v7.27

@cpl-automation released this 10 Mar 03:37 (commit a960165)

Release Notes

This update introduces a refreshed design, along with important bug fixes and improvements.

UI

New Features

  • The main PingPong app adopts the new design introduced for Canvas Connect, featuring a more responsive interface that puts conversations front and center, with more space for threads, messages, and the content that matters most.

Updates & Improvements

  • In larger screen sizes, the sidebar is expanded, with the option to collapse it always available.
  • In larger screen sizes, thread conversations remain centered with a maximum width.
  • The expand/collapse button icons in the sidebar have been replaced, and a helper tooltip was added.

Notes

  • Share Link anonymous sessions and viewing public pages when unauthenticated retain the existing design.

Canvas Connect

New Features

  • URL validation is now configured through a structured [lti.security] section, with optional per-endpoint overrides for OpenID configuration, authorization, token, JWKS, Names and Role, and registration endpoints.
  • Use the new structured [lti.security] configuration section with allow/deny pattern lists. Host patterns support wildcards for subdomain matching (e.g. *.instructure.com matches school.instructure.com) and path patterns support glob matching (e.g. /api/lti/*).
  • Use the new deny configuration lists for explicitly blocking specific hosts or paths. Deny rules are evaluated before allow rules.
  • Redirect handling for fetched LTI endpoints is now validated hop-by-hop against the configured host/path rules for that endpoint.
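As an added illustration of the matching rules described above (this is example code, not PingPong's own implementation), the following Python applies host wildcards, path globs and deny-before-allow ordering, canonicalizes a path without double-encoding bytes that are already percent-encoded, and validates a redirect chain hop by hop before each hop is fetched. The rule set and the redirect responses are constructed for the example; treating `*` inside a path glob as spanning `/` and matching hosts case-insensitively are assumptions of this example, not documented PingPong behavior.

```python
import fnmatch
from urllib.parse import quote, unquote, urljoin, urlsplit

# Constructed [lti.security]-style rule set for this example (not a real deployment's config).
RULES = {
    "allow_http_in_development": False,
    "hosts": {"allow": ["*.instructure.com", "canvas.example.edu"],
              "deny": ["legacy.instructure.com"]},
    "paths": {"allow": ["/.well-known/openid-configuration", "/api/lti/*"],
              "deny": ["/api/lti/internal/*"]},
}


def host_matches(pattern, host):
    """Host patterns: '*' matches anything, '*.example.com' matches any subdomain
    (but not the bare apex); everything else is an exact, case-insensitive match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] == ".example.com"
    return pattern == host


def path_matches(pattern, path):
    """Path patterns are globs; assumption: '*' also spans '/', so /api/lti/* covers nested paths."""
    return pattern == "*" or fnmatch.fnmatchcase(path, pattern)


def canonical_path(path):
    """Decode once, then re-encode, so bytes that are already percent-encoded are not
    encoded a second time; applying this function twice yields the same result."""
    return quote(unquote(path or "/"))


def is_allowed(url, rules=RULES):
    """Deny rules are evaluated before allow rules, for hosts and paths alike."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = canonical_path(parts.path)
    http_ok = parts.scheme == "http" and rules["allow_http_in_development"]
    if parts.scheme != "https" and not http_ok:
        return False
    if any(host_matches(p, host) for p in rules["hosts"]["deny"]):
        return False
    if any(path_matches(p, path) for p in rules["paths"]["deny"]):
        return False
    return (any(host_matches(p, host) for p in rules["hosts"]["allow"])
            and any(path_matches(p, path) for p in rules["paths"]["allow"]))


def follow_validated(start_url, responses, rules=RULES, max_hops=5):
    """Walk a redirect chain, checking every hop against the rules before it is fetched.
    `responses` stands in for HTTP: url -> (status, Location header or body)."""
    url = start_url
    for _ in range(max_hops + 1):
        if not is_allowed(url, rules):
            return ("blocked", url)
        status, value = responses[url]
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, value)  # resolve a relative Location against the current hop
            continue
        return ("ok", url)
    return ("too_many_redirects", url)


# Constructed redirect chains standing in for real fetches.
RESPONSES = {
    "https://school.instructure.com/.well-known/openid-configuration":
        (302, "/api/lti/security/openid-configuration"),
    "https://school.instructure.com/api/lti/security/openid-configuration":
        (200, '{"issuer": "https://school.instructure.com"}'),
    "https://canvas.example.edu/api/lti/start":
        (302, "https://legacy.instructure.com/api/lti/security/openid-configuration"),
    "https://legacy.instructure.com/api/lti/security/openid-configuration":
        (200, "never fetched: the hop is rejected before the request is made"),
}

if __name__ == "__main__":
    print(follow_validated("https://school.instructure.com/.well-known/openid-configuration", RESPONSES))
    print(follow_validated("https://canvas.example.edu/api/lti/start", RESPONSES))
```

The second chain shows why the hop-by-hop check matters: the starting URL is allowed, but the `Location` it returns points at a denied host, and the deny rule wins even though `*.instructure.com` is on the allow list.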

Updates & Improvements

  • Defaults for hosts and paths reflect the default behavior in PingPong 7.20 or earlier (allow = ["*"]) instead of requiring an explicit allowlist, reducing setup friction for new deployments.
  • Canvas Connect now normalizes the token endpoint before both requesting the token and building the client assertion audience, preventing aud mismatches when http:// endpoints are upgraded to https://.

Resolved Issues

  • Fixed: Already percent-encoded LTI path bytes may be double-encoded during URL sanitization, which can corrupt canonicalized or redirect URLs before allow/deny checks.
  • Fixed: OpenID discovery URL validation may ignore configured global lti.security.paths rules when deprecated LTI keys are still present.
  • Fixed: LTI launches may accept and persist invalid NRPS context_memberships_url values without validation.

Deprecations

  • The following LTI config keys are deprecated and will be removed in the next major release (PingPong 8.0): lti.platform_url_allowlist, lti.openid_configuration_paths, lti.dev_http_hosts.
    • The deprecated LTI config keys have been replaced by a structured [lti.security] section that supports allow/deny patterns for both hosts and paths. The deprecated LTI config keys will continue to work until the next major PingPong release but will emit a warning at startup.
    • New fields map as follows:
      • lti.platform_url_allowlist -> lti.security.openid_configuration.hosts.allow
      • lti.openid_configuration_paths -> lti.security.openid_configuration.paths.allow
      • lti.dev_http_hosts -> lti.security.allow_http_in_development
    • Existing configs using the old keys will be automatically migrated at startup. A deprecation warning will be logged with migration instructions. Update your config before upgrading to PingPong 8.0.
  • The lti suggest-config-from-db CLI command has been removed with no replacement. If you relied on the CLI command to derive allowlist entries from existing registrations, check the deprecation warnings for migration instructions or configure hosts.allow manually.

Notes

  • See below for a migration example from the deprecated LTI keys setup to the new [lti.security] configuration:

    Before (deprecated):

    [lti]
    platform_url_allowlist = ["canvas.example.edu"]
    dev_http_hosts = ["localhost", "canvas.docker"]
    
    [lti.openid_configuration_paths]
    mode = "append"
    paths = ["/custom/openid-config"]

    After (new):

    [lti.security]
    allow_http_in_development = true
    
    [lti.security.hosts]
    allow = ["canvas.example.edu", "localhost", "canvas.docker"]
    deny = []
    
    [lti.security.paths]
    allow = ["*"]
    deny = []
    
    [lti.security.openid_configuration.paths]
    allow = [
      "/.well-known/openid-configuration",
      "/.well-known/openid",
      "/api/lti/security/openid-configuration",
      "/custom/openid-config",
    ]
    deny = []

    Key Differences:

    • platform_url_allowlist now maps to the global hosts.allow list, not just OpenID discovery.
    • openid_configuration_paths is replaced by lti.security.openid_configuration.paths.allow.
    • Legacy-only configs keep the legacy default OpenID discovery paths. If you used mode = "append", merge the default paths with your custom ones into paths.allow.
    • dev_http_hosts is replaced by the boolean allow_http_in_development (defaults to true). Per-host HTTP control is no longer supported.
    • Both hosts and paths now support wildcard patterns (["*"] allows all).
    • If both legacy and new keys are provided, the new lti.security.openid_configuration.* values take precedence.
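The following Python is an added example of the key mapping and precedence rules listed under Deprecations and in the migration example above; it is not the project's own migration code. It folds the legacy `[lti]` keys from the "Before" example into `[lti.security]`, merges the legacy default discovery paths with the custom ones when `mode = "append"` is set, and lets explicit `lti.security.*` values win over legacy-derived ones. Two points are assumptions of this example: any `mode` other than `"append"` is treated as replacing the defaults, and `dev_http_hosts` entries are copied into `hosts.allow` (as the "After" example shows) in addition to setting the boolean.

```python
import copy
import logging

log = logging.getLogger("lti.config")

# Legacy default OpenID discovery paths, as listed in the "After" example above.
LEGACY_DEFAULT_OPENID_PATHS = [
    "/.well-known/openid-configuration",
    "/.well-known/openid",
    "/api/lti/security/openid-configuration",
]
LEGACY_KEYS = ("platform_url_allowlist", "openid_configuration_paths", "dev_http_hosts")

# Constructed: the "Before (deprecated)" example above, as a TOML parser would return it.
LEGACY_LTI = {
    "platform_url_allowlist": ["canvas.example.edu"],
    "dev_http_hosts": ["localhost", "canvas.docker"],
    "openid_configuration_paths": {"mode": "append", "paths": ["/custom/openid-config"]},
}


def _dedupe(*lists):
    """Concatenate lists, keeping first-occurrence order and dropping repeats."""
    seen, out = set(), []
    for item in (x for lst in lists for x in lst):
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def migrate_lti_config(lti):
    """Return a copy of the [lti] table with deprecated keys folded into [lti.security].

    Values already present under [lti.security] take precedence over legacy-derived ones
    (assumption: the page states this for openid_configuration.*; it is applied generally here).
    """
    lti = copy.deepcopy(lti)
    present = [k for k in LEGACY_KEYS if k in lti]
    if not present:
        return lti  # nothing to migrate

    allowlist = lti.pop("platform_url_allowlist", None) or []
    dev_hosts = lti.pop("dev_http_hosts", None) or []
    openid = lti.pop("openid_configuration_paths", None) or {}
    sec = lti.setdefault("security", {})

    # platform_url_allowlist (plus dev hosts) -> the global hosts.allow list
    hosts = sec.setdefault("hosts", {})
    merged_hosts = _dedupe(allowlist, dev_hosts)
    if merged_hosts:
        hosts.setdefault("allow", merged_hosts)
    hosts.setdefault("deny", [])

    # dev_http_hosts -> the boolean allow_http_in_development (per-host control is gone)
    if dev_hosts:
        sec.setdefault("allow_http_in_development", True)

    # openid_configuration_paths -> openid_configuration.paths.allow
    oidc_paths = sec.setdefault("openid_configuration", {}).setdefault("paths", {})
    if "allow" not in oidc_paths:  # an explicit new value takes precedence
        custom = list(openid.get("paths", []))
        if openid.get("mode", "append") == "append":  # assumption: any other mode replaces
            custom = _dedupe(LEGACY_DEFAULT_OPENID_PATHS, custom)
        # legacy-only configs keep the legacy default discovery paths
        oidc_paths["allow"] = custom or list(LEGACY_DEFAULT_OPENID_PATHS)
    oidc_paths.setdefault("deny", [])

    log.warning("Deprecated [lti] keys %s were migrated into [lti.security]; "
                "update the config before upgrading to PingPong 8.0", ", ".join(present))
    return lti


if __name__ == "__main__":
    import json
    print(json.dumps(migrate_lti_config(LEGACY_LTI), indent=2))
```

Running the block prints the migrated table for the "Before" example; the result matches the "After" configuration above, with the three legacy default discovery paths followed by `/custom/openid-config`.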

Internal

Updates & Improvements

  • Dependency updates.
  • Updated permissions for Claude workflows to allow writing comments in PRs and issues, and to allow Claude to read CI results on PRs.
  • Added a progress tracker for the Claude code review workflow.

Resolved Issues

  • Fixed: Claude code reviews triggered by @claude review may fail because track_progress is requested unconditionally, including for events that do not support it.

Deployment Information

  • Schema Upgrade: No
  • Migration Script: No
  • Permissions Update: No
  • Task Definition Update: No
  • Configuration Update: YES

Deployment Details

  • Configuration Update: Use the new structured [lti.security] configuration section.

Related PRs

  • deps(web-dev): bump the development-dependencies group in /web/pingpong with 7 updates by @dependabot[bot] in #1510
  • deps(gha): bump the github-actions group with 4 updates by @dependabot[bot] in #1508
  • deps(web): bump the production-dependencies group in /web/pingpong with 4 updates by @dependabot[bot] in #1509
  • feat(ui): expand LTI redesign to main app by @ekassos in #1512
  • feat(lti): streamline LTI endpoint checks by @ekassos in #1513
  • fix(lti): validate NRPS URLs during launch and other fixes by @ekassos in #1514
  • chore: update claude workflow permissions by @ekassos in #1515
  • fix: claude's track_progress not always supported by @ekassos in #1516
  • deps(py): update pytz requirement from <2026.0,>=2025.2 to >=2025.2,<2027.0 in the production-dependencies group by @dependabot[bot] in #1507

Full Changelog: v1135+srv574.web403...v1142+srv577.web406