canvas-lms

History

Xander Moffatt 218ae2f239 fix: stop caching non-canvas PandataEvents tokens why: * Canvas mobile apps request a PandataEvents token for use on their end * with the introduction of PandataEvents sending for Canvas, this code was refactored, which included caching tokens for Canvas's use * caching auth tokens here means that the cached token expires in less than a day, but the expires_at passed in the response is always 1 day from now * if the mobile apps rely on expires_at to say "this token is valid until X", then they will be using expired tokens refs INTEROP-8391 flag=none test plan: * create an API-type developer key and enable it for your root account * get a token from that key - easiest way is in the Rails console: ``` u = User.find(<your admin user>) developer_key = DeveloperKey.last # your new key token = u.access_tokens.create!(developer_key:) token.full_token # copy this ``` * configure Canvas for PandataEvents by copying the config section for `pandata/events`from config/dynamic_settings.yml.example to config/dynamic_settings.yml, and the section for pandata_creds from config/vault_contents.yml.example to config/vault_contents.yml * in a Rails console: ``` Setting.set("pandata_events_token_allowed_developer_key_ids", developer_key.global_id.to_s) Setting.set("pandata_events_token_prefixes","canvas") ``` * restart your web container to pick up the config and settings changes * make a request to `/api/v1/users/self/pandata_events_token` and include the access token in the `Authorization: Bearer <token>` header, and include `app_key=CANVAS` in the params * the request should succeed and include an auth_token JWT and an expires_at * across multiple request to that endpoint, the exp from the JWT and expires_at should always change, and should always match each other Change-Id: I4cc215f6ddc64577815098eadf640d1df9ec6b55 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/338903 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Paul Gray <paul.gray@instructure.com> Reviewed-by: Ryan Hawkins <ryan.hawkins@instructure.com> QA-Review: Paul Gray <paul.gray@instructure.com> Product-Review: Xander Moffatt <xmoffatt@instructure.com>	2024-01-26 22:21:57 +00:00
..
credential_service.rb	fix: stop caching non-canvas PandataEvents tokens	2024-01-26 22:21:57 +00:00
errors.rb	…

Xander Moffatt 218ae2f239 fix: stop caching non-canvas PandataEvents tokens

why:
* Canvas mobile apps request a PandataEvents token for use on
their end
* with the introduction of PandataEvents sending for Canvas, this
code was refactored, which included caching tokens for Canvas's use
* caching auth tokens here means that the cached token expires in less than a day, but the expires_at passed in the response is always 1 day from now
* if the mobile apps rely on expires_at to say "this token is valid
until X", then they will be using expired tokens

refs INTEROP-8391
flag=none

test plan:
* create an API-type developer key and enable it for your root account
* get a token from that key - easiest way is in the Rails console:
```
u = User.find(<your admin user>)
developer_key = DeveloperKey.last # your new key
token = u.access_tokens.create!(developer_key:)
token.full_token # copy this
```
* configure Canvas for PandataEvents by copying the config
section for `pandata/events`from config/dynamic_settings.yml.example
to config/dynamic_settings.yml, and the section for pandata_creds
from config/vault_contents.yml.example to config/vault_contents.yml
* in a Rails console:
```
Setting.set("pandata_events_token_allowed_developer_key_ids", developer_key.global_id.to_s)
Setting.set("pandata_events_token_prefixes","canvas")
```
* restart your web container to pick up the config and settings changes
* make a request to `/api/v1/users/self/pandata_events_token`
and include the access token in the `Authorization: Bearer <token>`
header, and include `app_key=CANVAS` in the params
* the request should succeed and include an auth_token JWT
and an expires_at
* across multiple request to that endpoint, the exp from the JWT
and expires_at should always change, and should always match each other

Change-Id: I4cc215f6ddc64577815098eadf640d1df9ec6b55
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/338903
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Paul Gray <paul.gray@instructure.com>
Reviewed-by: Ryan Hawkins <ryan.hawkins@instructure.com>
QA-Review: Paul Gray <paul.gray@instructure.com>
Product-Review: Xander Moffatt <xmoffatt@instructure.com>

2024-01-26 22:21:57 +00:00

credential_service.rb

fix: stop caching non-canvas PandataEvents tokens

2024-01-26 22:21:57 +00:00

errors.rb

…