It was found that the LTI validation process mixes checking and validating methods.
This PR clarifies the LTI validation process and removes redundant methods.
All client_key validation is moved to the validate_client_key method.
The method check_client_key was removed as redundant.
In validate_timestamp_and_nonce, a timestamp check is added: the timestamp cannot be less than the previous request's timestamp received from the same LTI consumer. A nonce check is also added: a nonce cannot be duplicated.
The timestamp and nonce are stored in the cache with the TIMEOUT option, which is set to 10 seconds by default; that is sufficient to prevent replay attacks through LTI.
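The check described in the PR, written out as an added example (this is not the project's code and not the validator the PR itself changes): per-consumer timestamp monotonicity, single-use nonces, and a TTL cache standing in for a Django-style `cache.get`/`cache.set` with a timeout. The names `TTLCache`, `LTIRequestValidator`, `MAX_SKEW` and the cache key format are assumptions for the illustration. Two design points the example makes explicit: the nonce is scoped to the client_key so two consumers may legitimately send the same nonce, and the cache TIMEOUT is kept at least twice the accepted clock skew, since a replay that arrives while the original timestamp is still inside the skew window must find the nonce still in the cache.

```python
"""Replay protection for LTI (OAuth 1.0a) launches.

Added illustration, not the project's code. The cache is an in-memory
stand-in for a Django-style cache (get/set with a timeout); TIMEOUT,
MAX_SKEW, the class names and the key layout are assumptions.
"""
import time

TIMEOUT = 10   # seconds an entry lives in the cache (assumed default)
MAX_SKEW = 5   # accepted consumer/provider clock drift; TIMEOUT >= 2 * MAX_SKEW


class TTLCache:
    """Minimal get/set cache with per-key expiry (stand-in for django.core.cache)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._data = {}

    def get(self, key, default=None):
        item = self._data.get(key)
        if item is None:
            return default
        value, expires_at = item
        if self._clock() > expires_at:   # entry valid through expires_at
            del self._data[key]
            return default
        return value

    def set(self, key, value, timeout):
        self._data[key] = (value, self._clock() + timeout)


class LTIRequestValidator:
    def __init__(self, cache, clock=time.time, timeout=TIMEOUT, max_skew=MAX_SKEW):
        self.cache = cache
        self.clock = clock
        self.timeout = timeout
        self.max_skew = max_skew

    def validate_timestamp_and_nonce(self, client_key, timestamp, nonce):
        """Return True only if (timestamp, nonce) is fresh for this consumer.

        Rejects non-integer timestamps, timestamps outside the skew window,
        timestamps older than the last one seen from the same client_key,
        and nonces already used by that client_key within the cache lifetime.
        Nothing is written to the cache unless every check passes.
        """
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return False
        now = int(self.clock())
        if abs(now - ts) > self.max_skew:
            return False

        ts_key = 'lti:ts:%s' % client_key
        last_ts = self.cache.get(ts_key)
        if last_ts is not None and ts < last_ts:
            return False

        nonce_key = 'lti:nonce:%s:%s' % (client_key, nonce)   # scoped per consumer
        if self.cache.get(nonce_key) is not None:
            return False

        self.cache.set(ts_key, ts, self.timeout)
        self.cache.set(nonce_key, True, self.timeout)
        return True


if __name__ == '__main__':
    # Constructed demo with a fixed clock so the run is deterministic.
    fake_clock = [1000000]
    validator = LTIRequestValidator(TTLCache(lambda: fake_clock[0]), lambda: fake_clock[0])
    print(validator.validate_timestamp_and_nonce('consumer', 1000000, 'n1'))  # fresh launch
    print(validator.validate_timestamp_and_nonce('consumer', 1000000, 'n1'))  # replayed nonce
```

The per-consumer timestamp check alone does not stop a replay of the most recent request (same timestamp is allowed), which is why the nonce check is the one that actually rejects a byte-for-byte replay; the timestamp check instead blocks older captured launches and keeps the nonce cache from growing without bound.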
Add README file with the link to documentation.