rev

2026-02-04 14:32:59 -05:00 · 2026-01-29 12:57:40 +02:00
parent 8646bd70dc
commit ca6dbf3740
2 changed files with 12 additions and 81 deletions
--- a/lti/adapters.py
+++ b/lti/adapters.py
@@ -95,75 +95,39 @@ class DjangoMessageLaunch:


 class DjangoSessionService:
-    """Launch data storage using Django sessions with cache fallback for state"""
+    """Launch data storage using Django sessions"""

    def __init__(self, request):
        self.request = request
        self._session_key_prefix = 'lti1p3_'
-        self._cache_prefix = 'lti1p3_cache_'

    def get_launch_data(self, key):
-        """Get launch data from session or cache (for state keys)"""
-        # For state keys, try cache first (more reliable for cross-site flows)
-        if key.startswith('state-'):
-            cache_key = self._cache_prefix + key
-            cached_data = cache.get(cache_key)
-            if cached_data:
-                return json.loads(cached_data) if isinstance(cached_data, str) else cached_data
-
-        # Try session
+        """Get launch data from session"""
        session_key = self._session_key_prefix + key
        data = self.request.session.get(session_key)
        return json.loads(data) if data else None

    def save_launch_data(self, key, data):
-        """Save launch data to session and cache (for state keys)"""
-        # Always save to session first
+        """Save launch data to session"""
        session_key = self._session_key_prefix + key
        self.request.session[session_key] = json.dumps(data)
        self.request.session.modified = True
-
-        # For state keys, ALSO save to cache as backup (for cross-site cookie issues)
-        if key.startswith('state-'):
-            cache_key = self._cache_prefix + key
-            # Store in cache for 10 minutes (longer than typical LTI flow)
-            cache.set(cache_key, json.dumps(data), timeout=600)
-
        return True

    def check_launch_data_storage_exists(self, key):
-        """Check if launch data exists in session or cache"""
-        # For state keys, check cache first
-        if key.startswith('state-'):
-            cache_key = self._cache_prefix + key
-            if cache.get(cache_key) is not None:
-                return True
-
-        # Check session
+        """Check if launch data exists in session"""
        session_key = self._session_key_prefix + key
        return session_key in self.request.session

    def check_state_is_valid(self, state, nonce):
        """Check if state is valid - state is for CSRF protection, nonce is validated separately by JWT"""
-        import logging
-
-        logger = logging.getLogger(__name__)
-
        state_key = f'state-{state}'
-        logger.error(f"[STATE VALIDATION] Checking state: {state}")
-        logger.error(f"[STATE VALIDATION] Looking for session key: {self._session_key_prefix + state_key}")
-
-        # List all session keys for debugging
-        all_keys = [k for k in self.request.session.keys() if k.startswith(self._session_key_prefix)]
-        logger.error(f"[STATE VALIDATION] All LTI session keys: {all_keys}")

        state_data = self.get_launch_data(state_key)

        if not state_data:
-            logger.error("[STATE VALIDATION] State NOT found in session")
            return False

-        logger.error(f"[STATE VALIDATION] State found successfully: {state_data}")
        # State exists - that's sufficient for CSRF protection
        # Nonce validation is handled by PyLTI1p3 through JWT signature and claims validation
        return True
@@ -172,25 +136,12 @@ class DjangoSessionService:
        """Check if nonce is valid (not used before) and mark it as used"""
        nonce_key = f'nonce-{nonce}'

-        # Use cache for nonce checking (more reliable for cross-site flows)
-        cache_key = self._cache_prefix + nonce_key
-
        # Check if nonce was already used
-        if cache.get(cache_key) is not None:
+        if self.check_launch_data_storage_exists(nonce_key):
            return False

-        # Mark nonce as used in cache (expires in 10 minutes)
-        cache.set(cache_key, json.dumps({'used': True}), timeout=600)
-
-        # Also save to session for redundancy
-        try:
-            session_key = self._session_key_prefix + nonce_key
-            self.request.session[session_key] = json.dumps({'used': True})
-            self.request.session.modified = True
-        except Exception:
-            # If session fails, cache is sufficient
-            pass
-
+        # Mark nonce as used
+        self.save_launch_data(nonce_key, {'used': True})
        return True

    def set_state_valid(self, state, id_token_hash):