panda_pal 5.12.9 → 5.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8f1101fcff4fef0cb7d541ab3bab4cc55073e8c31ed1605990efe8a561c389b
-  data.tar.gz: aa35bbe30ae591094643f584b2840d5ff0404cc7655882f0f436761ba82bc9e1
+  metadata.gz: bde41047ef682bd599b2ee621fdb050dc3d4269eca64272f1415c667dbbbffe2
+  data.tar.gz: 9a3cb2ccab6721ceae849e29a7080685575578997fa310e0f912c2cb2888a4ea
 SHA512:
-  metadata.gz: 2d22eeeef183b3f16c3000a312e57308fc432b558096f69c5ee63df9fafb3d60c09d5b253f3675257e7539a9e5ca54c464954be6e753058c6e6a01d4f765ccdb
-  data.tar.gz: 466e22660f22fe7d79a86d46576f1e0704d35b88332324b1f444e5b4d892c758d9331628d05153bd521489275f08d4ed00f6b12799bc491809fe791d5a784f39
+  metadata.gz: 11e6da03b76101f436cf2581192df1d68308e2568fd193e58ec64ada4d95305cfc5ed96994ce0fa5e718dd1f135c2975605179515dc53210429d5e1c8c5d2b64
+  data.tar.gz: e349ae30482529c6df4137b856f3383a58b4a4244e4ac0735790fe41ae69dd2af7a25839931b8d5adbdbad4af8f64df45e64d2e5e4e4acd62ff00900d30bb7a7

data/README.md

@@ -218,7 +218,7 @@ namespace :lti_tasks do
   desc 'some rake task'
   task some_rake_task: :environment do
     PandaPal::Organization.all.each do |org|
-      switch_tenant(org.name) do
+      org.switch_tenant do
         SomeJob.perform_later
       end
     end
@@ -231,7 +231,6 @@ Controllers will automatically have access to a number of methods that can be he
 
 * `validate_launch!` - should be used in any tool launch points, and will verify that the launch request received from Canvas is legitimate based on the saved key and secret.
 * `current_session` - PandaPal provides support to use database persisted sessions, rather than the standard rails variety, as these play better when the tool is launched in an `iframe`.  The `session_key` attribute from the returned object needs to be served to the client at some point during the launch and during subsequent requests.  The benefit from this is that sessions will exist entirely in the frame used to launch the tool, and will not be visible should the user be accessing the tool in other contexts simultaneously.  See section below for more information about this method.
-* `current_session_data` - Shortcut method to access the `data` hash given by the above method.
 * `current_organization` - Used to return the organization related to the currently selected tenant.  See section below for more information about this method.
 * `session_changed?` - returns true if the session given by `current_session` has been modified during the request.
 * `save_session` - Saves the session given by `current_session` to the database.
@@ -558,13 +557,13 @@ class LaunchController < ApplicationController
   # request, and Canvas wouldn't know anything about the CSRF
   skip_before_action :verify_authenticity_token
   skip_before_action :forbid_access_if_lacking_session # We don't have a session yet
-  around_action :switch_tenant
   before_action :validate_launch!
+  around_action :switch_tenant
   before_action :handle_launch
 
   def handle_launch
-    current_session_data[:canvas_user_id] = params[:custom_canvas_user_id]
-    current_session_data[:canvas_course_id] = params[:custom_canvas_course_id]
+    current_session[:canvas_user_id] = params[:custom_canvas_user_id]
+    current_session[:canvas_course_id] = params[:custom_canvas_course_id]
   end
 
   def account

data/app/controllers/panda_pal/lti_v1_p0_controller.rb

@@ -8,8 +8,12 @@ module PandaPal
       skip_before_action :verify_authenticity_token, raise: false
     end
 
+    before_action ->{ validate_launch!(version: :v1p0) }, only: [:launch]
+    around_action :switch_tenant, only: [:launch]
+
+    # LTI v1 Auto-Launch Action
     def launch
-      current_session_data.merge!({
+      current_session.data.merge!({
         lti_version: 'v1p0',
         lti_launch_placement: params[:launch_type],
         launch_params: params.to_unsafe_h,

data/app/controllers/panda_pal/lti_v1_p3_controller.rb

@@ -8,7 +8,7 @@ module PandaPal
       skip_before_action :verify_authenticity_token, raise: false
     end
 
