panda_pal 5.13.4 → 5.14.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 394e082d23ea7e24a5a4fd854191ad33f34fb52acffa2dc805fd27f64119c683
-  data.tar.gz: 1a50f36b6aba5a71c4622824fc7fd47a6fc2331ab643831b75c45f28162f461a
+  metadata.gz: 7dca28a2b62bd99b38f8e03e56ff2ca800a9e4783e3758e3f111d724033ecac9
+  data.tar.gz: 50cca8089331c5e3ced69508bd36ce38d1950f36e24c32ddcfe8013c5d203b08
 SHA512:
-  metadata.gz: 833f7ec08c7778a5fcbbb810a2c887068aec0e55fb1131c24adee99ae6477c20f56181c90a37424fb31401fe280ee2340d330bf07635d367c4d104ce2fde2a3d
-  data.tar.gz: a03e818dcd00ca287f1454cfb29aa55e2037239d904dff16fd774c3b20d5b96803c699c899b20a29c32dece85c507c3077a1dd7bd312f219854cd0994f62ee40
+  metadata.gz: c311c03565a44e28c27824ee5577844ea6c0cf5b1270135dcd32f888aab9f8b06466af1c55d445d194c006d89cedad547dc84b70e6655cb5c2962d0968a7e030
+  data.tar.gz: 576674c1989edfdfb1f6bd6f8368c52be0bd9b6b92cf76cdc8ce6903650aec5fb41b4514f411ca2024fc6bc500d6e438a9e0fa901c4380acb6d3981eca082575

data/README.md

@@ -239,44 +239,69 @@ Controllers will automatically have access to a number of methods that can be he
 Because of the ever-increasing security around `<iframe>`s and cookies, a custom session implementation has been rolled into `PandaPal`.
 The implementation is mostly passive, but requires some changes and caveats as opposed to the native Rails implementation.
 
-The current session object can be accessed from any controller using `current_session`. This object isn't the actual data container (as `session` _is_ in Rails).
-Session data can be accessed and modified using `current_session.data[:key]` or `current_session_data[:key]`.
+The current session object can be accessed from any controller using `current_session`.
+Session data can be accessed and modified using `current_session[:key]`.
 
-Because cookies are unreliable, it becomes the responsibility of the LTI developer to ensure that a custom "cookie" is passed to the frontend with each response
-and returned to the backend with each request, otherwise the backend won't be able to access the current session. There are a few ways to do this.
+Because cookies are unreliable, it becomes the responsibility of the LTI developer to ensure that a custom "cookie" is passed to the frontend with each response and returned to the backend with each request, otherwise the backend won't be able to access the current session. There are a few ways to do this.
 
 Generally, the method for passing the session "cookie" to the frontend looks something like:
 ```html
 <meta name="session_key" content="<%= current_session.session_key %>">
 ```
 
