code-dot-org · artem-vavilov · Apr 16, 2024 · Apr 15, 2024 · Apr 16, 2024 · carl-codeorg
diff --git a/dashboard/app/assets/stylesheets/errors.scss b/dashboard/app/assets/stylesheets/errors.scss
@@ -1,7 +1,7 @@
 @import "color";
 @import "font";
 
-.not-found-page {
+.error-page, .not-found-page {
   body {
     @include main-font-regular;
     font-size: 14px;
@@ -102,3 +102,9 @@
     line-height: 1.2em;
   }
 }
+
+#lti-unsupported-message-type.error-page {
+  & .error-child {
+    max-width: 450px;
+  }
+}
diff --git a/dashboard/app/controllers/lti_v1_controller.rb b/dashboard/app/controllers/lti_v1_controller.rb
@@ -135,8 +135,12 @@ def authenticate
     jwt_verifier = JwtVerifier.new(decoded_jwt, integration)
 
     if jwt_verifier.verify_jwt
-      message_type = decoded_jwt[:'https://purl.imsglobal.org/spec/lti/claim/message_type']
-      return wrong_resource_type unless message_type == 'LtiResourceLinkRequest'
+      message_type = decoded_jwt[Policies::Lti::MessageType::CLAIM]
+      if Policies::Lti::MessageType::SUPPORTED.exclude?(message_type)
+        return render status: :not_acceptable, template: 'lti/v1/authenticate/unsupported_message_type', locals: {
+          message_type: message_type,
+        }
+      end
 
       user = Queries::Lti.get_user(decoded_jwt)
       target_link_uri = decoded_jwt[:'https://purl.imsglobal.org/spec/lti/claim/target_link_uri']
@@ -424,10 +428,6 @@ def confirm_upgrade_account
     render(status: :unauthorized, json: {error: 'Unauthorized'})
   end
 
-  private def wrong_resource_type
-    render(status: :not_acceptable, json: {error: I18n.t('lti.error.wrong_resource_type')})
-  end
-
   private def create_state_and_nonce
     state = generate_random_string 10
     nonce = Digest::SHA2.hexdigest(generate_random_string(10))

diff --git a/dashboard/app/views/lti/v1/authenticate/unsupported_message_type.html.haml b/dashboard/app/views/lti/v1/authenticate/unsupported_message_type.html.haml
@@ -0,0 +1,12 @@
+#lti-unsupported-message-type.error-page
+  .error-parent
+    .error-child
+      = image_tag '/shared/images/sad-bee-avatar.png'
+      %br
+      .error-message
+        %h1= t('lti.error.unsupported_message_type')
+        != t('lti.error.unsupported_message_type_desc', message_type: message_type, supported_methods_url: SharedConstants::LMS_LINKS.SUPPORTED_METHODS_URL, markdown: true)
+        %br
+        %br
+        %a{href: root_url}
+          %button= I18n.t(:page_not_found_button)
@@ -1423,7 +1423,11 @@ en:
       integration_exists: "Lti Integration already exists for this Client ID"
       missing_params: "Missing required param(s): School/District name, Client ID, LMS, Email"
       unsupported_lms_type: "Unsupported LMS platform type"
-      wrong_resource_type: "Only LtiResourceLink is supported right now"
+      unsupported_message_type: Unsupported LTI message type
+      unsupported_message_type_desc: |
+        Sorry! It looks like you are trying to launch the Code.org Integration via a %{message_type}.
+        This isn't currently supported.
+        Please try launching Code.org again from a [supported method](%{supported_methods_url}).
       missing_tool_config: 'Your LTI Tool configuration is missing the required "%{field}" field'
     iframe_button: "Open in New Tab"
     iframe_message: "Code.org cannot be run in an embedded window. Please open it in a new tab."

diff --git a/dashboard/lib/policies/lti.rb b/dashboard/lib/policies/lti.rb
@@ -7,6 +7,13 @@ module AccessTokenScopes
     CONTEXT_MEMBERSHIP = 'https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly'.freeze
   end
 
+  module MessageType
+    CLAIM = :'https://purl.imsglobal.org/spec/lti/claim/message_type'
+    SUPPORTED = [
+      RESOURCE_LINK_REQUEST = 'LtiResourceLinkRequest'.freeze,
+    ].freeze
+  end
+
   ALL_SCOPES = AccessTokenScopes.constants.map do |scope|
     AccessTokenScopes.const_get(scope)
   end

diff --git a/dashboard/test/controllers/lti_v1_controller_test.rb b/dashboard/test/controllers/lti_v1_controller_test.rb
@@ -456,6 +456,9 @@ def create_valid_jwt_raise_error
     jwt = create_jwt(payload)
     post '/lti/v1/authenticate', params: {id_token: jwt, state: @state}
     assert_response :not_acceptable
+    assert_match 'Unsupported LTI message type', @response.body
+    assert_match 'Sorry! It looks like you are trying to launch the Code.org Integration via a file.', @response.body
+    assert_match 'Please try launching Code.org again from a <a href="https://github.com/code-dot-org/code-dot-org/blob/staging/docs/lti-integration.md#option-2-manual-entry">supported method</a>.', @response.body
   end
 
   test 'auth - error raised in decoding jwt' do

diff --git a/lib/cdo/shared_constants.rb b/lib/cdo/shared_constants.rb
@@ -692,6 +692,8 @@ module SharedConstants
       INTEGRATION_EARLY_ACCESS_URL: 'https://docs.google.com/forms/d/e/1FAIpQLScjfVR4CZs8Utf5vI4mz3e1q8vdH6RNIgTUWygZXN0oovBSQg/viewform',
       INTEGRATION_BUG_REPORT_URL: 'https://support.code.org/hc/en-us/requests/new?ticket_form_id=14998494738829&tf_23889708=lms_eaf',
       ADDITIONAL_FEEDBACK_URL: 'https://studio.code.org/form/lms_integration_modal_feedback',
+      # TODO(P20-873): Replace SUPPORTED_METHODS_URL with the link to the supported methods documentation
+      SUPPORTED_METHODS_URL: 'https://github.com/code-dot-org/code-dot-org/blob/staging/docs/lti-integration.md#option-2-manual-entry',
     }
   ).freeze