Module: PandaPal::Helpers::SessionReplacement

Extended by:
ActiveSupport::Concern
Included in:
ControllerHelper
Defined in:
lib/panda_pal/helpers/session_replacement.rb


Instance Method Details

#current_session(create_missing: true) ⇒ Object



# File 'lib/panda_pal/helpers/session_replacement.rb', line 36

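# Resolves the session for the current request and memoizes it in @current_session.
#
# Sources are tried in this order:
#   1. params[:session_token]: decrypted and verified by session_cryptor, then checked
#      against the stored session according to its token_type ('nonce', 'fixed_ip'
#      or 'expiring').
#   2. A bare session key from params[:session_key], session_key_header,
#      flash[:session_key] or session[:session_key].
#   3. find_or_create_session(key: :create), only when create_missing is true.
#
# A session_token that is present but does not validate never falls through to
# sources 2 or 3; it raises instead.
#
# @param create_missing [Boolean] whether to create a session when none was resolved
# @return [Object, nil] the resolved session, or nil when nothing matched and
#   create_missing is false
# @raise [SessionNonceMismatch] when params[:session_token] is present but no stored
#   session satisfies its token_type check
def current_session(create_missing: true)
  return @current_session if @current_session.present?

  if params[:session_token]
    # Whatever decrypt_and_verify / JSON.parse raise on a malformed or tampered token
    # propagates to the caller unchanged.
    payload = JSON.parse(session_cryptor.decrypt_and_verify(params[:session_token])).with_indifferent_access
    matched_session = find_or_create_session(key: payload[:session_key])
    # NOTE(review): payload[:organization_id] is written by link_nonce but is not
    # compared against anything in this method - confirm it is checked elsewhere.

    if matched_session.present?
      # Fail closed: a missing or unparseable timestamp in the stored session data
      # rejects the token instead of letting DateTime.parse raise TypeError/ArgumentError.
      issued_recently = lambda do |stamp|
        begin
          stamp.present? && DateTime.parse(stamp) > session_expiration_period_minutes.minutes.ago
        rescue ArgumentError, TypeError
          false
        end
      end

      token_type = payload[:token_type]
      verified =
        case token_type
        when 'nonce'
          # Require a non-blank nonce so that a consumed (nil) stored nonce can never
          # compare equal to a token that carries no nonce.
          payload[:nonce].present? && matched_session.data[:link_nonce] == payload[:nonce]
        when 'fixed_ip'
          matched_session.data[:remote_ip] == request.remote_ip &&
            issued_recently.call(matched_session.data[:last_ip_token_requested])
        when 'expiring'
          issued_recently.call(matched_session.data[:last_token_requested])
        else
          false
        end

      if verified
        @current_session = matched_session
        # Single use: clear the stored nonce so the same token cannot match again.
        # NOTE(review): this only changes the in-memory data; replay protection depends
        # on the session being saved afterwards - confirm the caller does so.
        @current_session.data[:link_nonce] = nil if token_type == 'nonce'
      end
    end
    raise SessionNonceMismatch, "Session Not Found" unless @current_session.present?
  elsif (session_key = params[:session_key] || session_key_header || flash[:session_key] || session[:session_key]).present?
    # A bare key gets no expiry, nonce or IP check in this method, so it acts as a
    # bearer credential wherever it travels (URL, header, flash, cookie session).
    @current_session = find_or_create_session(key: session_key)
  end

  @current_session ||= find_or_create_session(key: :create) if create_missing

  @current_session
end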

#current_session_data ⇒ Object

Deprecated.


# File 'lib/panda_pal/helpers/session_replacement.rb', line 64

# Returns the data object of the current session.
#
# Calls current_session with its default arguments, so a session is created when
# none exists yet.
#
# @deprecated Marked as deprecated in the generated documentation.
# @return [Object] whatever current_session.data returns
def current_session_data
  active_session = current_session
  active_session.data
end

#forbid_access_if_lacking_session ⇒ Object



# File 'lib/panda_pal/helpers/session_replacement.rb', line 72

# Responds with 401 Unauthorized and a plain-text hint unless valid_session? is true.
#
# @return [Object, nil] nil when the session is valid, otherwise the result of render
def forbid_access_if_lacking_session
  return if valid_session?

  render plain: 'You should do an LTI Tool Launch.', status: :unauthorized
end


# File 'lib/panda_pal/helpers/session_replacement.rb', line 105

# Builds the encrypted, signed session token for the given token type, memoized per
# type in @cached_link_nonces.
#
# Each type records the state that current_session later checks:
#   'nonce'    - stores a fresh SecureRandom.hex value in the session data and
#                embeds it in the token.
#   'fixed_ip' - stores request.remote_ip (first request only) and the issue time.
#   'expiring' - stores the issue time.
#
# NOTE(review): the stored state only takes effect if the session data is saved
# after this call - confirm the caller persists it.
# NOTE(review): for 'fixed_ip', request.remote_ip depends on the application's
# trusted-proxy configuration - verify it cannot be influenced by client headers.
#
# @param type [String, Symbol, Proc] token type; a Proc is evaluated with instance_exec
# @return [String] the result of session_cryptor.encrypt_and_sign
# @raise [StandardError] when the type is not one of the three supported values
def link_nonce(type: link_nonce_type)
  type = instance_exec(&type) if type.is_a?(Proc)
  token_kind = type.to_s

  @cached_link_nonces ||= {}
  memoized = @cached_link_nonces[token_kind]
  return memoized if memoized

  token_fields = {
    token_type: token_kind,
    session_key: current_session.session_key,
    organization_id: current_organization.id
  }

  case token_kind
  when 'nonce'
    current_session_data[:link_nonce] = SecureRandom.hex
    token_fields[:nonce] = current_session_data[:link_nonce]
  when 'fixed_ip'
    # The IP is pinned on first issue and kept for later tokens of this session.
    current_session_data[:remote_ip] ||= request.remote_ip
    current_session_data[:last_ip_token_requested] = DateTime.now.iso8601
  when 'expiring'
    current_session_data[:last_token_requested] = DateTime.now.iso8601
  else
    raise StandardError, "Unsupported link_nonce_type: '#{token_kind}'"
  end

  @cached_link_nonces[token_kind] = session_cryptor.encrypt_and_sign(token_fields.to_json)
end


# File 'lib/panda_pal/helpers/session_replacement.rb', line 133

# Returns the token type configured on the including class.
#
# @return [Object] the value of the class-level link_nonce_type
def link_nonce_type
  owner = self.class
  owner.link_nonce_type
end


# File 'lib/panda_pal/helpers/session_replacement.rb', line 93

# Builds a link through the view helpers, passing the session-carrying URL to link_to.
#
# NOTE(review): the URL is the only argument given to link_to, and Rails treats the
# first positional argument as the link name. Confirm the session URL is meant to be
# the visible link text rather than the target.
#
# @param args [Array] forwarded to url_with_session
# @param kwargs [Hash] forwarded to url_with_session
# @return [Object] the result of helpers.link_to
def link_with_session_to(*args, **kwargs)
  view = helpers
  view.link_to(url_with_session(*args, **kwargs))
end

#redirect_with_session_to(*args, **kwargs) ⇒ Object

Redirect with the session key intact. In production, handle this by adding a one-time-use encrypted token to the URL. Keeping it in the URL in development means that it plays nicely with webpack-dev-server live reloading (otherwise you get an access error every time it tries to live reload).



# File 'lib/panda_pal/helpers/session_replacement.rb', line 89

# Redirects to the URL produced by url_with_session, so the session travels with
# the redirect.
#
# @param args [Array] forwarded to url_with_session
# @param kwargs [Hash] forwarded to url_with_session
# @return [Object] the result of redirect_to
def redirect_with_session_to(*args, **kwargs)
  destination = url_with_session(*args, **kwargs)
  redirect_to destination
end

#save_session ⇒ Object



# File 'lib/panda_pal/helpers/session_replacement.rb', line 32

# Saves the current session if there is one that responds to save.
#
# Uses try, so a nil session (or one without a save method) yields nil instead of
# raising.
#
# @return [Object, nil] the result of save, or nil when it was not called
def save_session
  active_session = current_session
  active_session.try(:save)
end

#session_changed? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/panda_pal/helpers/session_replacement.rb', line 68

# Reports whether the current session has unsaved changes to its data attribute.
#
# @return [Boolean] true only when the session is changed and changes[:data] is present
def session_changed?
  dirty = current_session.changed?
  dirty && current_session.changes[:data].present?
end

#session_expiration_period_minutes ⇒ Object



# File 'lib/panda_pal/helpers/session_replacement.rb', line 137

# Validity window, in minutes, applied to 'fixed_ip' and 'expiring' session tokens
# when current_session compares their stored issue time against the clock.
#
# @return [Integer] 15
def session_expiration_period_minutes
  15
end

#session_url_for(*args, **kwargs) ⇒ Object



# File 'lib/panda_pal/helpers/session_replacement.rb', line 97

# Builds a URL with url_for from the parameters returned by build_session_url_params.
#
# @param args [Array] forwarded to build_session_url_params
# @param kwargs [Hash] forwarded to build_session_url_params
# @return [Object] the result of url_for
def session_url_for(*args, **kwargs)
  url_options = build_session_url_params(*args, **kwargs)
  url_for(url_options)
end

#url_with_session(location, *args, route_context: self, **kwargs) ⇒ Object



# File 'lib/panda_pal/helpers/session_replacement.rb', line 101

# Calls the method named by location on route_context, passing the arguments
# produced by build_session_url_params.
#
# location is dispatched with send, which can reach any method on route_context,
# private ones included. It must be a fixed name chosen by the application and never
# a value taken from the request.
#
# @param location [Symbol, String] name of the method to call on route_context
# @param args [Array] forwarded to build_session_url_params
# @param route_context [Object] receiver of the call; defaults to self
# @param kwargs [Hash] forwarded to build_session_url_params
# @return [Object] whatever the called method returns
def url_with_session(location, *args, route_context: self, **kwargs)
  helper_arguments = build_session_url_params(*args, **kwargs)
  route_context.send(location, *helper_arguments)
end

#verify_authenticity_token ⇒ Object



# File 'lib/panda_pal/helpers/session_replacement.rb', line 76

# Skips the inherited CSRF check when the request carried no cookies at all, and
# defers to super otherwise.
#
# Rationale from the original author: browsers that restrict cookie setting inside an
# IFrame would otherwise fail the CSRF check.
#
# NOTE(review): skipping is only safe if no other credential is attached to requests
# automatically when cookies are absent - confirm for every session source the
# application accepts.
#
# @return [Object, nil] nil when the check is skipped, otherwise the result of super
def verify_authenticity_token
  return if request.cookies.keys.empty?

  super
end