panda_pal 5.3.4 → 5.3.5

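--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 6c598919f88d72cc23c02724fe9689b051ee82d553b8328e528253ec8e4f6622
-data.tar.gz: 24b76f1904796d1672cb060482f63fc76fa56d34e8b248aad9480ac01e21fa3c
+metadata.gz: 751203d046fbd547e8f194feabb335a81a08be96f6a557712f1673d139576a29
+data.tar.gz: b06b642432ce0d1e4a42a4bc93520b3782c6d8cce801e91508b296be60501482
 SHA512:
-metadata.gz: 75ea92798635fa208e51fc29d492c37fc8b75429b97a8e9e814e07b95e393d26aa03fe1599c42ed4a5dcbd1cb85b2d438a4d8a99ae17d885b7791c0458c4c749
-data.tar.gz: 2cabc475ece25dadd88da19d3667e80a0f2d94d875d85cf05b244d692b0438771140cf4b9cc9d355f46c46aeca98583cb96323d7ee58c81eed8074cc7a7b87b8
+metadata.gz: cc338a137cec8f7abb900b801ace89f1588b265d534babf98f6bb940307289b8a3175a9ce0d5d70a5ddeb520f3525d13e1ba0f7e52df34e75c6fda40ca03a3de
+data.tar.gz: 717e7355ae2cfb990f40c589df6c29c138f55d660fa0095367a275e000a7041e98e99ec631f6dd1bf9e9f3068c7a01006d4a3580ac017cb358a18b9c9711a87f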
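--- a/data/README.md
+++ b/data/README.md
@@ -376,6 +376,24 @@ You will want to watch out for a few scenarios:
 link_to "Name", url_with_session(:somewhere_else_path, arg, kwarg: 1)
 ```
 
+Persistent sessions have session_tokens as a way to safely communicate a session key in a way that is hopefully not too persistent in case it is logged somewhere.
+Options for communicating session_token -
+:nonce (default) - each nonce is good for exactly one communication with the backend server. Once the nonce is used, it is no longer valid.
+:fixed_ip - each session_token is good until it expires. It must be used from the same ip the LTI launched from.
+:expiring - this is the least secure. Each token is good until it expires.
+
+For :fixed_ip and :expiring tokens you can override the default expiration period of 15 minutes.
+
+See the following example of how to override the link_nonce_type and token expiration length.
+
+class ApplicationController < ActionController::Base
+link_nonce_type :fixed_ip
+def session_expiration_period_minutes
+120
+end
+...
+end
+
 ### Previous Safari Instructions
 Safari is weird and you'll potentially run into issues getting `POST` requests to properly validate CSRF if you don't do the following:
 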
@@ -62,7 +62,7 @@ module PandaPal::Helpers
62
62
  raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?
63
63
 
64
64
  client_id = decoded_jwt['aud']
65
- @organization = PandaPal::Organization.find_by!(key: 'PandaPal') # client_id)
65
+ @organization = PandaPal::Organization.find_by!(key: client_id)
66
66
  raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
67
67
 
68
68
  decoded_jwt.verify!(current_lti_platform.public_jwks)
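Review bot: `find_by!` on the new line raises ActiveRecord::RecordNotFound for an unknown `aud`, so the `'Unrecognized Organization'` JSON::JWT::VerificationFailed raise on the very next line can never fire and callers rescuing VerificationFailed will not see this case; `@organization = PandaPal::Organization.find_by(key: client_id)` keeps the existing raise meaningful. Reading `decoded_jwt['aud']` before `verify!` runs at the end of the hunk is acceptable for selecting the tenant whose keys verify the token, but only if `current_lti_platform` is derived from `@organization` so that a forged `aud` cannot pick one organization and verify with another's keys — worth confirming, since that lookup is outside the hunk. Per RFC 7519 the `aud` claim may also be an array, in which case `find_by(key: [...])` becomes an IN query matching any listed audience; if multi-valued audiences are possible here, select the expected one explicitly. The enclosing method starts and ends outside the hunk.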
@@ -32,13 +32,14 @@ module PandaPal::Helpers
32
32
  if params[:session_token]
33
33
  payload = JSON.parse(session_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
34
34
  matched_session = find_or_create_session(key: payload[:session_key])
35
-
36
35
  if matched_session.present?
37
36
  if payload[:token_type] == 'nonce' && matched_session.data[:link_nonce] == payload[:nonce]
38
37
  @current_session = matched_session
39
38
  @current_session.data[:link_nonce] = nil
40
39
  elsif payload[:token_type] == 'fixed_ip' && matched_session.data[:remote_ip] == request.remote_ip &&
41
- DateTime.parse(matched_session.data[:last_ip_token_requested]) > 15.minutes.ago
40
+ DateTime.parse(matched_session.data[:last_ip_token_requested]) > session_expiration_period_minutes.minutes.ago
41
+ @current_session = matched_session
42
+ elsif payload[:token_type] == 'expiring' && DateTime.parse(matched_session.data[:last_token_requested]) > session_expiration_period_minutes.minutes.ago
42
43
  @current_session = matched_session
43
44
  end
44
45
  end
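Review bot: The new `:expiring` branch calls `DateTime.parse(matched_session.data[:last_token_requested])` with no nil check, and if `find_or_create_session` creates a fresh session as its name suggests, that data is empty and `DateTime.parse(nil)` raises TypeError, turning a token that should simply not authenticate into a server error; guard it as `elsif payload[:token_type] == 'expiring' && matched_session.data[:last_token_requested].present? && DateTime.parse(matched_session.data[:last_token_requested]) > session_expiration_period_minutes.minutes.ago`. The `:fixed_ip` branch is less exposed because its parse is reached only after the `remote_ip` comparison, and the later hunk sets `remote_ip` and `last_ip_token_requested` together. Since an expiring token is bound to nothing but the session and stays replayable for the whole window, a comment on the branch such as `# 'expiring' tokens are bearer tokens: any holder can use them until the window closes` would make that trade-off visible at the check. The enclosing method begins and ends outside the hunk.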
@@ -111,6 +112,8 @@ module PandaPal::Helpers
111
112
  elsif type == 'fixed_ip'
112
113
  current_session_data[:remote_ip] ||= request.remote_ip
113
114
  current_session_data[:last_ip_token_requested] = DateTime.now.iso8601
115
+ elsif type == 'expiring'
116
+ current_session_data[:last_token_requested] = DateTime.now.iso8601
114
117
  else
115
118
  raise StandardError, "Unsupported link_nonce_type: '#{type}'"
116
119
  end
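Review bot: `current_session_data[:last_token_requested] = DateTime.now.iso8601` re-stamps the session on every token request, and the verification hunk above compares against that shared timestamp rather than anything carried in the token (it reads only `session_key`, `token_type` and `nonce` from the payload), so every previously issued expiring token is extended whenever a newer one is minted — the lifetime is a sliding window per session, not per token. If a fixed lifetime per token is intended, put the issue time into the encrypted payload next to `token_type` and compare that on the way in; the payload already goes through `session_cryptor.decrypt_and_verify`, so it cannot be tampered with. The same observation applies to `last_ip_token_requested` on the `:fixed_ip` branch, which the commit leaves as is. `DateTime` is legacy in current Ruby; `Time.now.utc.iso8601` yields the same serialized form. The enclosing method lies outside the hunk.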
@@ -123,6 +126,10 @@ module PandaPal::Helpers
123
126
  self.class.link_nonce_type
124
127
  end
125
128
 
129
+ def session_expiration_period_minutes
130
+ 15
131
+ end
132
+
126
133
  private
127
134
 
128
135
  def session_cryptor
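Review bot: `session_expiration_period_minutes` is added above the `private` marker, so it becomes a public instance method on every controller that includes this helper and therefore an action-method candidate should a route ever map to it; the README-documented override works just as well for a private method, so consider defining it below `private` (subclasses can still override it there). It also lacks any documentation of its unit or role, which a one-line comment fixes: `# Minutes an :expiring or :fixed_ip session_token stays valid; override in the host controller.`. The added method is complete within the hunk; `session_cryptor` on the last line continues outside it.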
@@ -1,3 +1,3 @@
1
1
  module PandaPal
2
- VERSION = "5.3.4"
2
+ VERSION = "5.3.5"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: panda_pal
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.3.4
4
+ version: 5.3.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - Instructure ProServe
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-09-30 00:00:00.000000000 Z
11
+ date: 2020-10-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rails