From 8dcf0a4b76cdf256fb6b72615f3cf81d89ad6df6 Mon Sep 17 00:00:00 2001
From: david-yz-liu
Date: Fri, 2 Aug 2024 12:48:08 -0400
Subject: [PATCH] Do not enforce secure cookies in development for LTI deployments

---
 Changelog.md                                  | 1 +
 app/controllers/lti_deployments_controller.rb | 6 ++++--
 config/settings/development.yml               | 6 ++----
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index cdce2ab23a4..f5465fed481 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -48,6 +48,7 @@
 - Fixed flaky test #creates groups for individual students in groups_controller_spec (#7145)
 - Switch from SyntaxHighlighter to Prism for syntax highlighting (#7122)
 - Move jquery-ui and ui-contextmenu dependencies to package.json and upgrade jquery-ui to v1.13.3 (#7149)
+- Do not enforce secure cookies in development for LTI deployments (#7151)
 - Remove CI chromedriver version and Chrome dependency (#7170)
 - Update Jupyter notebook Javascript dependencies (require.js to v2.3.7, plotly.js to v2.34.0) (#7175)
 
diff --git a/app/controllers/lti_deployments_controller.rb b/app/controllers/lti_deployments_controller.rb
index 5e033e8df0e..8aaf7cae9de 100644
--- a/app/controllers/lti_deployments_controller.rb
+++ b/app/controllers/lti_deployments_controller.rb
@@ -7,6 +7,8 @@ class LtiDeploymentsController < ApplicationController
   before_action(except: [:get_config, :launch, :public_jwk, :redirect_login]) { authorize! }
   before_action :check_host, only: [:launch, :redirect_login]
 
+  USE_SECURE_COOKIES = !Rails.env.local?
+
   def launch
     if params[:client_id].blank? || params[:login_hint].blank? || params[:target_link_uri].blank? || params[:lti_message_hint].blank?
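Review bot: `USE_SECURE_COOKIES = !Rails.env.local?` drops the Secure attribute in the test environment as well as in development, because `Rails.env.local?` (Rails 7.1+, which the app presumably runs on since the method exists) is true for both, whereas the commit title and the changelog entry promise development only. If test is not meant to be covered, `USE_SECURE_COOKIES = !Rails.env.development?` matches the stated scope; if it is, the constant should say so, e.g. `# Secure is dropped only in local (development/test) environments that are served over plain HTTP.` Either way the constant currently carries no comment explaining why a cross-site (SameSite=None) cookie is ever allowed to go non-Secure. `launch` continues past the end of this hunk.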
@@ -21,7 +23,7 @@ def launch
     lti_launch_data[:nonce] = nonce
     lti_launch_data[:state] = session_nonce
     cookies.permanent.encrypted[:lti_launch_data] =
-      { value: JSON.generate(lti_launch_data), expires: 1.hour.from_now, same_site: :none, secure: true }
+      { value: JSON.generate(lti_launch_data), expires: 1.hour.from_now, same_site: :none, secure: USE_SECURE_COOKIES }
     auth_params = {
       scope: 'openid',
       response_type: 'id_token',
@@ -104,7 +106,7 @@ def redirect_login
     unless logged_in?
       lti_data[:lti_redirect] = request.url
       cookies.encrypted.permanent[:lti_data] =
-        { value: JSON.generate(lti_data), expires: 1.hour.from_now, same_site: :none, secure: true }
+        { value: JSON.generate(lti_data), expires: 1.hour.from_now, same_site: :none, secure: USE_SECURE_COOKIES }
       redirect_to root_path
       return
     end
diff --git a/config/settings/development.yml b/config/settings/development.yml
index dee3d11c083..7c2186f3b39 100644
--- a/config/settings/development.yml
+++ b/config/settings/development.yml
@@ -38,10 +38,8 @@ logging:
 autotest:
   max_batch_size: 10
 
-# The settings below are for an experimental feature that is not available
-# in production yet. Please disregard for now.
 lti:
   course_filter_file: <%= "#{::Rails.root}/config/dummy_lti_config.rb" %>
-  domains: <%= %w[host.docker.internal localhost] %>
-  token_endpoint: "http://host.docker.internal:80/login/oauth2/token"
+  domains: <%= %w[host.docker.internal] %>
+  token_endpoint: "http://host.docker.internal:3100/login/oauth2/token"
   unpermitted_new_course_message: 'You are not permitted to create a new MarkUs course for %{course_name}. Please contact your system administrator.'
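Review bot: The new line can now emit `SameSite=None` without `Secure`, a combination that Chromium-based browsers reject outright, so in development the launch-state cookie may still be dropped unless the browser treats the origin as a secure context (Chrome does for `http://localhost`, not for `host.docker.internal`); this should be verified in the target browser before relying on the relaxation. If the cookie does not round-trip, keeping `secure: true` and serving development over HTTPS (or through `localhost`) is the more reliable route; otherwise record the limitation next to the line, e.g. `# SameSite=None without Secure is rejected by Chromium; dev relies on the browser treating the origin as secure.` `launch` starts and continues outside this hunk.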
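Review bot: `expires: 1.hour.from_now` on the new line is most likely ineffective, because `cookies.encrypted.permanent` routes the write through Rails' `PermanentCookieJar`, whose `commit` overwrites `options[:expires]` with a 20-year expiry as far as I can tell from the Rails source; the LTI redirect state would then persist for 20 years rather than one hour, which matters more now that the cookie may also travel without Secure. Dropping the jar, `cookies.encrypted[:lti_data] = { value: JSON.generate(lti_data), expires: 1.hour.from_now, same_site: :none, secure: USE_SECURE_COOKIES }`, keeps the intended lifetime; the `lti_launch_data` cookie in the earlier hunk has the same shape. Worth confirming the actual expiry in a browser's cookie inspector. `redirect_login` starts and ends outside this hunk.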
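Review bot: The removed explanatory comment is not replaced, and the new `domains`/`token_endpoint` values leave no hint that `host.docker.internal:3100` is a local container endpoint or that the plain `http://` scheme is acceptable only because this is the development settings file. A one-line comment above `lti:` such as `# Development-only LTI platform (local container on port 3100); plain HTTP is fine here, production must use HTTPS.` would carry that. Dropping `localhost` from `domains` also means launches addressed as `localhost` will presumably be refused by `check_host`, which is worth stating in the same comment.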