-### Returning to the backend
-The `session_key` can be passed to the backend in multiple ways:
-1. (Recommended) Via the `Authorization` Header (usually defining it as a default in your AJAX/XHR/`fetch` library):
-  ```http
-  Authorization: token=SESSION_KEY_HERE
-  ```
-2. Via a `session_key` parameter in a `POST` request (Useful for native HTML `<form>`s).
-3. (Used for Dev, but not highly discouraged in Prod) via a `GET`/URL Query parameter: `?session_key=SESSION_KEY_HERE`.
-
-The `session_key` does not contain any secrets itself, so it is safe to pass to the frontend, but it is encouraged to keep it away from the
-end-user as much as possible because it should not be shared.
+### Panda Token Format
+The `session_key` used to be a single value secret, but as of PandaPal 5.14, it is formatted as such (and referred to as a "Full-Key Panda Token"):
+`<Base64({ v: TOKEN FORMAT, o: ORG ID, s: SESSION ID, typ: "KEY" })>.<SESSION SECRET>`
+
+Additionally as of 5.14, "session_tokens" were dissolved into the Panda Token format (and now referred to as "Limited-Use Panda Tokens").
+These Limited-Use tokens are formatted as such:
+`<Base64({ v: TOKEN FORMAT, o: ORG ID, s: SESSION ID, typ: "X", ... })>.<HMAC(key: SESSION_SECRET, content: Base64(...))>`
+
+Currently, there is support for these `typ`es (also noted with any other params to be included in the B64 content):
+- `T-URL` `{ usig: HMAC(key: SESSION_SECRET, content: URL_PATH_AND_QUERY) }` - Use to authenticate `GET`ting a single URL.
+  - May be generated on the client using `@inst_proserv/toolkit/panda_tokens`
+- `T-NONCE` `{ nnc: NONCE }` - Stores a single-use nonce in the Session. Can only be used once and will expire as soon as another `T-NONCE` token is created in another request.
+- `T-IP` `{ ip: 1.2.3.4 }` - Token restricted to use by a single IP address
+- `T-EXP` `{ exp: }` - Basic, time-limited token
+
+All Limited-Use tokens may also include these parameters:
+- `exp` - ISO8601 Expiration timestamp
+
+### Passing the Session
+PandaPal looks for Session information in multiple places (in order of precedence):
+- `X-Panda-Token` Header
+- `Authorization: Bearer <PANDA TOKEN>` Header
+- `Authorization: token=<PANDA TOKEN>` Header (Deprecated; legacy-use only). Supports use of legacy or new-format
+- `panda_token` param
+- `session_key` param (Deprecated; legacy-use only). Supports use of legacy or new-format
+- `session_token` param (Deprecated; legacy-use only)
+
+Use of one of the supported HTTP Headers is preferred.
+`panda_token=<Full-Use Token>` param may be used for (non-`GET`) HTML `<form>`s.
+`panda_token=<Limited-Use Token>` param should be used for `GET` requests in-which you cannot control a Header.
 
 ### Redirecting and Multi-Page Applications
 Special instructions must be followed when using `link_to` or `redirect_to` to ensure that the Session is passed correctly:
 
 Add a `session_token:` (notice the use of _`_token`_ as opposed to _`_key`_!) parameter when using `link_to` or `redirect_to`:
 ```ruby
-  link_to "Link Name", somewhere_else_path(session_token: link_nonce)
-  redirect_to somewhere_else_path(session_token: link_nonce)
+  link_to "Link Name", somewhere_else_path(panda_token: link_nonce)
+  redirect_to somewhere_else_path(panda_token: link_nonce)
 ```
-You can also use the `redirect_with_session_to` helper, which will automatically add `organization_id:` and `session_token:` params:
+You can also use the `redirect_with_session_to` helper, which will automatically the `panda_token:` param (and, to support legacy apps, an `organization_id:` param if needed):
 ```ruby
   redirect_with_session_to :somewhere_else_path, other_param: 1
 ```
-For each request (not each call), `link_nonce` generates a nonce and stores it in the Session. The generated value can be used
-for at-most-one future request. This means that browser back-forward navigation **will not work** (if it actually ever worked for
-iframe-based LTIs in the first place).
+
+For each request (not each call), `link_nonce` Limited-Use Token.
+The default `typ`e is `T-NONCE`, but this can be controlled by passing a `type:` param, or by setting `link_nonce_type` in the controller, eg:
+```ruby
+link_nonce_type "T-IP"
+
+def action
+  redirect_to somewhere_else_path(panda_token: link_nonce(type: "T-IP"))
+end
+```
 
 ### Persisting the session
 The session is automatically saved using an `after_action` callback. This callback is poised to run last, but if that causes issues
@@ -484,6 +509,7 @@ For :fixed_ip and :expiring tokens you can override the default expiration perio
 
 See the following example of how to override the link_nonce_type and token expiration length.
 