-    before_action :validate_launch!, only: [:resource_link_request]
+    before_action ->{ validate_launch!(version: :v1p3) }, only: [:resource_link_request]
     around_action :switch_tenant, only: [:resource_link_request]
     before_action :enforce_environment!, only: [:resource_link_request]
 
@@ -18,10 +18,12 @@ module PandaPal
     def login
       @current_lti_platform = PandaPal::Platform.resolve_platform(params)
 
-      current_session_data[:lti_platform] = @current_lti_platform&.serialize
-      current_session_data[:lti_oauth_nonce] = SecureRandom.uuid
-      current_session_data[:canvas_environment] = params['canvas_environment']
-      current_session_data[:canvas_region] = params['canvas_region']
+      start_panda_session!
+
+      current_session[:lti_platform] = @current_lti_platform&.serialize
+      current_session[:lti_oauth_nonce] = SecureRandom.uuid
+      current_session[:canvas_environment] = params['canvas_environment']
+      current_session[:canvas_region] = params['canvas_region']
       current_session.panda_pal_organization_id = -1
 
       @form_action = current_lti_platform.authentication_redirect_url
@@ -36,7 +38,7 @@ module PandaPal
         login_hint: params.require(:login_hint),
         lti_message_hint: params.require(:lti_message_hint),
         state: current_session.session_key,
-        nonce: current_session_data[:lti_oauth_nonce]
+        nonce: current_session[:lti_oauth_nonce]
       }
     end
 
@@ -44,7 +46,7 @@ module PandaPal
       ltype = @decoded_lti_jwt['https://www.instructure.com/placement']
 
       if ltype
-        current_session_data.merge!({
+        current_session.data.merge!({
           lti_version: 'v1p3',
           lti_launch_placement: ltype,
           launch_params: @decoded_lti_jwt,
@@ -140,7 +142,7 @@ module PandaPal
     end
 
     def enforce_environment!
-      canvas_env = current_session_data[:canvas_environment]
+      canvas_env = current_session[:canvas_environment]
       return unless canvas_env.present?
 
       org_canvas_url = current_organization.canvas_url

data/app/models/panda_pal/organization.rb

@@ -80,8 +80,8 @@ module PandaPal
       # production environment might not have loaded secret_key_base yet.
       # In that case, just read it from env.
       secret_key_base = Rails.application.try(:secret_key_base)
-      secret_key_base ||= Rails.Rails.application.credentials.secret_key_base if Rails.version > "7.0"
-      secret_key_base ||= Rails.Rails.application.secrets.secret_key_base if Rails.version < "7.2"
+      secret_key_base ||= Rails.application.credentials.secret_key_base if Rails.version > "7.0"
+      secret_key_base ||= Rails.application.secrets.secret_key_base if Rails.version < "7.2"
       secret_key_base ||= ENV["SECRET_KEY_BASE"]
 
       secret_key_base[0,32]

data/app/models/panda_pal/organization_concerns/task_scheduling.rb

@@ -199,7 +199,7 @@ module PandaPal
           task = Organization._schedule_descriptors[task_key]
           worker = task[:worker]
 
-          Apartment::Tenant.switch(org.name) do
+          org.switch_tenant do
             if worker.is_a?(Proc)
               return org.instance_exec(&worker)
             elsif worker.is_a?(Symbol)

data/config/initializers/apartment.rb

@@ -215,11 +215,11 @@ end
 
 Rails.application.config.middleware.use Apartment::Elevators::Generic, lambda { |request|
   if match = request.path.match(/\/(?:orgs?|organizations?)\/(\d+)/)
-    PandaPal::Organization.find_by(id: match[1]).try(:name)
+    PandaPal::Organization.find_by(id: match[1]).try(:tenant_name)
   elsif match = request.path.match(/\/(?:orgs?|organizations?|o)\/(\w+)/)
-    PandaPal::Organization.find_by(name: match[1]).try(:name)
+    PandaPal::Organization.find_by(name: match[1]).try(:tenant_name)
   elsif request.path.start_with?('/rails/active_storage/blobs/')
-    PandaPal::Organization.find_by(id: request.params['organization_id']).try(:name)
+    PandaPal::Organization.find_by(id: request.params['organization_id']).try(:tenant_name)
   end
 }
 

data/lib/panda_pal/concerns/ability_helper.rb

@@ -30,7 +30,7 @@ module PandaPal::Concerns
         raise "Ability class needs to set @panda_pal_session or @controller to use this feature"
       end
 
