add jti to the inst-fs tokens

flag = none refs SAS-1578 test plan: * inst-fs should still work * there should be a jti in the verifier token Change-Id: I8970bd6b4e4f54bb6e27a994250fdd2bd4ff75f7 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/253771 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Jonathan Featherstone <jfeatherstone@instructure.com> QA-Review: Nathan Mills <nathanm@instructure.com> Product-Review: Nathan Mills <nathanm@instructure.com>
2020-11-25 15:05:28 -07:00 · 2020-11-25 15:05:28 -07:00 · e2e4408995
parent 75d9270384
commit e2e4408995
2 changed files with 25 additions and 17 deletions
--- a/lib/inst_fs.rb
+++ b/lib/inst_fs.rb
@ -63,6 +63,7 @@ module InstFS
    end

    def authenticated_url(attachment, options={})
+      options[:jti]= SecureRandom.uuid
      query_params = { token: access_jwt(access_path(attachment), options) }
      query_params[:download] = 1 if options[:download]
      access_url(attachment, query_params)
@ -357,7 +358,6 @@ module InstFS
      whole, remainder = number.divmod(step)
      whole * step
    end
-
    # If we just say every token was created at Time.now, since that token
    # is included in the url, every time we make a url it will be a new url and no browser
    # will never be able to get it from their cache. Which means, for example: every time you
@ -400,6 +400,7 @@ module InstFS
        resource: resource,
        host: options[:oauth_host]
      }
+      claims[:jti] = options[:jti] if options.has_key? :jti
      if options[:acting_as] && options[:acting_as] != options[:user]
        claims[:acting_as_user_id] = options[:acting_as].global_id.to_s
      end
--- a/spec/lib/inst_fs_spec.rb
+++ b/spec/lib/inst_fs_spec.rb
@ -136,22 +136,6 @@ describe InstFS do
        end
      end

-      it "generates the same url within a cache window of time so it's not unique every time" do
-        url1 = InstFS.authenticated_url(@attachment)
-        url2 = InstFS.authenticated_url(@attachment)
-        expect(url1).to eq(url2)
-
-        Timecop.freeze(1.day.from_now) do
-          url3 = InstFS.authenticated_url(@attachment)
-          expect(url1).to_not eq(url3)
-
-          first_token = url1.split(/token=/).last
-          expect(->{
-            Canvas::Security.decode_jwt(first_token, [ secret ])
-          }).to raise_error(Canvas::Security::TokenExpired)
-        end
-      end
-
      it "retries if imperium is timing out" do
        times_called = 0
        allow(Canvas::DynamicSettings).to receive(:find).with(service: "inst-fs", default_ttl: 5.minutes) do
@ -212,6 +196,12 @@ describe InstFS do
          expect(claims[:user_id]).to be_nil
        end

+        it "includes a jti in the token" do
+          url = InstFS.authenticated_url(@attachment, expires_in: 1.hour)
+          token = url.split(/token=/).last
+          expect(Canvas::Security.decode_jwt(token, [ secret ])).to have_key(:jti)
+        end
+
        describe "legacy api claims" do
          let(:root_account) { Account.default }
          let(:access_token) { instance_double("AccessToken", global_developer_key_id: 106) }
@ -283,6 +273,23 @@ describe InstFS do
          }).to raise_error(Canvas::Security::TokenExpired)
        end
      end
+
+      it "generates the same url within a cache window of time so it's not unique every time" do
+        url1 = InstFS.authenticated_thumbnail_url(@attachment)
+        url2 = InstFS.authenticated_thumbnail_url(@attachment)
+        expect(url1).to eq(url2)
+
+        Timecop.freeze(1.day.from_now) do
+          url3 = InstFS.authenticated_thumbnail_url(@attachment)
+          expect(url1).to_not eq(url3)
+
+          first_token = url1.split(/token=/).last
+          expect(->{
+            Canvas::Security.decode_jwt(first_token, [ secret ])
+          }).to raise_error(Canvas::Security::TokenExpired)
+        end
+      end
+
    end

    context "upload_preflight_json" do