Closed buckett closed 3 years ago
Looks okay (I'm not claiming expertise for this)
How do you test it? Just regression?
So this is just for those users who deliberately do not want cookies and we still want to do CSRF security checks for those users?
Safari (all platforms) doesn't allow cookies to be set in iframes, so at the moment all Safari users can't use our LTI tools. It's looking like other browsers will also follow in this direction. While this library could do with tests, it needs quite a bit of supporting code to make these useful. At the moment it's easiest to test when it gets built into a newer lti-auth-server release.
This adds CSRF protection to the cookieless login option. This means it's the browser that stores the state when the initial request is made and then checks it when the final request is done.
Also included in this change are better failure messaging and a little class renaming.