In my Rails 3.1.5 application, I am using the ims-lti gem to perform third-party authentication. To perform the authentication, three things must be done:
- Check that the request signature is correct
- Check if the timestamp is too old
- Check that the nonce has not been used
The first two are done, but I am having trouble with the nonce check. Most questions I have found deal with generating nonces in Rails, not checking them.
There are several related questions that use the oauth-plugin gem to check the nonce:
- Rails oauth-plugin: multiple strategies causes duplicate nonce error
- OAuth signature verification fails

    return false unless OauthNonce.remember(nonce, timestamp)
Unfortunately, the oauth-plugin gem hasn't been updated since 2013 and is not compatible with the version of the oauth gem required by the ims-lti gem.
It does not appear that the oauth gem supports validating nonces.
Is there a canned way to check the nonce, whether in native Rails or through a gem, or am I relegated to:
- Creating a nonce table
- Checking that the nonce is not already in the table
- Storing the nonce and timestamp in the table
- Cycling the table to drop entries with an expired timestamp
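
The four steps listed in the question, sketched as an added example that is not part of the original post and is not code from the ims-lti, oauth or oauth-plugin gems. The `NonceStore` class, its `remember(consumer_key, nonce, timestamp)` signature, the 300-second window and the per-consumer-key scoping are all assumptions; an in-memory Hash guarded by a Mutex stands in for the nonce table, where a database-backed version would rely on a unique index for the same atomic check-and-insert.

```ruby
# Added example: an in-memory stand-in for the nonce table (names are hypothetical).
class NonceStore
  # max_age: seconds a timestamp may differ from server time (assumed 300 here).
  # clock:   injectable time source so expiry can be exercised without sleeping.
  def initialize(max_age: 300, clock: -> { Time.now.to_i })
    @max_age = max_age
    @clock = clock
    @seen = {} # [consumer_key, nonce] => timestamp
    @lock = Mutex.new
  end

  # Returns true the first time a fresh (consumer_key, nonce) pair is seen,
  # false for a stale or malformed timestamp, an empty nonce, or a replay.
  def remember(consumer_key, nonce, timestamp)
    ts = Integer(timestamp.to_s, 10, exception: false)
    return false if ts.nil? || nonce.to_s.empty?

    now = @clock.call
    return false if (now - ts).abs > @max_age

    # Check and insert under one lock so two concurrent requests carrying
    # the same nonce cannot both pass.
    @lock.synchronize do
      purge(now)
      key = [consumer_key.to_s, nonce.to_s]
      return false if @seen.key?(key)

      @seen[key] = ts
      true
    end
  end

  def size
    @lock.synchronize { @seen.size }
  end

  private

  # Entries older than the window can go: the timestamp check already
  # rejects any request that tries to reuse them.
  def purge(now)
    @seen.delete_if { |_key, ts| now - ts > @max_age }
  end
end
```

Nonces only need to be retained for as long as the timestamp window, which is what keeps the table small.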