Module: PandaPal::Helpers::ControllerHelper

Extended by:
ActiveSupport::Concern
Includes:
SessionReplacement
Defined in:
lib/panda_pal/helpers/controller_helper.rb

Instance Method Summary collapse

Methods included from SessionReplacement

#current_panda_session, #current_session, #current_session_data, extract_panda_token, #link_nonce, #link_nonce_type, #link_with_session_to, #redirect_with_session_to, #save_session, #session_changed?, #session_expiration_period_minutes, #session_url_for, #start_panda_session!, #url_with_session, #verify_authenticity_token

Instance Method Details

#current_lti_platformObject 



16
17
18
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 16

def current_lti_platform
  @current_lti_platform ||= current_panda_session&.lti_platform
end

#current_organizationObject 



9
10
11
12
13
14
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 9

def current_organization
  @organization ||= current_session&.panda_pal_organization
  @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key # Deprecated
  @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id # Deprecated
  @organization ||= PandaPal::Organization.for_apt_tenant(Apartment::Tenant.current)
end

#forbid_access_if_lacking_sessionObject 



134
135
136
137
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 134

def forbid_access_if_lacking_session
  super
  safari_override
end

#lti_launch_paramsObject 



20
21
22
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 20

def lti_launch_params
  current_panda_session[:launch_params]
end

#safari_overrideObject 



149
150
151
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 149

def safari_override
  use_secure_headers_override(:safari_override) if browser.safari?
end

#switch_tenant(organization = current_organization, &block) ⇒ Object 



128
129
130
131
132
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 128

def switch_tenant(organization = current_organization, &block)
  return unless organization
  raise 'This method should be called in an around_action callback' unless block_given?
  super
end

#valid_session?Boolean

Returns:

  • (Boolean) 


139
140
141
142
143
144
145
146
147
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 139

def valid_session?
  return false unless current_panda_session&.persisted?
  return false unless current_organization
  return false unless current_panda_session.panda_pal_organization_id == current_organization.id
  return false unless Apartment::Tenant.current == current_organization.tenant_name
  true
rescue PandaPal::Session::SessionNonceMismatch
  false
end

#validate_launch!(version: :any) ⇒ Object 



24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 24

def validate_launch!(version: :any)
  safari_override

  version = %i[v1p0 v1p3] if version == :any

  if version.is_a?(Array)
    version = case
    when params[:id_token].present?
      :v1p3
    when params[:oauth_consumer_key].present?
      :v1p0
    end
  end

  valmthd = :"validate_#{version}_launch"
  return send(valmthd) if respond_to?(valmthd)

  render plain: 'Failed to validate LTI launch', status: :unauthorized
end

#validate_v1p0_launchObject 



44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 44

def validate_v1p0_launch
  authorized = false
  # We should verify the timestamp is recent (within 5 minutes).  The approved timestamp is part of the signature,
  # so we don't need to worry about malicious users messing with it.  We should deny requests that come too long
  # after the approved timestamp.
  good_timestamp = params['oauth_timestamp'] && params['oauth_timestamp'].to_i > Time.now.to_i - 300
  if @organization = good_timestamp && params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
    sanitized_params = request.request_parameters
    # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
    safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
    safe_unexpected_params.each do |p|
      sanitized_params.delete(p)
    end
    tp = IMS::LTI::ToolProvider.new(@organization.key, @organization.secret, sanitized_params)
    authorized = tp.valid_request?(request)
  end

  if !authorized
    render plain: 'Failed to validate LTI v1p0 launch', :status => :unauthorized
    return false
  end

  start_panda_session!
end

#validate_v1p3_launchObject 



69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
 
# File 'lib/panda_pal/helpers/controller_helper.rb', line 69

def validate_v1p3_launch
  require "json/jwt"

  Apartment::Tenant.switch!("public")

  decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
  raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?

  client_id = decoded_jwt['aud']
  deployment_id = decoded_jwt['https://purl.imsglobal.org/spec/lti/claim/deployment_id']

  if deployment_id.present?
    @organization ||= PandaPal::Organization.find_by(key: "#{client_id}/#{deployment_id}")
    @organization ||= PandaPal::Organization.find_by(key: deployment_id)
  end

  @organization ||= PandaPal::Organization.find_by(key: client_id)

  params[:session_key] = params[:state]

  raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?
  raise JSON::JWT::VerificationFailed, 'Organization does not trust platform' unless @organization.trusted_platform?(current_lti_platform)

  begin
    decoded_jwt.verify!(current_lti_platform.public_jwks)
  rescue JSON::JWK::Set::KidNotFound
    decoded_jwt.verify!(current_lti_platform.public_jwks(force: true))
  end

  raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_panda_session.panda_pal_organization_id == 0
  raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_panda_session[:lti_oauth_nonce] == decoded_jwt['nonce']

  jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
  raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?

  # Migrate the session to the correct tenant
   = current_panda_session
  .delete

  @organization.switch_tenant

  @current_session = .dup
  @current_session.panda_pal_organization = @organization
  @current_session.save!

  @decoded_lti_jwt = decoded_jwt
rescue JSON::JWT::VerificationFailed => e
  payload = Array(e.message)

  render json: {
    message: [
      { errors: payload },
      { id_token: params.require(:id_token) },
    ],
  }, status: :unauthorized

  false
end