From ca6dbf3740d067bb24c9907517656d2694203a2e Mon Sep 17 00:00:00 2001 From: Markos Gogoulos Date: Thu, 29 Jan 2026 12:57:40 +0200 Subject: [PATCH] rev --- lti/adapters.py | 63 ++++++------------------------------------------- lti/views.py | 30 ++++------------------- 2 files changed, 12 insertions(+), 81 deletions(-) diff --git a/lti/adapters.py b/lti/adapters.py index 40fe5bd1..7336e17c 100644 --- a/lti/adapters.py +++ b/lti/adapters.py @@ -95,75 +95,39 @@ class DjangoMessageLaunch: class DjangoSessionService: - """Launch data storage using Django sessions with cache fallback for state""" + """Launch data storage using Django sessions""" def __init__(self, request): self.request = request self._session_key_prefix = 'lti1p3_' - self._cache_prefix = 'lti1p3_cache_' def get_launch_data(self, key): - """Get launch data from session or cache (for state keys)""" - # For state keys, try cache first (more reliable for cross-site flows) - if key.startswith('state-'): - cache_key = self._cache_prefix + key - cached_data = cache.get(cache_key) - if cached_data: - return json.loads(cached_data) if isinstance(cached_data, str) else cached_data - - # Try session + """Get launch data from session""" session_key = self._session_key_prefix + key data = self.request.session.get(session_key) return json.loads(data) if data else None def save_launch_data(self, key, data): - """Save launch data to session and cache (for state keys)""" - # Always save to session first + """Save launch data to session""" session_key = self._session_key_prefix + key self.request.session[session_key] = json.dumps(data) self.request.session.modified = True - - # For state keys, ALSO save to cache as backup (for cross-site cookie issues) - if key.startswith('state-'): - cache_key = self._cache_prefix + key - # Store in cache for 10 minutes (longer than typical LTI flow) - cache.set(cache_key, json.dumps(data), timeout=600) - return True def check_launch_data_storage_exists(self, key): - """Check if launch data exists in session or cache""" - # For state keys, check cache first - if key.startswith('state-'): - cache_key = self._cache_prefix + key - if cache.get(cache_key) is not None: - return True - - # Check session + """Check if launch data exists in session""" session_key = self._session_key_prefix + key return session_key in self.request.session def check_state_is_valid(self, state, nonce): """Check if state is valid - state is for CSRF protection, nonce is validated separately by JWT""" - import logging - - logger = logging.getLogger(__name__) - state_key = f'state-{state}' - logger.error(f"[STATE VALIDATION] Checking state: {state}") - logger.error(f"[STATE VALIDATION] Looking for session key: {self._session_key_prefix + state_key}") - - # List all session keys for debugging - all_keys = [k for k in self.request.session.keys() if k.startswith(self._session_key_prefix)] - logger.error(f"[STATE VALIDATION] All LTI session keys: {all_keys}") state_data = self.get_launch_data(state_key) if not state_data: - logger.error("[STATE VALIDATION] State NOT found in session") return False - logger.error(f"[STATE VALIDATION] State found successfully: {state_data}") # State exists - that's sufficient for CSRF protection # Nonce validation is handled by PyLTI1p3 through JWT signature and claims validation return True @@ -172,25 +136,12 @@ class DjangoSessionService: """Check if nonce is valid (not used before) and mark it as used""" nonce_key = f'nonce-{nonce}' - # Use cache for nonce checking (more reliable for cross-site flows) - cache_key = self._cache_prefix + nonce_key - # Check if nonce was already used - if cache.get(cache_key) is not None: + if self.check_launch_data_storage_exists(nonce_key): return False - # Mark nonce as used in cache (expires in 10 minutes) - cache.set(cache_key, json.dumps({'used': True}), timeout=600) - - # Also save to session for redundancy - try: - session_key = self._session_key_prefix + nonce_key - self.request.session[session_key] = json.dumps({'used': True}) - self.request.session.modified = True - except Exception: - # If session fails, cache is sufficient - pass - + # Mark nonce as used + self.save_launch_data(nonce_key, {'used': True}) return True def set_state_valid(self, state, id_token_hash): diff --git a/lti/views.py b/lti/views.py index 20cb78ea..c3496b56 100644 --- a/lti/views.py +++ b/lti/views.py @@ -116,15 +116,8 @@ class OIDCLoginView(View): if cmid: launch_data['cmid'] = cmid - logger.error(f"[OIDC LOGIN DEBUG] Generated state: {state}") - logger.error(f"[OIDC LOGIN DEBUG] Saving launch data with media_friendly_token: {launch_data.get('media_friendly_token')}") - session_service.save_launch_data(f'state-{state}', launch_data) - # Verify state was saved - saved_data = session_service.get_launch_data(f'state-{state}') - logger.error(f"[OIDC LOGIN DEBUG] Verified saved state data: {saved_data}") - params = { 'response_type': 'id_token', 'redirect_uri': target_link_uri, @@ -180,10 +173,6 @@ class LaunchView(View): try: id_token = request.POST.get('id_token') - state = request.POST.get('state') - - logger.error(f"[LTI LAUNCH DEBUG] Received state: {state}") - if not id_token: raise ValueError("Missing id_token in launch request") @@ -202,12 +191,6 @@ class LaunchView(View): session_service = DjangoSessionService(request) cookie_service = DjangoSessionService(request) - # Retrieve stored OIDC login data using state parameter - stored_oidc_data = None - if state: - stored_oidc_data = session_service.get_launch_data(f'state-{state}') - logger.error(f"[LTI LAUNCH DEBUG] Retrieved stored OIDC data: {stored_oidc_data}") - class CustomMessageLaunch(MessageLaunch): def _get_request_param(self, key): """Override to properly get request parameters""" @@ -252,17 +235,14 @@ class LaunchView(View): create_lti_session(request, user, message_launch, platform) - # Check for media_friendly_token in multiple places: - # 1. Custom claims (from Moodle LTI configuration) + # Check for media_friendly_token in custom claims media_token = custom_claims.get('media_friendly_token') logger.error(f"[LTI LAUNCH DEBUG] media_token from custom_claims: {media_token}") + if media_token: + logger.error(f"[LTI LAUNCH DEBUG] Found media_friendly_token in custom claims: {media_token}") - # 2. Stored OIDC data (from filter-based launches) - if not media_token and stored_oidc_data: - media_token = stored_oidc_data.get('media_friendly_token') - logger.error(f"[LTI LAUNCH DEBUG] media_token from stored OIDC data: {media_token}") - - # 3. Target link URI query parameters (fallback) + # Check if media token was passed via target_link_uri query parameter (from filter launch) + logger.error(f"[LTI LAUNCH DEBUG] About to check target_link_uri, media_token is: {media_token}") if not media_token: target_link_uri = launch_data.get('https://purl.imsglobal.org/spec/lti/claim/target_link_uri', '') logger.error(f"[LTI LAUNCH DEBUG] target_link_uri: {target_link_uri}")