Add setting to change ttl on AccessVerifier

5 minutes sometimes just isn't enough. This makes it so it is configurable and not hard coded. Test Plan: * Add a video to a course * insert a video tag into the html of a page. ie: ``` <p><video style="border: 2px solid black;" width="450" height="225" controls="controls"> <source src="/courses/<course_id>/files/<file_id>/download" /></video></p> ``` * Inspect the network traffic while watching the video. * Obtain the jwt used to download the video. * Inspect that jwt and the exp should be the minutes out of what ever is set in the Setting, default 5 minutes.
instructure · Mar 21, 2022 · 3426305 · 3426305
1 parent 3515d7e
commit 3426305
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 5 deletions.
diff --git a/app/models/users/access_verifier.rb b/app/models/users/access_verifier.rb
@@ -21,8 +21,6 @@
 
 module Users
   module AccessVerifier
-    TTL_MINUTES = 5
-
     class InvalidVerifier < RuntimeError
     end
 
@@ -40,7 +38,7 @@ def self.generate(claims)
       jwt_claims[:root_account_id] = root_account.global_id.to_s if root_account
       jwt_claims.merge!(claims.slice(:oauth_host, :return_url, :fallback_url))
 
-      expires = TTL_MINUTES.minutes.from_now
+      expires = Setting.get("access_verifier.ttl_minutes", "5").to_i.minutes.from_now
       key = nil # use default key
       { sf_verifier: Canvas::Security.create_jwt(jwt_claims, expires, key, :HS512) }
     end

diff --git a/spec/controllers/files_controller_spec.rb b/spec/controllers/files_controller_spec.rb
@@ -367,7 +367,7 @@ def file_with_path(path)
 
       # second use after verifier expiration but before session expiration.
       # expired verifier should be ignored but session should still be extended
-      Timecop.freeze((Users::AccessVerifier::TTL_MINUTES + 1).minutes.from_now) do
+      Timecop.freeze((Setting.get("access_verifier.ttl_minutes", "5").to_i + 1).minutes.from_now) do
         get "show", params: verifier.merge(id: file.id)
       end
       expect(response).to be_successful

diff --git a/spec/models/users/access_verifier_spec.rb b/spec/models/users/access_verifier_spec.rb
@@ -91,7 +91,7 @@ module Users
 
       it "raises InvalidVerifier if too old" do
         verifier = Users::AccessVerifier.generate(user: user)
-        Timecop.freeze(10.minutes.from_now) do
+        Timecop.freeze((Setting.get("access_verifier.ttl_minutes", "5").to_i + 1).minutes.from_now) do
           expect { Users::AccessVerifier.validate(verifier) }.to raise_exception(Canvas::Security::TokenExpired)
         end
       end