Cvmcosta / ltijs

Turn your application into a fully integratable LTI 1.3 tool provider.
https://cvmcosta.github.io/ltijs/
Apache License 2.0
296 stars 65 forks

/keys URL breaks if multiple LTIs are registered - error:1C800064:Provider routines::bad decrypt #201

Open adam-nielsen opened 1 year ago

adam-nielsen commented 1 year ago

Describe the bug
If you have two or more LTIs registered, when you access /keys on one of the LTIs, you get this error:

provider:main Error: error:1C800064:Provider routines::bad decrypt
  provider:main     at Decipheriv.final (node:internal/crypto/cipher:199:29)
  provider:main     at Database.Decrypt (node_modules/ltijs-sequelize/dist/DB.js:680:52)
  provider:main     at Database.Get (node_modules/ltijs-sequelize/dist/DB.js:523:38)
  provider:main     at processTicksAndRejections (node:internal/process/task_queues:95:5)
  provider:main     at async Function.build (node_modules/ltijs/dist/Utils/Keyset.js:14:19)
  provider:main     at async Provider.value (node_modules/ltijs/dist/Provider/Provider.js:249:26)

Expected behavior
/keys should return some JSON. It works fine with only one LTI in the database, but as soon as you add a second LTI with a different encryption key, the /keys URL fails.

Additional context
This is using ltijs-sequelize with a MySQL database.

The problem seems to be in https://github.com/Cvmcosta/ltijs/blob/master/src/Utils/Keyset.js#L11 where it retrieves all public keys for all LTIs instead of only the keys belonging to the current LTI. When it tries to decrypt the values for the other LTIs, the decryption fails, assuming each LTI you deploy is using a different key.

Cvmcosta commented 1 year ago

Hello! This error happens if you change the encryption key after registering a tool, since we'll try to decrypt with the wrong key. Can you please remove the platforms and try again? Or clean the platforms table.

adam-nielsen commented 1 year ago

Yes we cleared the platform table and registered the LTIs again and the problem returns.

If you register all the LTIs with the same key then it works, but if you register LTI 1 with key 1, and LTI 2 with key 2, then both LTIs fail when /keys is accessed.

lcundiff commented 5 months ago

For anyone else experiencing this issue: The fix for me (like @Cvmcosta stated), was clearing my platforms table in my LTI database and re-registering the LTI platform (didn't need to recreate the LTI key in Canvas though). Removing only the private and public keys affiliated to the old encryption key didn't work for me, it wasn't until I cleaned my platform tables that it worked again.

The actual problem here is different from the error message, so I would suggest that the error gets caught before calling Decrypt in the DB script. Maybe checking for copies of the same client id on the same platform? Or, even easier, could catch this issue and give some additional info, stating the encryption key does not match the encryption key registered initially?