-      @panda_pal_session = @controller.current_session(create_missing: false) unless defined?(@panda_pal_session)
+      @panda_pal_session = @controller.current_panda_session unless defined?(@panda_pal_session)
 
       if @panda_pal_session.is_a?(Hash)
         # This is a breaking-change to CanvasSync, but not to PandaPal

data/lib/panda_pal/engine.rb

@@ -58,21 +58,19 @@ module PandaPal
       class ::Object
         unless defined?(switch_tenant)
           def switch_tenant(tenant, &block)
-            if block_given?
-              Apartment::Tenant.switch(tenant, &block)
+            if tenant.to_s.include?(":")
+              if block_given?
+                Apartment::Tenant.switch(tenant, &block)
+              else
+                Apartment::Tenant.switch!(tenant)
+              end
             else
-              Apartment::Tenant.switch!(tenant)
+              org = PandaPal::Organization.find_by(name: tenant)
+              org.switch_tenant(&block)
             end
           end
         end
 
-        unless defined?(switch_org)
-          def switch_org(org, &block)
-            org = PandaPal::Organization.for_apt_tenant(org) if org.is_a?(String)
-            org.switch_tenant(&block)
-          end
-        end
-
         unless defined?(current_organization)
           def current_organization
             PandaPal::Organization.for_apt_tenant(Apartment::Tenant.current)
@@ -185,7 +183,7 @@ module PandaPal
 
               if org
                 org.switch_tenant
-                puts "PandaPal: Auto Switched to tenant '#{org.name}'"
+                puts "PandaPal: Auto Switched to tenant '#{org.tenant_name}'"
               end
             rescue => err
               puts "PandaPal: Error occurred auto-switching tenant: #{err}"

data/lib/panda_pal/helpers/controller_helper.rb

@@ -7,27 +7,38 @@ module PandaPal::Helpers
     include SessionReplacement
 
     def current_organization
-      @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key
-      @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id
-      @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
+      @organization ||= current_session&.panda_pal_organization
+      @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key # Deprecated
+      @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id # Deprecated
+      @organization ||= PandaPal::Organization.for_apt_tenant(Apartment::Tenant.current)
     end
 
     def current_lti_platform
-      @current_lti_platform ||= current_session(create_missing: false)&.lti_platform
+      @current_lti_platform ||= current_panda_session&.lti_platform
     end
 
     def lti_launch_params
-      current_session_data[:launch_params]
+      current_panda_session[:launch_params]
     end
 
-    def validate_launch!
+    def validate_launch!(version: :any)
       safari_override
 
-      if params[:id_token].present?
-        validate_v1p3_launch
-      elsif params[:oauth_consumer_key].present?
-        validate_v1p0_launch
+      version = %i[v1p0 v1p3] if version == :any
+
+      if version.is_a?(Array)
+        version = case
+        when params[:id_token].present?
+          :v1p3
+        when params[:oauth_consumer_key].present?
+          :v1p0
+        end
       end
+
+      valmthd = :"validate_#{version}_launch"
+      return send(valmthd) if respond_to?(valmthd)
+
+      render plain: 'Failed to validate LTI launch', status: :unauthorized
     end
 
     def validate_v1p0_launch
@@ -48,10 +59,11 @@ module PandaPal::Helpers
       end
 
       if !authorized
-        render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
+        render plain: 'Failed to validate LTI v1p0 launch', :status => :unauthorized
+        return false
       end
 
-      authorized
+      start_panda_session!
     end
 
     def validate_v1p3_launch
@@ -81,12 +93,12 @@ module PandaPal::Helpers
         decoded_jwt.verify!(current_lti_platform.public_jwks(force: true))
       end
 
-      raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']
+      raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_panda_session[:lti_oauth_nonce] == decoded_jwt['nonce']
 
       jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
       raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
 
-      current_session.update(panda_pal_organization: @organization)
+      current_panda_session.update(panda_pal_organization: @organization)
 
       @decoded_lti_jwt = decoded_jwt
     rescue JSON::JWT::VerificationFailed => e
@@ -106,9 +118,7 @@ module PandaPal::Helpers
       return unless organization
       raise 'This method should be called in an around_action callback' unless block_given?
 
