UNPKG

caccl-lti

Version:

LTI launch validator for IMS-LTI standard launches.

github.com/gabeabrams/lti-launch-validator

gabeabrams/lti-launch-validator

130 lines (115 loc) 3.38 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
// Import libraries import express from 'express'; import oauth from 'oauth-signature'; import clone from 'fast-clone'; // Import caccl libs import CACCLStore from 'caccl-memory-store/lib/CACCLStore'; import NONCE_CACHE_LIFESPAN_SEC from './shared/constants/NONCE_LIFESPAN_SEC'; /** * Checks if an LTI launch request is valid. Throws an error if invalid * @author Gabe Abrams * @param opts object containing all arguments * @param opts.req Express request object to verify * @param opts.consumerSecret an LTI consumer secret to use for signature * signing * @param opts.store a nonce store to use for keeping track of used nonces * @param opts.startTimestamp time when store was created */ const validateLaunch = async ( opts: { req: express.Request, consumerSecret: string, store: CACCLStore, startTimestamp: number, }, ) => { const { req, consumerSecret, store, startTimestamp, } = opts; /*----------------------------------------*/ /* Parse request */ /*----------------------------------------*/ // Nonce if (!req.body?.oauth_nonce) { throw new Error('no nonce included'); } const nonce = String(req.body.oauth_nonce); // Timestamp if ( !req.body?.oauth_timestamp || Number.isNaN(Number.parseFloat(req.body.oauth_timestamp)) ) { throw new Error('no valid timestamp included'); } const timestamp = ( Number.parseFloat(req.body.oauth_timestamp) * 1000 ); // Signature if (!req.body?.oauth_signature) { throw new Error('no signature included'); } /*----------------------------------------*/ /* Check Nonce */ /*----------------------------------------*/ // Check if from before start if (timestamp <= startTimestamp) { throw new Error('nonce too old'); } // Check if expired const secDiff = Math.abs(Date.now() - timestamp) / 1000; if (secDiff > (NONCE_CACHE_LIFESPAN_SEC - 5)) { // Expired! throw new Error('nonce expired'); } // Add/replace in store const prevNonceOccurrence = await store.set( nonce, { timestamp }, ); if (prevNonceOccurrence) { // Nonce was already used throw new Error('nonce already used'); } /*----------------------------------------*/ /* Check Signature */ /*----------------------------------------*/ // Generate signature for verification // > Build URL const originalURL = (req.originalUrl || req.url); if (!originalURL) { // No url: cannot sign the request throw new Error('no URL to use in signature'); } // > Get path from original URL const urlNoQuery = originalURL.split('?')[0].split('#')[0]; const path = ( urlNoQuery // Remove protocol .replace(`${req.protocol}://`, '') // Remove host .replace(req.hostname, '') ); // Build another url const url = `https://${req.headers.host}${path}`; // > Remove oauth signature from body const body = clone(req.body); delete body.oauth_signature; // > Create signature const generatedSignature = decodeURIComponent( oauth.generate( req.method, url, body, consumerSecret, ) ); // Check the signature if (generatedSignature !== req.body.oauth_signature) { throw new Error('invalid signature'); } }; export default validateLaunch;