Module: PandaPal::Helpers::ControllerHelper

Extended by:

ActiveSupport::Concern

Includes:

SessionReplacement

Defined in:

lib/panda_pal/helpers/controller_helper.rb

Instance Method Summary

• #current_lti_platform ⇒ Object
• #current_organization ⇒ Object
• #forbid_access_if_lacking_session ⇒ Object
• #lti_launch_params ⇒ Object
• #safari_override ⇒ Object
• #switch_tenant(organization = current_organization, &block) ⇒ Object
• #valid_session? ⇒ Boolean
• #validate_launch! ⇒ Object
• #validate_v1p0_launch ⇒ Object
• #validate_v1p3_launch ⇒ Object

Methods included from SessionReplacement

#current_session, #current_session_data, #link_nonce, #link_nonce_type, #link_with_session_to, #redirect_with_session_to, #save_session, #session_changed?, #session_expiration_period_minutes, #session_url_for, #url_with_session, #verify_authenticity_token

Instance Method Details

#current_lti_platform ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 15

def current_lti_platform
  @current_lti_platform ||= current_organization.lti_platform
end

#current_organization ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 9

def current_organization
  @organization ||= PandaPal::Organization.find_by!(key: organization_key) if organization_key
  @organization ||= PandaPal::Organization.find_by(id: organization_id) if organization_id
  @organization ||= PandaPal::Organization.find_by_name(Apartment::Tenant.current)
end

#forbid_access_if_lacking_session ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 96

def forbid_access_if_lacking_session
  super
  safari_override
end

#lti_launch_params ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 19

def lti_launch_params
  current_session_data[:launch_params]
end

#safari_override ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 111

def safari_override
  use_secure_headers_override(:safari_override) if browser.safari?
end

#switch_tenant(organization = current_organization, &block) ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 87

def switch_tenant(organization = current_organization, &block)
  return unless organization
  raise 'This method should be called in an around_action callback' unless block_given?

  Apartment::Tenant.switch(organization.name) do
    yield
  end
end

#valid_session? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/panda_pal/helpers/controller_helper.rb', line 101

def valid_session?
  return false unless current_session(create_missing: false)&.persisted?
  return false unless current_organization
  return false unless current_session.panda_pal_organization_id == current_organization.id
  return false unless Apartment::Tenant.current == current_organization.name
  true
rescue SessionNonceMismatch
  false
end

#validate_launch! ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 23

def validate_launch!
  safari_override

  if params[:id_token].present?
    validate_v1p3_launch
  elsif params[:oauth_consumer_key].present?
    validate_v1p0_launch
  end
end

#validate_v1p0_launch ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 33

def validate_v1p0_launch
  authorized = false
  # We should verify the timestamp is recent (within 5 minutes).  The approved timestamp is part of the signature,
  # so we don't need to worry about malicious users messing with it.  We should deny requests that come too long
  # after the approved timestamp.
  good_timestamp = params['oauth_timestamp'] && params['oauth_timestamp'].to_i > Time.now.to_i - 300
  if @organization = good_timestamp && params['oauth_consumer_key'] && PandaPal::Organization.find_by_key(params['oauth_consumer_key'])
    sanitized_params = request.request_parameters
    # These params come over with a safari-workaround launch.  The authenticator doesn't like them, so clean them out.
    safe_unexpected_params = ["full_win_launch_requested", "platform_redirect_url", "dummy_param"]
    safe_unexpected_params.each do |p|
      sanitized_params.delete(p)
    end
    tp = IMS::LTI::ToolProvider.new(@organization.key, @organization.secret, sanitized_params)
    authorized = tp.valid_request?(request)
  end

  if !authorized
    render plain: 'Invalid Credentials, please contact your Administrator.', :status => :unauthorized unless authorized
  end

  authorized
end

#validate_v1p3_launch ⇒ Object

# File 'lib/panda_pal/helpers/controller_helper.rb', line 57

def validate_v1p3_launch
  decoded_jwt = JSON::JWT.decode(params.require(:id_token), :skip_verification)
  raise JSON::JWT::VerificationFailed, 'error decoding id_token' if decoded_jwt.blank?

  client_id = decoded_jwt['aud']
  @organization = PandaPal::Organization.find_by!(key: client_id)
  raise JSON::JWT::VerificationFailed, 'Unrecognized Organization' unless @organization.present?

  decoded_jwt.verify!(current_lti_platform.public_jwks)

  params[:session_key] = params[:state]
  raise JSON::JWT::VerificationFailed, 'State is invalid' unless current_session_data[:lti_oauth_nonce] == decoded_jwt['nonce']

  jwt_verifier = PandaPal::LtiJwtValidator.new(decoded_jwt, client_id)
  raise JSON::JWT::VerificationFailed, jwt_verifier.errors unless jwt_verifier.valid?

  @decoded_lti_jwt = decoded_jwt
rescue JSON::JWT::VerificationFailed => e
  payload = Array(e.message)

  render json: {
    message: [
      { errors: payload },
      { id_token: params.require(:id_token) },
    ],
  }, status: :unauthorized

  false
end