Merge pull request #293 from openedx/mroytman/LTI-1p3-fixes

LTI 1.3 Fixes: Clickjacking Protection Preventing Launch and Incorrect Authentication Response/Launch URL

Merge pull request #293 from openedx/mroytman/LTI-1p3-fixes
cca3ba31 · Michael Roytman · GitHub · 52dfb3ea · 55cb4174 · cca3ba31
Unverified Commit cca3ba31 authored 2 years ago by Michael Roytman Committed by GitHub 2 years ago
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -15,6 +15,13 @@ Please See the [releases tab](https://github.com/edx/xblock-lti-consumer/release

 Unreleased
 ~~~~~~~~~~
+5.0.1 - 2022-10-17
+------------------
+* Fixed a bug that prevented LTI 1.3 launches from occurring in the browser due to Django's clickjacking protection.
+
+  * Added the xframe_options_exempt view decorator to launch_gate_endpoint to allow loading response in an <iframe> tags
+* Fixed a bug in the URL used for an LTI 1.3 launch; the library now sends LTI 1.3 launches to the redirect_uri provided
+  by the Tool in the authentication request, instead of the preregistered target_link_uri. 

 5.0.0 - 2022-10-12
 ------------------
@@ -23,9 +30,10 @@ BREAKING CHANGE:
 Please note that additional breaking changes will be forthcoming in future versions of this library.

 * Modified Python API methods to take Lti1p3LaunchData as a required argument
-** get_lti_1p3_launch_info
-** get_lti_1p3_launch_start_url
-** get_lti_1p3_content_url
+
+  * get_lti_1p3_launch_info
+  * get_lti_1p3_launch_start_url
+  * get_lti_1p3_content_url

 * Added an Lti1p3LaunchData data class
 * Added caching for Lti1p3LaunchData to limit data sent in request query or form parameters

--- a/lti_consumer/__init__.py
+++ b/lti_consumer/__init__.py
@@ -4,4 +4,4 @@ Runtime will load the XBlock class from here.
 from .apps import LTIConsumerApp
 from .lti_xblock import LtiConsumerXBlock

-__version__ = '5.0.0'
+__version__ = '5.0.1'
--- a/lti_consumer/plugin/views.py
+++ b/lti_consumer/plugin/views.py
@@ -10,7 +10,7 @@ from django.http import JsonResponse, Http404
 from django.db import transaction
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_http_methods
-from django.views.decorators.clickjacking import xframe_options_sameorigin
+from django.views.decorators.clickjacking import xframe_options_exempt, xframe_options_sameorigin
 from django.shortcuts import render
 from django_filters.rest_framework import DjangoFilterBackend
 from opaque_keys import InvalidKeyError
@@ -138,6 +138,7 @@ def public_keyset_endpoint(request, usage_id=None, lti_config_id=None):


 @require_http_methods(["GET", "POST"])
+@xframe_options_exempt
 def launch_gate_endpoint(request, suffix=None):  # pylint: disable=unused-argument
    """
    Gate endpoint that triggers LTI launch endpoint XBlock handler
@@ -232,7 +233,7 @@ def launch_gate_endpoint(request, suffix=None):  # pylint: disable=unused-argume
        preflight_response = request_params.dict()

        # Set LTI Launch URL.
-        context.update({'launch_url': lti_consumer.launch_url})
+        context.update({'launch_url': preflight_response.get("redirect_uri")})

        # Modify LTI Launch URL depending on launch type.
        # Deep Linking Launch - Configuration flow launched by