+```ruby
 class ApplicationController < ActionController::Base
   link_nonce_type :fixed_ip
   def session_expiration_period_minutes
@@ -491,6 +517,7 @@ class ApplicationController < ActionController::Base
   end
 ...
 end
+```
 
 ### Previous Safari Instructions
 Safari is weird and you'll potentially run into issues getting `POST` requests to properly validate CSRF if you don't do the following:

data/app/controllers/panda_pal/lti_v1_p0_controller.rb

@@ -16,7 +16,8 @@ module PandaPal
       current_session.data.merge!({
         lti_version: 'v1p0',
         lti_launch_placement: params[:launch_type],
-        launch_params: params.to_unsafe_h,
+        launch_url_params: request.query_parameters.to_h,
+        launch_params: request.request_parameters.to_h,
       })
 
       redirect_with_session_to(:"#{LaunchUrlHelpers.launch_route(params[:launch_type])}_url", route_context: main_app)

data/app/controllers/panda_pal/lti_v1_p3_controller.rb

@@ -24,7 +24,7 @@ module PandaPal
       current_session[:lti_oauth_nonce] = SecureRandom.uuid
       current_session[:canvas_environment] = params['canvas_environment']
       current_session[:canvas_region] = params['canvas_region']
-      current_session.panda_pal_organization_id = -1
+      current_session.panda_pal_organization_id = 0
 
       @form_action = current_lti_platform.authentication_redirect_url
       @method = :post
@@ -49,6 +49,7 @@ module PandaPal
         current_session.data.merge!({
           lti_version: 'v1p3',
           lti_launch_placement: ltype,
+          launch_url_params: request.query_parameters.to_h,
           launch_params: @decoded_lti_jwt,
         })
 

data/app/models/panda_pal/platform/canvas.rb

@@ -297,6 +297,54 @@ module PandaPal
         _find_existing_installs(context)
       end
 
+      def canvas_lti_launch_url(placement_or_context, context: nil, host: nil, params: {}, lti_id: nil)
+        if placement_or_context.is_a?(String) && placement_or_context.include?('/')
+          context = placement_or_context
+          placement = nil
+          placement_or_context = nil
+        elsif placement_or_context.is_a?(Symbol) || placement_or_context.is_a?(String)
+          placement = placement_or_context.to_s
+        elsif !context
+          context = placement_or_context
+          placement_or_context = nil
+        else
+          raise ArgumentError, "context seems to have been passed twice"
+        end
+
+        if context.is_a?(String)
+          context_path = context
+        elsif context
+          context_name = context.class.name.downcase
+          placement ||= context_name + "_navigation"
+          context_path = "#{context_name}s/#{context.canvas_id}"
+        else
+          placement ||= "account_navigation"
+          context_path = "accounts/#{current_organization.canvas_account_id}"
+        end
+
+        if %w[global account course user].include?(placement)
+          placement = "#{placement}_navigation"
+        end
+
+        canvas_uri = URI.parse(self.canvas_url)
+        lti_id ||= self.settings.dig(:canvas, :external_tool_id)
+        canvas_uri.path = "/#{context_path}/external_tools/#{lti_id}"
+
+        canvas_params = {}
+        canvas_params[:launch_type] = placement if placement == "global_navigation"
+        if params.present?
+          host = "#{host.scheme}://#{host.host_with_port}" if host.is_a?(ActionDispatch::Request)
+          canvas_params[:launch_url] = PandaPal::Engine.routes.url_helpers.v1p3_resource_link_request_url(
+            host: host,
+            **params,
+          ).to_s
+        end
+
+        canvas_uri.query = URI.encode_www_form(canvas_params)
+
+        canvas_uri
+      end
+
       def canvas_url
         PandaPal::Platform.find_org_setting([
           "canvas.base_url",

data/app/models/panda_pal/session.rb

@@ -3,10 +3,36 @@ module PandaPal
     belongs_to :panda_pal_organization, class_name: 'PandaPal::Organization', optional: true
 
     after_initialize do
-      self.session_key ||= SecureRandom.urlsafe_base64(60)
+      self.session_secret ||= SecureRandom.urlsafe_base64(60)
       self.data ||= {}.with_indifferent_access
     end
 
