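 /**
  * Extract all of the post data, set up data in tables, and set up session.
  *
  * Handles an incoming LTI launch end to end: maps $_POST into the keys
  * used by the database rows, starts a session whose id is derived from the
  * launch (so the same user launching the same link reuses one session),
  * loads the matching rows via loadAllData(), checks the nonce and the
  * OAuth signature, records the nonce, adjusts the rows via adjustData()
  * and copies the launch data into $_SESSION.
  *
  * Side effects: starts and clears the PHP session, emits a Content-Type
  * header, writes the lti_nonce table when $CFG->noncecheck > 0, writes
  * error_log lines, may echo error text, and terminates the request via
  * die_with_error_log() on a rejected launch.
  *
  * @return string|false|null The session id; false when this is not an LTI
  *         request; null (plain return) when extractPost() found no usable
  *         post data, after rendering lti/nopost.php.
  */
 public static function setupSession()
 {
     global $CFG, $PDOX;
     if (!LTI::isRequest()) {
         return false;
     }

     // Pull LTI data out of the incoming $_POST and map into the same
     // keys that we use in our database (i.e. like $row)
     $post = self::extractPost();
     if ($post === false) {
         $pdata = safe_var_dump($_POST);
         error_log('Missing post data: ' . $pdata);
         require 'lti/nopost.php';
         return;
     }

     // The well-known demo key is only honoured on developer installs.
     // Cast before the strict compare so an integer-typed key still matches.
     if ((string) $post['key'] === '12345' && !$CFG->DEVELOPER) {
         die_with_error_log('You can only use key 12345 in developer mode');
     }

     // We make up a Session ID Key because we don't want a new one
     // each time the same user launches the same link.
     $session_id = self::getCompositeKey($post, $CFG->sessionsalt);
     session_id($session_id);
     session_start();
     header('Content-Type: text/html; charset=utf-8');

     // Since we might reuse session IDs, clean everything out
     session_unset();
     // update last activity time stamp
     $_SESSION['LAST_ACTIVITY'] = time();

     // Read all of the data from the database with a very long
     // LEFT JOIN and get all the data we have back in the $row variable
     $row = self::loadAllData($CFG->dbprefix, $CFG->dbprefix . 'profile', $post);

     // Clock skew between the launching system and us.  A non-numeric
     // timestamp is treated as 0 (what the old "+ 0" coercion produced)
     // instead of letting PHP 8 raise a TypeError on launch-supplied input.
     $delta = 0;
     if (isset($_POST['oauth_timestamp'])) {
         $server_time = is_numeric($_POST['oauth_timestamp']) ? $_POST['oauth_timestamp'] + 0 : 0;
         $delta = abs(time() - $server_time);
         if ($delta > 480) {
             // More than eight minutes of skew is getting close to trouble
             error_log('Warning: Time skew, delta=' . $delta . ' sever_time=' . $server_time . ' our_time=' . time());
         }
     }

     // Check the nonce to make sure there is no reuse
     if (isset($row['nonce'])) {
         die_with_error_log('OAuth nonce error key=' . $post['key'] . ' nonce=' . $row['nonce']);
     }

     // Use returned data to check the OAuth signature on the
     // incoming data - returns true or an array
     $valid = LTI::verifyKeyAndSecret($post['key'], $row['secret']);

     // If there is a new_secret it means an LTI2 re-registration is in progress and we
     // need to check both the current and new secret until the re-registration is committed
     $has_new_secret = isset($row['new_secret']) && strlen((string) $row['new_secret']) > 0;
     if ($valid !== true && $has_new_secret && $row['new_secret'] !== $row['secret']) {
         $valid = LTI::verifyKeyAndSecret($post['key'], $row['new_secret']);
         // verifyKeyAndSecret returns an array on failure, which is truthy,
         // so only promote the new secret on an explicit true
         if ($valid === true) {
             $row['secret'] = $row['new_secret'];
         }
         $row['new_secret'] = null;
     }
     if ($valid !== true) {
         // NOTE(review): the verifier's diagnostic array is echoed to the
         // launcher before dying; whatever it contains is visible to them.
         print "<pre>\n";
         print_r($valid);
         print "</pre>\n";
         die_with_error_log('OAuth validation fail key=' . $post['key'] . ' delta=' . $delta . ' error=' . $valid[0]);
     }

     // Only a signed launch reaches this point; adjustData is called for
     // its side effects on the tables
     self::adjustData($CFG->dbprefix, $row, $post);

     // Record the nonce but first probabilistically check
     // (interpolated values below are $CFG settings, not launch data)
     if ($CFG->noncecheck > 0) {
         if (time() % $CFG->noncecheck === 0) {
             $PDOX->queryDie("DELETE FROM {$CFG->dbprefix}lti_nonce WHERE\n                    created_at < DATE_ADD(CURRENT_TIMESTAMP(), INTERVAL -{$CFG->noncetime} SECOND)");
         }
         $PDOX->queryDie("INSERT INTO {$CFG->dbprefix}lti_nonce\n                (key_id, nonce) VALUES ( :key_id, :nonce)", array(':nonce' => $post['nonce'], ':key_id' => $row['key_id']));
     }

     // If there is an appropriate role override variable, we use that role
     if (isset($row['role_override']) && isset($row['role']) && $row['role_override'] > $row['role']) {
         $row['role'] = $row['role_override'];
     }

     // Put the information into the row variable
     // TODO: do AES on the secret
     $_SESSION['lti'] = $row;
     $_SESSION['lti_post'] = $_POST;
     if (isset($_SERVER['HTTP_USER_AGENT'])) {
         $_SESSION['HTTP_USER_AGENT'] = $_SERVER['HTTP_USER_AGENT'];
     }
     if (isset($_SERVER['REMOTE_ADDR'])) {
         $_SESSION['REMOTE_ADDR'] = $_SERVER['REMOTE_ADDR'];
     }
     // The CSRF token must be unpredictable; uniqid() is clock-derived and
     // guessable, so draw it from the CSPRNG instead (random_bytes, PHP >= 7.0)
     $_SESSION['CSRF_TOKEN'] = bin2hex(random_bytes(16));

     // Save this to make sure the user does not wander unless we launched from the root
     $scp = getScriptPath();
     if (strlen($scp) > 0) {
         $_SESSION['script_path'] = $scp;
     }

     // Check if we can auto-login the system user
     if (Settings::linkGet('dologin', false) && isset($PDOX) && $PDOX !== false) {
         loginSecureCookie();
     }

     // Set up basic custom values (legacy)
     if (isset($_POST['custom_due'])) {
         $when = strtotime($_POST['custom_due']);
         if ($when === false) {
             echo '<p>Error, bad setting for custom_due=' . htmlentities($_POST['custom_due']) . '</p>';
             error_log('Bad custom_due=' . $_POST['custom_due']);
             flush();
         } else {
             $_SESSION['due'] = $_POST['custom_due'];
         }
     }
     if (isset($_POST['custom_timezone'])) {
         // NOTE(review): stored as sent by the launcher, unvalidated; readers
         // should treat it as untrusted (e.g. guard DateTimeZone construction)
         $_SESSION['timezone'] = $_POST['custom_timezone'];
     }

     // Numeric custom values: anything non-numeric or zero is reported as a
     // bad setting.  Testing is_numeric first avoids a PHP 8 TypeError on a
     // non-numeric string while keeping the old "treat as 0 -> error" result.
     $numeric_customs = array(
         'custom_penalty_time' => 'penalty_time',
         'custom_penalty_cost' => 'penalty_cost',
     );
     foreach ($numeric_customs as $post_key => $session_key) {
         if (!isset($_POST[$post_key])) {
             continue;
         }
         $raw = $_POST[$post_key];
         if (!is_numeric($raw) || $raw + 0 == 0) {
             echo '<p>Error, bad setting for ' . $post_key . '=' . htmlentities($raw) . '</p>';
             error_log('Bad ' . $post_key . '=' . $raw);
             flush();
         } else {
             $_SESSION[$session_key] = $raw;
         }
     }

     // Launch breadcrumb for the error log: key_id, our user_id, the
     // launcher's user_id (commas folded to ';'), session, URL, email
     $crumbs = array(
         'Launch',
         isset($row['key_id']) ? $row['key_id'] : '',
         isset($row['user_id']) ? $row['user_id'] : '',
         isset($_POST['user_id']) ? str_replace(',', ';', $_POST['user_id']) : '',
         $session_id,
         curPageURL(),
         isset($_SESSION['email']) ? $_SESSION['email'] : '',
     );
     error_log(implode(',', $crumbs));

     return $session_id;
 }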
    echo "</pre>\n";
    die;
}
require_once "sanity.php";
// Database handle.  It stays false when pdo.php cannot connect so the
// rest of the page can still render and report the problem.
$PDOX = false;
try {
    // presumably makes pdo.php throw instead of dying on connection
    // failure so the catch below sees it -- confirm in pdo.php
    define('PDO_WILL_CATCH', true);
    require_once "pdo.php";
} catch (PDOException $ex) {
    $PDOX = false;
    // sanity-db-will re-check this below
}
header('Content-Type: text/html; charset=utf-8');
session_start();
// Only attempt the cookie-based auto-login when a database is available
if ($PDOX !== false) {
    loginSecureCookie();
}
$OUTPUT->header();
$OUTPUT->bodyStart();
// Renders the database diagnostics (see the catch above)
require_once "sanity-db.php";
$OUTPUT->topNav();
?>
      <div>
<?php 
$OUTPUT->flashMessages();
if ($CFG->DEVELOPER) {
    echo '<div class="alert alert-danger" style="margin-top: 10px;">' . _m('Note: Currently this server is running in developer mode.') . "\n</div>\n";
}
?>
<p>
Hello and welcome to <b><?php