
added pretend nonce security

1 parent 0257b09 commit d6a103bba8cf794378eb63e7a88d929ccb3c084c @bracken bracken committed Mar 14, 2012
Showing with 23 additions and 5 deletions.
  1. +1 −1 Gemfile
  2. +22 −4 tool_consumer.rb
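--- a/Gemfile
+++ b/Gemfile
@@ -1,5 +1,5 @@
 gem 'sinatra'
-gem 'ims-lti'
+gem 'ims-lti', "~>1.0.2"
 group :development do
 gem 'shotgun'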
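--- a/tool_consumer.rb
+++ b/tool_consumer.rb
@@ -81,10 +81,19 @@
 req = IMS::LTI::OutcomeRequest.from_post_request(request)
 sourcedid = req.lis_result_sourcedid
-# todo - create some key management system
+# todo - create some simple key management system
 consumer = IMS::LTI::ToolConsumer.new('test', 'secret')
 if consumer.valid_request?(request)
+if consumer.request_oauth_timestamp.to_i - Time.now.utc.to_i > 60*60
+throw_oauth_error
+end
+# this isn't actually checking anything like it should, just want people
+# implementing real tools to be aware they need to check the nonce
+if was_nonce_used_in_last_x_minutes?(consumer.request_oauth_nonce, 60)
+throw_oauth_error
+end
+
 res = IMS::LTI::OutcomeResponse.new
 res.message_ref_identifier = req.message_identifier
 res.operation = req.operation
@@ -107,7 +116,16 @@
 headers 'Content-Type' => 'text/xml'
 res.generate_response_xml
 else
-response['WWW-Authenticate'] = "OAuth realm=\"http://#{request.env['HTTP_HOST']}\""
-throw(:halt, [401, "Not authorized\n"])
+throw_oauth_error
 end
-end
+end
+
+def throw_oauth_error
+response['WWW-Authenticate'] = "OAuth realm=\"http://#{request.env['HTTP_HOST']}\""
+throw(:halt, [401, "Not authorized\n"])
+end
+
+def was_nonce_used_in_last_x_minutes?(nonce, minutes=60)
+# some kind of caching solution or something to keep a short-term memory of used nonces
+false
+end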
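Review bot: The timestamp guard added in the first hunk (`if consumer.request_oauth_timestamp.to_i - Time.now.utc.to_i > 60*60`) only rejects timestamps that lie more than an hour in the future; for an old, replayed timestamp the subtraction is negative and the comparison never fires, so the freshness check does nothing against the replay it is meant to catch. Compare the absolute drift instead: `if (Time.now.utc.to_i - consumer.request_oauth_timestamp.to_i).abs > 60*60`. The route block enclosing these checks begins before the hunk. The `was_nonce_used_in_last_x_minutes?` stub at the end of the second hunk always returns `false` and never records the nonce it is handed, which the existing comment only partly conveys; I would extend it with `# a real implementation must store each nonce it sees and reject a repeat within the same window the timestamp check uses, otherwise the two checks together do not bound a replay`, and drop or use the unused `minutes` parameter so the window is not silently ignored.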
