Do not enforce secure cookies in development for LTI deployments

MarkUsProject · Aug 9, 2024 · 07012b3 · 07012b3
1 parent 84027e0
commit 07012b3
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 7 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -50,6 +50,7 @@
 - Fixed flaky test #creates groups for individual students in groups_controller_spec (#7145)
 - Switch from SyntaxHighlighter to Prism for syntax highlighting (#7122)
 - Move jquery-ui and ui-contextmenu dependencies to package.json and upgrade jquery-ui to v1.13.3 (#7149)
+- Do not enforce secure cookies in development for LTI deployments (#7151)
 - Remove CI chromedriver version and Chrome dependency (#7170)
 - Update Jupyter notebook Javascript dependencies (require.js to v2.3.7, plotly.js to v2.34.0) (#7175)
 

diff --git a/app/controllers/lti_deployments_controller.rb b/app/controllers/lti_deployments_controller.rb
@@ -7,6 +7,8 @@ class LtiDeploymentsController < ApplicationController
   before_action(except: [:get_config, :launch, :public_jwk, :redirect_login]) { authorize! }
   before_action :check_host, only: [:launch, :redirect_login]
 
+  USE_SECURE_COOKIES = !Rails.env.local?
+
   def launch
     if params[:client_id].blank? || params[:login_hint].blank? ||
       params[:target_link_uri].blank? || params[:lti_message_hint].blank?
@@ -21,7 +23,7 @@ def launch
     lti_launch_data[:nonce] = nonce
     lti_launch_data[:state] = session_nonce
     cookies.permanent.encrypted[:lti_launch_data] =
-      { value: JSON.generate(lti_launch_data), expires: 1.hour.from_now, same_site: :none, secure: true }
+      { value: JSON.generate(lti_launch_data), expires: 1.hour.from_now, same_site: :none, secure: USE_SECURE_COOKIES }
     auth_params = {
       scope: 'openid',
       response_type: 'id_token',
@@ -104,7 +106,7 @@ def redirect_login
       unless logged_in?
         lti_data[:lti_redirect] = request.url
         cookies.encrypted.permanent[:lti_data] =
-          { value: JSON.generate(lti_data), expires: 1.hour.from_now, same_site: :none, secure: true }
+          { value: JSON.generate(lti_data), expires: 1.hour.from_now, same_site: :none, secure: USE_SECURE_COOKIES }
         redirect_to root_path
         return
       end

diff --git a/config/initializers/config.rb b/config/initializers/config.rb
@@ -190,7 +190,7 @@
       end
       optional(:lti).hash do
         optional(:course_filter_file).filled(:string)
-        optional(:domains).array(:str?)
+        required(:domains).array(:str?)
         required(:token_endpoint).filled(:string)
         optional(:unpermitted_new_course_message).filled(:string)
       end

diff --git a/config/settings/development.yml b/config/settings/development.yml
@@ -38,10 +38,8 @@ logging:
 autotest:
   max_batch_size: 10
 
-# The settings below are for an experimental feature that is not available
-# in production yet. Please disregard for now.
 lti:
   course_filter_file: <%= "#{::Rails.root}/config/dummy_lti_config.rb" %>
-  domains: <%= %w[host.docker.internal localhost] %>
-  token_endpoint: "http://host.docker.internal:80/#/oauth2/token"
+  domains: <%= %w[host.docker.internal] %>
+  token_endpoint: "http://host.docker.internal:3100/#/oauth2/token"
   unpermitted_new_course_message: 'You are not permitted to create a new MarkUs course for %{course_name}. Please contact your system administrator.'