Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor LTI 1.1 validator #44

Merged
merged 2 commits into from
May 17, 2021
Merged

Refactor LTI 1.1 validator #44

merged 2 commits into from
May 17, 2021

Conversation

jgwerner
Copy link
Collaborator

The LTI 1.3 validator has more validation requirements than LTI 1.1. This PR refactors the validator to establish a more common pattern between both LTI versions.

Related to #39

yuvipanda
yuvipanda requested changes Apr 14, 2021
View reviewed changes
Copy link
Collaborator

@yuvipanda yuvipanda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a delight to review :)

ltiauthenticator/lti11/auth.py

launch_url = protocol + "://" + handler.request.host + handler.request.uri
self.log.debug(
"Original arguments received in request: %s" % handler.request.arguments
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will these be sensitive?

Copy link
Collaborator Author

@jgwerner jgwerner Apr 15, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yuvipanda Not that I am aware of. The launch request arguments could contain sensitive information if the integration with the LMS is set to public, in which case the username is fetched from one of the personally identifiable arguments, such as email. When the application is set to private, the user_id is an opaque identifier and not considered personally identifiable information (PII). But in these cases the arguments that would contain PII values are empty. The other arguments are related to context (courses) or assignments/modules (resources), etc. Lastly, there are oauth_* arguments but these shouldn't be that sensitive. We could obfuscate some or all arguments from the request for logging, what do you think?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that it's debug logging I think it's ok. We already log user_ids elsewhere in JupyterHub.

ltiauthenticator/lti11/auth.py Show resolved Hide resolved
ltiauthenticator/utils.py Outdated Show resolved Hide resolved
ltiauthenticator/utils.py Outdated Show resolved Hide resolved
jgwerner
jgwerner commented Apr 15, 2021
View reviewed changes
Copy link
Collaborator Author

@jgwerner jgwerner left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yuvipanda thanks for the review and the suggestions! Perhaps we could contribute a PR to add a feature to esapism so users can truncate the string to a predetermined number of characters and have the string length default to 253, although it's unlikely that it would be longer. I don't see that option in the esapism package. We can truncate the string length based on the specific needs for Kubernetes / Docker names separately.

@jgwerner jgwerner mentioned this pull request Apr 15, 2021
Merged
@jgwerner
Copy link
Collaborator Author

@yuvipanda PR #43 is now updated to replace the custom utility functions with escapism.

@jgwerner
Copy link
Collaborator Author

@yuvipanda to make the review process a little simpler for you I rebased this branch with #43.

@jgwerner
refactor authenticator, validator, and add tests
dea788a 
Signed-off-by: Greg Werner <werner.greg@gmail.com>
@jgwerner
remove unused fixtures
1a52ee6 
Signed-off-by: Greg Werner <werner.greg@gmail.com>
@yuvipanda yuvipanda mentioned this pull request May 17, 2021
Open
@yuvipanda
Copy link
Collaborator

Thank you very much for your patience, @jgwerner!

@yuvipanda yuvipanda merged commit 98fe61a into jupyterhub:master May 17, 2021
@yuvipanda yuvipanda mentioned this pull request May 17, 2021
Closed
@consideRatio
Copy link
Member

Wieeee thank you for your effort on this @jgwerner ❤️ 🎉 🌻 !!

@jgwerner jgwerner mentioned this pull request May 20, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuvipanda yuvipanda yuvipanda approved these changes

Assignees
No one assigned
Labels
maintenance
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jgwerner @yuvipanda @consideRatio