Make LTI11 validation fail non-fatal

tsugiproject · Aug 3, 2024 · 4c3816d · 4c3816d
1 parent 8b3a0a8
commit 4c3816d
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 16 deletions.
diff --git a/composer.json b/composer.json
@@ -38,7 +38,7 @@
         "react/dns" : ">=1.12.0",
         "react/socket" : ">=1.15.0",
 
-        "tsugi/lib": "dev-master#aaebe57fed058ea36a1d94b834e7e647acb51f4d",
+        "tsugi/lib": "dev-master#5457d480421839a53f5823dd653becd613407346",
         "koseu/lib": "dev-master#b9a31b7875108196dbdf284e685b813d424f2def"
     },
     "config": {

diff --git a/composer.lock b/composer.lock
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
@@ -7708,12 +7708,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/tsugiproject/tsugi-php.git",
-                "reference": "aaebe57fed058ea36a1d94b834e7e647acb51f4d"
+                "reference": "5457d480421839a53f5823dd653becd613407346"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/tsugiproject/tsugi-php/zipball/aaebe57fed058ea36a1d94b834e7e647acb51f4d",
-                "reference": "aaebe57fed058ea36a1d94b834e7e647acb51f4d",
+                "url": "https://api.github.com/repos/tsugiproject/tsugi-php/zipball/5457d480421839a53f5823dd653becd613407346",
+                "reference": "5457d480421839a53f5823dd653becd613407346",
                 "shasum": ""
             },
             "require": {
@@ -7727,7 +7727,7 @@
                 "phpunit/php-timer": "v5.0.3",
                 "phpunit/phpunit": "9.*"
             },
-            "time": "2024-07-31T18:44:36+00:00",
+            "time": "2024-08-03T03:52:28+00:00",
             "default-branch": true,
             "type": "library",
             "installation-source": "dist",

diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '7dd9f6ee4fe4d1c18f9d4d32cc5b6bf5243f0aa3',
+        'reference' => '8b3a0a88baf7c40138314ac7513dfd96d3d49704',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '7dd9f6ee4fe4d1c18f9d4d32cc5b6bf5243f0aa3',
+            'reference' => '8b3a0a88baf7c40138314ac7513dfd96d3d49704',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -1078,7 +1078,7 @@
         'tsugi/lib' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'aaebe57fed058ea36a1d94b834e7e647acb51f4d',
+            'reference' => '5457d480421839a53f5823dd653becd613407346',
             'type' => 'library',
             'install_path' => __DIR__ . '/../tsugi/lib',
             'aliases' => array(

diff --git a/vendor/tsugi/lib/src/Core/LTIX.php b/vendor/tsugi/lib/src/Core/LTIX.php
@@ -612,14 +612,21 @@ public static function setupSession($needed=self::ALL, $session_object=null, $re
                 self::abort_with_error_log('JWT validation fail key='.$issuer_key.' error='.$e->getMessage());
             }
 
-            // Check validity of LTI 1.1 transition data if it exists
+            // Check validity of LTI 1.1 transition data if it exists, if validation fails,
+            // just ignore it - don't fail.  Some LMS's seem to drop in an LTI 1.1 transition claim
+            // with not real data "just in case".  It it verifies, we are cool, if not ignore it.
             $lti11_transition_user_id = U::get($post, 'lti11_transition_user_id');
             if ( U::isNotEmpty($lti11_transition_user_id) ) {
                 $lti11_oauth_consumer_key = $row['key_key'];  // From the join
                 $lti11_oauth_consumer_secret = self::decrypt_secret($row['secret']);
                 $check = LTI13::checkLTI11Transition($jwt->body, $lti11_oauth_consumer_key, $lti11_oauth_consumer_secret);
-                if ( is_string($check) ) self::abort_with_error_log('LTI 1.1 Transition error: '.$check);
-                if ( ! $check ) self::abort_with_error_log('LTI 1.1 Transition signature mis-match key='.$lti11_oauth_consumer_key);
+                if ( is_string($check) ) {
+                    error_log('LTI 1.1 Transition error: '.$check);
+                    unset($post['lti11_transition_user_id']);
+                } else if ( ! $check ) {
+                    error_log('LTI 1.1 Transition signature mis-match key='.$lti11_oauth_consumer_key);
+                    unset($post['lti11_transition_user_id']);
+                }
             }
 
             $row['lti13_token_url'] = $token_url;