allow oauth to be up to 60 seconds in the future

fixes PLAT-1940 test plan: create a grade passback with the timestamp between 0 and 60 seconds in the future. it should not be rejected create a grade passback with the timestamp more then 60 seconds in the future it should be rejected Change-Id: Ica50c433efa0b7303a4031ab13f6edfebd5c73cd Reviewed-on: https://gerrit.instructure.com/94251 Tested-by: Jenkins QA-Review: August Thornton <august@instructure.com> Reviewed-by: Andrew Butterfield <abutterfield@instructure.com> Product-Review: Karl Lloyd <karl@instructure.com>
2016-11-02 12:02:13 -06:00 · 2016-11-02 12:02:13 -06:00 · f27fa72c45
parent 2209b532c0
commit f27fa72c45
2 changed files with 12 additions and 4 deletions
--- a/lib/lti/security.rb
+++ b/lib/lti/security.rb
@ -94,10 +94,11 @@ module Lti
    ## |---exp---now---timestamp---| INVALID
    ##
    def self.check_and_store_nonce(cache_key, timestamp, expiration)
+      allowed_future_skew = 1.minute
      valid = timestamp.to_i > expiration.ago.to_i
-      valid &&= timestamp.to_i <= Time.now.to_i
+      valid &&= timestamp.to_i <= (Time.now + allowed_future_skew).to_i
      valid &&= !Rails.cache.exist?(cache_key)
-      Rails.cache.write(cache_key, 'OK', expires_in: expiration) if valid
+      Rails.cache.write(cache_key, 'OK', expires_in: expiration + allowed_future_skew) if valid
      valid
    end

--- a/spec/lib/lti/security_spec.rb
+++ b/spec/lib/lti/security_spec.rb
@ -73,13 +73,20 @@ describe Lti::Security do
        expect(Lti::Security.check_and_store_nonce(cache_key, timestamp, expiration)).to be false
      end

-      it 'rejects a nonce in the future' do
+      it 'rejects a nonce more than 1 minute in the future' do
        cache_key = 'abcdefghijklmnopqrstuvwxyz'
        expiration = 5.minutes
-        timestamp = 5.minutes.from_now
+        timestamp = 61.seconds.from_now
        expect(Lti::Security.check_and_store_nonce(cache_key, timestamp, expiration)).to be false
      end

+      it 'accepts a nonce less than 1 minute in the future' do
+        cache_key = 'abcdefghijklmnopqrstuvwxyz'
+        expiration = 5.minutes
+        timestamp = 59.seconds.from_now
+        expect(Lti::Security.check_and_store_nonce(cache_key, timestamp, expiration)).to be true
+      end
+
    end

    it "generates a correct signature" do