+    delegate :dig, to: :data
+
+    def session_key
+      # <B64({ v: TOKEN FORMAT, o: ORG ID, s: SESSION ID, typ: "KEY" })>.<SESSION SECRET>
+      payload = {
+        v: 1,
+        o: panda_pal_organization_id,
+        s: id,
+        typ: "KEY",
+      }
+      base64_payload = Base64.urlsafe_encode64(payload.to_json)
+      "#{base64_payload}.#{session_secret}"
+    end
+
+    def signing_key
+      session_secret
+    end
+
+    def sign_value(data)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), signing_key, data)
+    end
+
+    def validate_signature(data, signature)
+      signature == sign_value(data)
+    end
+
     def [](key)
       if self.class.column_names.include?(key.to_s)
         super

data/config/initializers/apartment.rb

@@ -200,7 +200,7 @@ end
 
 Apartment.configure do |config|
   config.excluded_models ||= []
-  config.excluded_models |= ['PandaPal::Organization', 'PandaPal::Session']
+  config.excluded_models |= ['PandaPal::Organization']
 
   config.with_multi_server_setup = true unless Rails.env.test?
 
@@ -224,6 +224,11 @@ Rails.application.config.middleware.use Apartment::Elevators::Generic, lambda {
     PandaPal::Organization.find_by(id: match[1]).try(:tenant_name)
   elsif match = request.path.match(/\/(?:orgs?|organizations?|o)\/(\w+)/)
     PandaPal::Organization.find_by(name: match[1]).try(:tenant_name)
+  elsif (panda_token = PandaPal::Helpers::SessionReplacement.extract_panda_token(request)).present?
+    header, sig = panda_token.split('.')
+    # This is just switching the tenant. Auth should be performed elsewhere (eg via `forbid_access_if_lacking_session`/`valid_session?`).
+    decoded_header = JSON.parse(Base64.urlsafe_decode64(header))
+    PandaPal::Organization.find_by(id: decoded_header['o']).try(:tenant_name)
   elsif request.path.start_with?('/rails/active_storage/blobs/')
     PandaPal::Organization.find_by(id: request.params['organization_id']).try(:tenant_name)
   end

data/db/migrate/20250401214421_rename_session_session_key.rb

@@ -0,0 +1,5 @@
+class RenameSessionSessionKey < ActiveRecord::Migration[7.1]
+  def change
+    rename_column :panda_pal_sessions, :session_key, :session_secret
+  end
+end

data/lib/panda_pal/helpers/controller_helper.rb

@@ -93,12 +93,21 @@ module PandaPal::Helpers
         decoded_jwt.verify!(current_lti_platform.public_jwks(force: true))
       end
 
+      raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_panda_session.panda_pal_organization_id == 0
       raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_panda_session[:lti_oauth_nonce] == decoded_jwt['nonce']
 
       jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
       raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?
 
-      current_panda_session.update(panda_pal_organization: @organization)
+      # Migrate the session to the correct tenant
+      login_session = current_panda_session
+      login_session.delete
+
+      @organization.switch_tenant
+
+      @current_session = login_session.dup
+      @current_session.panda_pal_organization = @organization
+      @current_session.save!
 
       @decoded_lti_jwt = decoded_jwt
     rescue JSON::JWT::VerificationFailed => e

data/lib/panda_pal/helpers/session_replacement.rb

@@ -35,29 +35,71 @@ module PandaPal::Helpers
 
     def start_panda_session!
       raise "Session already started" if @current_session.present?
-      @current_session = PandaPal::Session.new(panda_pal_organization_id: current_organization&.id)
+      @current_session = PandaPal::Session.new(panda_pal_organization_id: current_organization&.id).tap do |session|
+        session.save!
+      end
     end
 
     def current_panda_session
       return @current_session if defined?(@current_session)
 
