ToolProvider.consumer_secret is not set in some cases which prevents the signing of outcome requests' XML
rghostin opened this issue · comments
In some cases, the ToolProvider.consumer_secret is not set. This prevents the signing of outcome requests' XML.
Code snippets below help reproduce the events.
- In a launch view:
def lti_launch(request):
if request.method == "POST":
tool_provider = DjangoToolProvider.from_django_request(request=request)
# tool_provider.consumer_key was set from the oauth_consumer_key post parameter; consumer_secret is still None
oauth_validator = SigOnlyRequestValidator()
is_valid_oauth = tool_provider.is_valid_request(oauth_validator)
[...]
- In the method
ToolProvider.is_valid_request:
validator = ProxyValidator(validator)
valid, request = endpoint.validate_request([...])
# At this point the proxy contains the secret in validator.secret, though the tool_provider.consumer_secret is still None
if valid and not self.consumer_key and not self.consumer_secret: # ! Potentially faulty line ! Condition is False, so tool_provider.consumer_secret stays to None
self.consumer_key = self.launch_params['oauth_consumer_key']
self.consumer_secret = validator.secret
return valid
- Problems arise later on during the usage of the
ToolProviderinstance:
tool_provider.post_replace_result(score=1) # unable to sign the request since consumer_secret is None (OutcomeRequest.has_required_attributes returns False)
Solution:
In the method ToolProvider.is_valid_request, the condition should be formulated as:
if valid:
# Gather the key and secret
if not self.consumer_key:
self.consumer_key = self.launch_params['oauth_consumer_key']
if not self.consumer_secret:
self.consumer_secret = validator.secret
Edit: A pull request has been made.