Module: PandaPal::Helpers::SessionReplacement

Extended by:

ActiveSupport::Concern

Included in:

ControllerHelper

Defined in:

lib/panda_pal/helpers/session_replacement.rb

Class Method Summary

• .extract_panda_token(request, params = request.params) ⇒ Object deprecated Deprecated.

Instance Method Summary

• #current_panda_session ⇒ Object
• #current_session(create_missing: false) ⇒ Object deprecated Deprecated.

  • User current_panda_session instead

• #current_session_data ⇒ Object deprecated Deprecated.

  • Use current_session directly

• #forbid_access_if_lacking_session ⇒ Object
• #link_nonce(url = nil, type: link_nonce_type) ⇒ Object
• #link_nonce_type ⇒ Object
• #link_with_session_to(*args, **kwargs) ⇒ Object
• #redirect_with_session_to(*args, **kwargs) ⇒ Object

  Redirect with the session key intact.

• #save_session ⇒ Object
• #session_changed? ⇒ Boolean
• #session_expiration_period_minutes ⇒ Object
• #session_url_for(*args, **kwargs) ⇒ Object
• #start_panda_session! ⇒ Object
• #url_with_session(location, *args, route_context: self, nonce_type: link_nonce_type, **kwargs) ⇒ Object
• #verify_authenticity_token ⇒ Object

Class Method Details

.extract_panda_token(request, params = request.params) ⇒ Object

Deprecated.

# File 'lib/panda_pal/helpers/session_replacement.rb', line 184

def self.extract_panda_token(request, params = request.params)
  PandaPal::Session.extract_panda_token(request, params)
end

Instance Method Details

#current_panda_session ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 41

def current_panda_session
  return @current_session if defined?(@current_session)

  if (panda_token = PandaPal::Session.extract_panda_token(request, params)).present?
    @current_session = PandaPal::Session.for_panda_token(panda_token, request: request)

  elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
    # Legacy-format session_keys
    @current_session = PandaPal::Session.find_by(session_secret: session_key)
  end

  @current_session
end

#current_session(create_missing: false) ⇒ Object

Deprecated.

• User current_panda_session instead

# File 'lib/panda_pal/helpers/session_replacement.rb', line 56

def current_session(create_missing: false)
  current_panda_session

  if !@current_session && create_missing
    Rails.logger.warn("current_session(create_missing: true) is deprecated. Use start_panda_session! instead.") unless Rails.env.production?
    start_panda_session!
  end

  @current_session
end

#current_session_data ⇒ Object

Deprecated.

• Use current_session directly

# File 'lib/panda_pal/helpers/session_replacement.rb', line 68

def current_session_data
  current_session.data
end

#forbid_access_if_lacking_session ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 76

def forbid_access_if_lacking_session
  render plain: 'You should do an LTI Tool Launch.', status: :unauthorized unless valid_session?
end

#link_nonce(url = nil, type: link_nonce_type) ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 127

def link_nonce(url = nil, type: link_nonce_type)
  type = instance_exec(&type) if type.is_a?(Proc)
  type = type.to_s.downcase
  type = type[2..] if type.start_with?('t-')

  if type == 'url'
    raise StandardError, "URL is required" unless url.present?
    to_sign = PandaPal::Session.format_url_for_signing(url)
    payload.merge!(
      typ: 'T-URI',
      usig: current_session.sign_value(to_sign),
    )
  else
    @cached_link_nonces ||= {}
    @cached_link_nonces[type] ||= begin
      payload = {
        v: 1,
        o: current_organization.id,
        s: current_session.id,
      }

      if type == 'nonce'
        current_session[:link_nonce] = SecureRandom.hex
        payload.merge!(
          typ: 'T-NONCE',
          nnc: current_session[:link_nonce],
        )
      elsif type == 'ip' || type == 'fixed_ip'
        payload.merge!(
          typ: 'T-IP',
          ip: request.remote_ip,
          exp: session_expiration_period_minutes.minutes.from_now.iso8601,
        )
      elsif type == "exp" || type == 'expiring'
        payload.merge!(
          typ: 'T-EXP',
          exp: session_expiration_period_minutes.minutes.from_now.iso8601,
        )
      else
        raise StandardError, "Unsupported link_nonce_type: '#{type}'"
      end
    end
  end

  b64 = Base64.urlsafe_encode64(payload.to_json)
  "#{b64}.#{current_session.sign_value(b64)}"
end

#link_nonce_type ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 175

def link_nonce_type
  self.class.link_nonce_type
end

#link_with_session_to(*args, **kwargs) ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 97

def link_with_session_to(*args, **kwargs)
  helpers.link_to url_with_session(*args, **kwargs)
end

#redirect_with_session_to(*args, **kwargs) ⇒ Object

Redirect with the session key intact. In production, handle this by adding a one-time use encrypted token to the URL. Keeping it in the URL in development means that it plays nicely with webpack-dev-server live reloading (otherwise you get an access error everytime it tries to live reload).

# File 'lib/panda_pal/helpers/session_replacement.rb', line 93

def redirect_with_session_to(*args, **kwargs)
  redirect_to url_with_session(*args, **kwargs)
end

#save_session ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 30

def save_session
  current_session.try(:save)
end

#session_changed? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/panda_pal/helpers/session_replacement.rb', line 72

def session_changed?
  current_session.changed? && current_session.changes[:data].present?
end

#session_expiration_period_minutes ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 179

def session_expiration_period_minutes
  15
end

#session_url_for(*args, **kwargs) ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 101

def session_url_for(*args, **kwargs)
  url_with_session(:url_for, *args, **kwargs)
end

#start_panda_session! ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 34

def start_panda_session!
  raise "Session already started" if @current_session.present?
  @current_session = PandaPal::Session.new(panda_pal_organization_id: current_organization&.id).tap do |session|
    session.save!
  end
end

#url_with_session(location, *args, route_context: self, nonce_type: link_nonce_type, **kwargs) ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 105

def url_with_session(location, *args, route_context: self, nonce_type: link_nonce_type, **kwargs)
  # Stay compatible with older Ruby/Rails :/
  if args[-1].is_a?(Hash)
    args[-1] = args[-1].dup
  else
    args.push({})
  end

  args[-1].merge!(
    panda_token: Rails.env.development? ? current_session.session_key : link_nonce(type: nonce_type),
  )

  args[-1].merge!(kwargs)

  begin
    route_context.send(location, *args)
  rescue ActionController::UrlGenerationError => ex
    args[-1].merge!(organization_id: current_organization.id)
    route_context.send(location, *args)
  end
end

#verify_authenticity_token ⇒ Object

# File 'lib/panda_pal/helpers/session_replacement.rb', line 80

def verify_authenticity_token
  # No need to check CSRF when no cookies were sent. This fixes CSRF failures in Browsers
  # that restrict Cookie setting within an IFrame.
  return unless request.cookies.keys.length > 0
  super
end