-      if params[:session_token]
-        payload = JSON.parse(session_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
-        matched_session = PandaPal::Session.find_by(session_key: payload[:session_key])
-        if matched_session.present?
-          if payload[:token_type] == 'nonce' && matched_session.data[:link_nonce] == payload[:nonce]
-            @current_session = matched_session
-            @current_session.data[:link_nonce] = nil
-          elsif payload[:token_type] == 'fixed_ip' && matched_session.data[:remote_ip] == request.remote_ip &&
-            DateTime.parse(matched_session.data[:last_ip_token_requested]) > session_expiration_period_minutes.minutes.ago
-            @current_session = matched_session
-          elsif payload[:token_type] == 'expiring' && DateTime.parse(matched_session.data[:last_token_requested]) > session_expiration_period_minutes.minutes.ago
-            @current_session = matched_session
+      if (panda_token = SessionReplacement.extract_panda_token(request, params)).present?
+        # <B64({ v: TOKEN FORMAT, o: ORG ID, s: SESSION ID, typ: TYPE, exp?: EXPIRE, usig?: URL SIGNATURE, nnc?: NONCE })>.<HMAC(<B64HEADER>) | KEY>
+        # TYPE = KEY | T-URI | T-IP | T-NONCE | T-EXP
+
+        header, sig = panda_token.split('.')
+        decoded_header = JSON.parse(Base64.urlsafe_decode64(header))
+
+        org_id = decoded_header['o'].to_i
+        session_id = decoded_header['s']
+        type = decoded_header['typ']
+
+        # raise SessionNonceMismatch, "Session Not Found" unless org_id < 1 || org_id == current_organization.id
+
+        if type == 'KEY'
+          @current_session = PandaPal::Session.find_by(session_secret: sig)
+          raise SessionNonceMismatch, "Session Not Found" if session_id && @current_session.id != session_id
+        else
+          session_record = PandaPal::Session.find_by(id: session_id)
+          raise SessionNonceMismatch, "Session Not Found" unless session_record.present?
+
+          # Validate the header against the signature
+          raise SessionNonceMismatch, "Invalid Signature" unless session_record.validate_signature(header, sig)
+
+          # Check expiration
+          if (expr = decoded_header['exp']).present?
+            raise SessionNonceMismatch, "Expired" unless expr > DateTime.now.iso8601
+          end
+
+          if type == "T-URI"
+            # Signed URLs only support GET requests
+            raise SessionNonceMismatch, "Invalid Method" unless request.method == :get
+
+            # Verify the signature against the request URL
+            resigned = generate_signed_url(session_record.signing_key, request.url)
+            raise SessionNonceMismatch, "Invalid Signature" unless resigned == decoded_header['usig']
+
+            # TODO Support single-use tokens via Redis?
+
+            @current_session = session_record
+          elsif type == "T-NONCE"
+            raise SessionNonceMismatch, "Invalid Nonce" unless session_record.data[:link_nonce] == decoded_header['nnc']
+            @current_session = session_record
+          elsif type == "T-IP"
+            raise SessionNonceMismatch, "Invalid IP" unless decoded_header["ip"] == request.remote_ip
+            @current_session = session_record
+          elsif type == "T-EXP"
+            # Expiration itself is checked above, but enforce that an expiration is set
+            raise SessionNonceMismatch, "Invalid Expiration" unless decoded_header["exp"].present?
+            @current_session = session_record
           end
         end
+
         raise SessionNonceMismatch, "Session Not Found" unless @current_session.present?
+
       elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
-        @current_session = PandaPal::Session.find_by(session_key: session_key)
+        # Legacy-format session_keys
+        @current_session = PandaPal::Session.find_by(session_secret: session_key)
       end
 
       @current_session
@@ -110,39 +152,76 @@ module PandaPal::Helpers
     end
 
     def session_url_for(*args, **kwargs)
-      url_for(build_session_url_params(*args, **kwargs))
+      url_with_session(:url_for, *args, **kwargs)
     end
 
-    def url_with_session(location, *args, route_context: self, **kwargs)
-      route_context.send(location, *build_session_url_params(*args, **kwargs))
+    def url_with_session(location, *args, route_context: self, nonce_type: link_nonce_type, **kwargs)
+      # Stay compatible with older Ruby/Rails :/
+      if args[-1].is_a?(Hash)
+        args[-1] = args[-1].dup
+      else
+        args.push({})
+      end
+
+      args[-1].merge!(
+        panda_token: Rails.env.development? ? current_session.session_key : link_nonce(type: nonce_type),
+      )
+
+      args[-1].merge!(kwargs)
+
+      begin
+        route_context.send(location, *args)
+      rescue ActionController::UrlGenerationError => ex
+        args[-1].merge!(organization_id: current_organization.id)
+        route_context.send(location, *args)
+      end
     end
 
