omsmith / ims-lti

A node.js library implementing the IMS LTI tool providers' standards

Support x-forwarded-host header #67

Open dinoboff opened 7 years ago

dinoboff commented 7 years ago

AFAIK, ims-lti relies on req values being x-forwarded-* aware; with express it involves setting 'trust proxy' to a truthy value.

It works for an https proxy, but it won't affect the host value. Although express will set req.hostname, it doesn't include the port. ims-lti uses req.headers.host to sign the request.

If ims-lti has to use header values, there should be the option to look up x-forwarded-* values instead.

borrey commented 6 years ago

Best workaround I found was from @FeynmanDNA: https://github.com/NUS-ALSET/firebase-lti/blob/master/functions/lib/server.js

The important details are extracted here:

// line 7
const _HmacSha1 = require('@dinoboff/ims-lti/lib/hmac-sha1');
// line 54
class HmacSha1 extends _HmacSha1 {
  protocol(req) {
    if (req.headers['x-appengine-https'] === 'on') {
      return 'https';
    }
    return super.protocol(req);
  }
}
// line 108
const provider = new lti.Provider(key, secret, {
  // Firebase functions is accessed via a reverse proxy. The lti signature
  // validation needs to use the original hostname and not the functions
  // server one.
  signer: new HmacSha1({trustProxy: true}),
  // Save nonces in datastore and ensure the request oauth1 nonce cannot be
  // used twice.
  nonceStore: database.nonceStore(key)
});
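
Why the host and port matter in this thread, as an added example (not code from ims-lti or from either commenter): the OAuth 1.0 HMAC-SHA1 signature on an LTI launch covers the request URL, so a provider behind a reverse proxy has to rebuild the public URL, and should read X-Forwarded-* only when it trusts the proxy. All function names, the key, secret and hosts are constructed for illustration, and the RFC 5849 default-port stripping is omitted.

```javascript
const crypto = require('crypto');

// RFC 3986 percent-encoding as required by OAuth 1.0 (RFC 5849 section 3.6).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Resolve the externally visible origin. Forwarded headers are honoured only
// when trustProxy is set, because any client can send X-Forwarded-* itself.
function effectiveOrigin(req, trustProxy) {
  const h = req.headers;
  const first = (v) => String(v).split(',')[0].trim();
  const proto = trustProxy && h['x-forwarded-proto'] ? first(h['x-forwarded-proto']) : req.protocol;
  const host = trustProxy && h['x-forwarded-host'] ? first(h['x-forwarded-host']) : h.host;
  return `${proto}://${host}`.toLowerCase();
}

// OAuth 1.0 HMAC-SHA1 signature over method, URL and sorted parameters.
function sign(method, url, params, consumerSecret) {
  const normalized = Object.keys(params)
    .filter((k) => k !== 'oauth_signature')
    .map((k) => [enc(k), enc(params[k])])
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0))
    .map((p) => p.join('='))
    .join('&');
  const base = [method.toUpperCase(), enc(url), enc(normalized)].join('&');
  // Key is "consumer secret & token secret"; LTI launches have no token secret.
  return crypto.createHmac('sha1', enc(consumerSecret) + '&').update(base).digest('base64');
}

// Recompute the signature for the URL the provider believes it was called on.
function verifyLaunch(req, consumerSecret, trustProxy) {
  const url = effectiveOrigin(req, trustProxy) + req.path;
  const expected = Buffer.from(sign(req.method, url, req.body, consumerSecret));
  const given = Buffer.from(String(req.body.oauth_signature));
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// Constructed sample: the consumer signs the public URL, the proxy rewrites Host.
const SECRET = 'example-secret';
const body = { lti_message_type: 'basic-lti-launch-request', oauth_consumer_key: 'example-key',
  oauth_nonce: 'n-1', oauth_timestamp: '1500000000', oauth_signature_method: 'HMAC-SHA1' };
body.oauth_signature = sign('POST', 'https://tool.example.org:8443/launch', body, SECRET);
const proxiedReq = { method: 'POST', protocol: 'http', path: '/launch', body,
  headers: { host: '10.0.0.5:3000', 'x-forwarded-host': 'tool.example.org:8443',
    'x-forwarded-proto': 'https' } };
```

With the forwarded headers trusted, the launch verifies; with only the rewritten Host header, or with the port dropped from the forwarded host, the recomputed signature no longer matches.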