Open dinoboff opened 7 years ago
Best workaround I found was from @FeynmanDNA https://github.com/NUS-ALSET/firebase-lti/blob/master/functions/lib/server.js
The important details are extracted here:
```js
//line 7
const _HmacSha1 = require('@dinoboff/ims-lti/lib/hmac-sha1');

//line 54
class HmacSha1 extends _HmacSha1 {
  protocol(req) {
    if (req.headers['x-appengine-https'] === 'on') {
      return 'https';
    }
    return super.protocol(req);
  }
}

//line 108
const provider = new lti.Provider(key, secret, {
  // Firebase functions is accessed via a reverse proxy. The lti signature
  // validation needs to use the original hostname and not the functions
  // server one.
  signer: new HmacSha1({trustProxy: true}),
  // Save nonces in datastore and ensure the request oauth1 nonce cannot be
  // used twice.
  nonceStore: database.nonceStore(key)
});
```
AFAIK, `ims-lti` relies on `req` values being `x-forwarded-*` aware; with `express` it involves setting 'trust proxy' to a truthy value.

It works for https proxy but it won't affect the host value. Although, `express` will set `req.hostname` but it doesn't include the port. `ims-lti` uses `req.headers.host` to sign the request.

If `ims-lti` has to use header values, there should be the option to look up `x-forwarded-*` values instead.