-    def link_nonce(type: link_nonce_type)
+    def link_nonce(url = nil, type: link_nonce_type)
       type = instance_exec(&type) if type.is_a?(Proc)
-      type = type.to_s
-
-      @cached_link_nonces ||= {}
-      @cached_link_nonces[type] ||= begin
-        payload = {
-          token_type: type,
-          session_key: current_session.session_key,
-          organization_id: current_organization.id,
-        }
-
-        if type == 'nonce'
-          current_session[:link_nonce] = SecureRandom.hex
-          payload.merge!(nonce: current_session[:link_nonce])
-        elsif type == 'fixed_ip'
-          current_session[:remote_ip] ||= request.remote_ip
-          current_session[:last_ip_token_requested] = DateTime.now.iso8601
-        elsif type == 'expiring'
-          current_session[:last_token_requested] = DateTime.now.iso8601
-        else
-          raise StandardError, "Unsupported link_nonce_type: '#{type}'"
+      type = type.to_s.downcase
+      type = type[2..] if type.start_with?('t-')
+
+      if type == 'url'
+        raise StandardError, "URL is required" unless url.present?
+        payload.merge!(
+          typ: 'T-URI',
+          usig: generate_signed_url(current_session.signing_key, url.to_s),
+        )
+      else
+        @cached_link_nonces ||= {}
+        @cached_link_nonces[type] ||= begin
+          payload = {
+            v: 1,
+            o: current_organization.id,
+            s: current_session.id,
+          }
+
+          if type == 'nonce'
+            current_session[:link_nonce] = SecureRandom.hex
+            payload.merge!(
+              typ: 'T-NONCE',
+              nnc: current_session[:link_nonce],
+            )
+          elsif type == 'ip' || type == 'fixed_ip'
+            payload.merge!(
+              typ: 'T-IP',
+              ip: request.remote_ip,
+              exp: session_expiration_period_minutes.minutes.from_now.iso8601,
+            )
+          elsif type == "exp" || type == 'expiring'
+            payload.merge!(
+              typ: 'T-EXP',
+              exp: session_expiration_period_minutes.minutes.from_now.iso8601,
+            )
+          else
+            raise StandardError, "Unsupported link_nonce_type: '#{type}'"
+          end
         end
-
-        session_cryptor.encrypt_and_sign(payload.to_json)
       end
+
+      b64 = Base64.urlsafe_encode64(payload.to_json)
+      "#{b64}.#{current_session.sign_value(b64)}"
     end
 
     def link_nonce_type
@@ -153,6 +232,22 @@ module PandaPal::Helpers
       15
     end
 
+    def self.extract_panda_token(request, params = request.params)
+      headers = request.respond_to?(:headers) ? request.headers : request.env
+      auth_header = headers['HTTP_X_PANDA_TOKEN'] || headers['X-Panda-Token']
+      auth_header ||= headers['HTTP_AUTHORIZATION'] || headers['Authorization']
+
+      if auth_header.present?
+        match = auth_header.match(/Bearer (.+)/)
+        match ||= auth_header.match(/token=(.+)/) # Legacy Support
+        token = match[1] if match && match[1].include?('.')
+      end
+      token ||= params["panda_token"]
+      token ||= params["session_token"] if params["session_token"]&.include?('.') # Legacy Support
+      token ||= params["session_key"] if params["session_key"]&.include?('.') # Legacy Support
+      token.presence
+    end
+
     private
 
     def session_cryptor
@@ -166,34 +261,24 @@ module PandaPal::Helpers
       end
     end
 