-      Apartment::Tenant.switch(organization.name) do
-        yield
-      end
+      organization.switch_tenant(&block)
     end
 
     def forbid_access_if_lacking_session
@@ -117,10 +127,10 @@ module PandaPal::Helpers
     end
 
     def valid_session?
-      return false unless current_session(create_missing: false)&.persisted?
+      return false unless current_panda_session&.persisted?
       return false unless current_organization
-      return false unless current_session.panda_pal_organization_id == current_organization.id
-      return false unless Apartment::Tenant.current == current_organization.name
+      return false unless current_panda_session.panda_pal_organization_id == current_organization.id
+      return false unless Apartment::Tenant.current == current_organization.tenant_name
       true
     rescue SessionNonceMismatch
       false
@@ -132,20 +142,14 @@ module PandaPal::Helpers
 
     private
 
-    def find_or_create_session(key:)
-      if key == :create
-        PandaPal::Session.new(panda_pal_organization_id: current_organization&.id)
-      else
-        PandaPal::Session.find_by(session_key: key)
-      end
-    end
-
+    # Deprecated
     def organization_key
       org_key ||= params[:oauth_consumer_key]
       org_key ||= session[:organization_key]
       org_key
     end
 
+    # Deprecated
     def organization_id
       params[:organization_id]
     end

data/lib/panda_pal/helpers/session_replacement.rb

@@ -33,12 +33,17 @@ module PandaPal::Helpers
       current_session.try(:save)
     end
 
-    def current_session(create_missing: true)
-      return @current_session if @current_session.present?
+    def start_panda_session!
+      raise "Session already started" if @current_session.present?
+      @current_session = PandaPal::Session.new(panda_pal_organization_id: current_organization&.id)
+    end
+
+    def current_panda_session
+      return @current_session if defined?(@current_session)
 
       if params[:session_token]
         payload = JSON.parse(session_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
-        matched_session = find_or_create_session(key: payload[:session_key])
+        matched_session = PandaPal::Session.find_by(session_key: payload[:session_key])
         if matched_session.present?
           if payload[:token_type] == 'nonce' && matched_session.data[:link_nonce] == payload[:nonce]
             @current_session = matched_session
@@ -52,15 +57,23 @@ module PandaPal::Helpers
         end
         raise SessionNonceMismatch, "Session Not Found" unless @current_session.present?
       elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
-        @current_session = find_or_create_session(key: session_key)
+        @current_session = PandaPal::Session.find_by(session_key: session_key)
       end
+    end
 
-      @current_session ||= find_or_create_session(key: :create) if create_missing
+    # @deprecated - User current_panda_session instead
+    def current_session(create_missing: false)
+      current_panda_session
+
+      if !@current_session && create_missing
+        Rails.logger.warn("current_session(create_missing: true) is deprecated. Use start_panda_session! instead.") unless Rails.env.production?
+        start_panda_session!
+      end
 
       @current_session
     end
 
-    # @deprecated
+    # @deprecated - Use current_session[:key] directly
     def current_session_data
       current_session.data
     end
@@ -115,13 +128,13 @@ module PandaPal::Helpers
         }
 
         if type == 'nonce'
-          current_session_data[:link_nonce] = SecureRandom.hex
-          payload.merge!(nonce: current_session_data[:link_nonce])
+          current_session[:link_nonce] = SecureRandom.hex
+          payload.merge!(nonce: current_session[:link_nonce])
         elsif type == 'fixed_ip'
-          current_session_data[:remote_ip] ||= request.remote_ip
-          current_session_data[:last_ip_token_requested] = DateTime.now.iso8601
+          current_session[:remote_ip] ||= request.remote_ip
+          current_session[:last_ip_token_requested] = DateTime.now.iso8601
         elsif type == 'expiring'
-          current_session_data[:last_token_requested] = DateTime.now.iso8601
+          current_session[:last_token_requested] = DateTime.now.iso8601
         else
           raise StandardError, "Unsupported link_nonce_type: '#{type}'"
         end
@@ -180,7 +193,7 @@ module PandaPal::Helpers
     end
 
     def monkeypatch_flash
-      if valid_session? && (value = current_session_data['flashes']).present?
+      if valid_session? && (value = current_session['flashes']).present?
         flashes = value["flashes"]
         if discard = value["discard"]
           flashes.except!(*discard)
@@ -192,7 +205,7 @@ module PandaPal::Helpers
       yield
 
       if @current_session.present?
-        current_session_data['flashes'] = flash.to_session_value
+        current_session['flashes'] = flash.to_session_value
         flash.discard()
       end
     end

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.12.9"
+  VERSION = "5.13.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-  version: 5.12.9
+  version: 5.13.0
 platform: ruby
 authors:
 - Instructure CustomDev
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-11 00:00:00.000000000 Z
+date: 2025-03-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails