to send info about your rails session
293
293
  back to the LTI, and the application will start up a new session each time the
@@ -299,29 +299,8 @@ You will want to watch out for a few scenarios:
299
299
  and have your PandaPal session_key persisted server side.
300
300
  2) Use the "Authorization" header with "token={session_key}" to send your
301
301
  PandaPal session info into api calls.
302
-
303
- You can force a persistent session with -
304
- PandaPal.lti_options = {
305
- require_persistent_session: true
306
- }
307
- in your config/initializer. With that setting, the user will be required to
308
- allow our application to store / access cookies in safari before they can use
309
- the LTI.
310
-
311
- # Notes on require_persistent_session
312
-
313
- IF you must have a persistent session this is the logical flow of how panda_pal
314
- attempts to set that up.
315
-
316
- 1) LTI laumches.
317
- 2) LTI will attempt to POST message from iframe to top window (canvas) telling
318
- canvas to relaunch in full screen so we aren't inhibited by safari.
319
- 3) LTI will setup session and cookies in full-screen mode. Session will be saved
320
- in browser.
321
- 4) LTI will redirect to an authorization page, that will require user to give
322
- access to the session store to our application.
323
- 5) Once the user gives access to the session store, we will reload the LTI
324
- and the cookie should now be persistent.
302
+ 3) If you use link_to and navigate in your LTI (apps that are not single page)
303
+ make sure you include an encrypted_session_key parameter in your links.
325
304
 
326
305
  # Upgrading from PandaPal 4 to 5:
327
306
 
@@ -42,29 +42,9 @@ module PandaPal::Helpers::ControllerHelper
42
42
  render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
43
43
  return authorized
44
44
  end
45
- if require_persistent_session
46
- if cookies_need_iframe_fix?(false)
47
- fix_iframe_cookies
48
- return false
49
- end
50
- # For safari we may have been launched temporarily full-screen by canvas. This allows us to set the session cookie.
51
- # In this case, we should make sure the session cookie is fixed and redirect back to canvas to properly launch the embedded LTI.
52
- if params[:platform_redirect_url]
53
- session[:safari_cookie_fixed] = true
54
- redirect_to params[:platform_redirect_url]
55
- return false
56
- end
57
- end
58
45
  return authorized
59
46
  end
60
47
 
61
- def require_persistent_session
62
- if PandaPal.lti_options.has_key?(:require_persistent_session) && PandaPal.lti_options[:require_persistent_session] == true
63
- return true
64
- end
65
- return false
66
- end
67
-
68
48
  def switch_tenant(organization = current_organization, &block)
69
49
  return unless organization
70
50
  raise 'This method should be called in an around_action callback' unless block_given?
@@ -74,35 +54,8 @@ module PandaPal::Helpers::ControllerHelper
74
54
  end
75
55
  end
76
56
 
77
- # Browsers that prevent 3rd party cookies by default (Safari and IE) run into problems
78
- # with CSRF handling because the Rails session cookie isn't set. To fix this, we
79
- # redirect the current page to the LTI using JavaScript, which will set the cookie,
80
- # and then immediately redirect back to Canvas.
81
- def fix_iframe_cookies
82
- if params[:safari_cookie_authorized].present?
83
- session[:safari_cookie_authorized] = true
84
- redirect_to params[:return_to]
85
- elsif (session[:safari_cookie_fixed] && !params[:safari_cookie_authorized])
86
- render 'panda_pal/lti/iframe_cookie_authorize', layout: false
87
- else
88
- render 'panda_pal/lti/iframe_cookie_fix', layout: false
89
- end
90
- end
91
-
92
- def cookies_need_iframe_fix?(check_authorized=true)
93
- if check_authorized
94
- return browser.safari? && !request.referrer&.include?('sessionless_launch') && !(session[:safari_cookie_fixed] && session[:safari_cookie_authorized]) && !params[:platform_redirect_url]
95
- else
96
- return browser.safari? && !request.referrer&.include?('sessionless_launch') && !session[:safari_cookie_fixed] && !params[:platform_redirect_url]
97
- end
98
- end
99
-
100
57
  def forbid_access_if_lacking_session
101
- if require_persistent_session && cookies_need_iframe_fix?(true)
102
- fix_iframe_cookies
103
- else
104
- render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
105
- end
58
+ render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
106
59
  safari_override
107
60
  end
108
61
 
@@ -1,3 +1,3 @@
1
1
  module PandaPal
2
- VERSION = "5.0.0.beta.3"
2
+ VERSION = "5.0.0.beta.4"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: panda_pal
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.0.0.beta.3
4
+ version: 5.0.0.beta.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Instructure ProServe
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-05-21 00:00:00.000000000 Z
11
+ date: 2020-06-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails
@@ -165,8 +165,6 @@ files:
165
165
  - app/models/panda_pal/organization.rb
166
166
  - app/models/panda_pal/session.rb
167
167
  - app/views/layouts/panda_pal/application.html.erb
168
- - app/views/panda_pal/lti/iframe_cookie_authorize.html.erb
169
- - app/views/panda_pal/lti/iframe_cookie_fix.html.erb
170
168
  - app/views/panda_pal/lti/launch.html.erb
171
169
  - config/initializers/apartment.rb
172
170
  - config/routes.rb
@@ -1,19 +0,0 @@
1
- <html>
2
- <p>Safari requires your consent to access session information when applications are hosted inside of Canvas. Please consent by clicking the following button.</p>
3
- <button id="myButton">Authorize application to use browser session</button>
4
- <script nonce=<%= content_security_policy_script_nonce %>>
5
- function makeRequestWithUserGesture() {
6
- var promise = document.requestStorageAccess();
7
- promise.then(
8
- function () {
9
- var referrer = document.referrer;
10
- window.location='?safari_cookie_authorized=true&return_to='.concat(encodeURI(window.location));
11
- },
12
- function () {
13
- // If the user doesn't consent, then do nothing.
14
- }
15
- );
16
- }
17
- document.getElementById("myButton").addEventListener("click", makeRequestWithUserGesture);
18
- </script>
19
- </html>
@@ -1,12 +0,0 @@
1
- <script nonce=<%= content_security_policy_script_nonce %>>
2
- const mainWindow = window.parent;
3
- var url = window.location.href;
4
- // Until PLAT-4836 is resolved, we need to make sure our url has a "?" in it.
5
- if (!(url.indexOf("?") > -1)) {
6
- url = url + "?dummy_param=1"
7
- }
8
- mainWindow.postMessage({
9
- messageType: "requestFullWindowLaunch",
10
- data: url
11
- }, '*');
12
- </script>