-    def build_session_url_params(*args, nonce_type: link_nonce_type, **kwargs)
-      if args[-1].is_a?(Hash)
-        args[-1] = args[-1].dup
-      else
-        args.push({})
-      end
-
-      if Rails.env.development?
-        args[-1].merge!(
-          session_key: current_session.session_key,
-          organization_id: current_organization.id,
-        )
-      else
-        args[-1].merge!(
-          session_token: link_nonce(type: nonce_type),
-          organization_id: current_organization.id,
-        )
-      end
-
-      args[-1].merge!(kwargs)
-      args
-    end
-
     def auto_save_session
       yield if block_given?
       save_session if @current_session && session_changed?
     end
 
+    def generate_signed_url(key, uri)
+      uri = URI.parse(uri) if uri.is_a?(String)
+      signable = "#{uri.path}?#{uri.query}"
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, signable)
+    end
+
+    def validate_url_signature(key, uri, signature)
+      uri = URI.parse(uri) if uri.is_a?(String)
+      signable = uri.path + '?' + uri.query
+      signable.gsub!(/[&?](session_key|session_token|panda_token)=.*?(&.*)?$/, "")
+      signature == OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, signable)
+    end
+
     def monkeypatch_flash
       if valid_session? && (value = current_session['flashes']).present?
         flashes = value["flashes"]

data/lib/panda_pal/version.rb

@@ -1,3 +1,3 @@
 module PandaPal
-  VERSION = "5.13.4"
+  VERSION = "5.14.0.beta1"
 end

data/spec/dummy/db/schema.rb

@@ -2,16 +2,15 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2022_07_21_095653) do
-
+ActiveRecord::Schema[7.1].define(version: 2025_04_01_214421) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -19,8 +18,8 @@ ActiveRecord::Schema.define(version: 2022_07_21_095653) do
     t.text "logic"
     t.string "expiration"
     t.integer "uses_remaining"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
   end
 
   create_table "panda_pal_organizations", id: :serial, force: :cascade do |t|
@@ -28,8 +27,8 @@ ActiveRecord::Schema.define(version: 2022_07_21_095653) do
     t.string "key"
     t.string "secret"
     t.string "canvas_account_id"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
     t.string "salesforce_id"
     t.text "encrypted_settings"
     t.string "encrypted_settings_iv"
@@ -38,13 +37,13 @@ ActiveRecord::Schema.define(version: 2022_07_21_095653) do
   end
 
   create_table "panda_pal_sessions", id: :serial, force: :cascade do |t|
-    t.string "session_key"
+    t.string "session_secret"
     t.text "data"
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
     t.integer "panda_pal_organization_id"
     t.index ["panda_pal_organization_id"], name: "index_panda_pal_sessions_on_panda_pal_organization_id"
-    t.index ["session_key"], name: "index_panda_pal_sessions_on_session_key", unique: true
+    t.index ["session_secret"], name: "index_panda_pal_sessions_on_session_secret", unique: true
   end
 
 end

data/spec/factories/panda_pal_sessions.rb

@@ -1,6 +1,6 @@
 FactoryGirl.define do
   factory :panda_pal_session, class: 'PandaPal::Session' do
-    session_key "MyString"
+    session_secret "MyString"
     organization nil
     data "MyText"
   end

data/spec/models/panda_pal/session_spec.rb

@@ -2,8 +2,8 @@ require 'rails_helper'
 
 module PandaPal
   RSpec.describe Session, type: :model do
-    it 'is initialized with a session_key' do
-      expect(PandaPal::Session.new.session_key).to_not be_nil
+    it 'is initialized with a session_secret' do
+      expect(PandaPal::Session.new.session_secret).to_not be_nil
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: panda_pal
 version: !ruby/object:Gem::Version
-  version: 5.13.4
+  version: 5.14.0.beta1
 platform: ruby
 authors:
 - Instructure CustomDev
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-03 00:00:00.000000000 Z
+date: 2025-04-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -334,6 +334,7 @@ files:
 - db/migrate/20171205183457_encrypt_organization_settings.rb
 - db/migrate/20171205194657_remove_old_organization_settings.rb
 - db/migrate/20220721095653_create_panda_pal_api_calls.rb
+- db/migrate/20250401214421_rename_session_session_key.rb
 - lib/panda_pal.rb
 - lib/panda_pal/concerns/ability_helper.rb
 - lib/panda_pal/engine.rb