mahara-contributors team mailing list archive

[Kristina Hoeppner <1954958@xxxxxxxxxxxxxxxxxx>]

** Changed in: mahara
       Status: Confirmed => In Progress

** Changed in: mahara
    Milestone: None => 22.04.0

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1954958

Title:
  oauth-php not taking account of proxy setting

Status in Mahara:
  In Progress

Bug description:
  There is an issue getting LTI working between Moodle and Mahara in the
  oauth-php library as it doesn't take Mahara's sslproxy configuration
  into consideration when generating the URI for $base_string

  I'd like to propose a patch for Mahara that looks something like a change on line 92 of htdocs/webservice/rest/locallib.php 
  From this...

   $this->oauth_server = new OAuthServer();

  To this...

   // Instantiating OAuthServer() with get_full_script_path() ensures that
   // the locally generated signature will contain a URI using the correct
   // protocol if this server is behind an sslproxy.
   // Otherwise OAuthServer() determines the protocol based only on a
   // check for $_SERVER['HTTPS'] and signature verification will fail.
   $this->oauth_server = new OAuthServer(get_full_script_path());

  
  Essentially the OAuthRequest() class assumes that because the web container is not using SSL directly then the request URI should be prefixed with http:// rather than https://...

  $proto = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ?
  'https' : 'http';

  But it seems OK to instantiate OAuthServer() with a $uri to bypass
  this, so that could be done in webservice_rest_server::parse_request()
  rather than having to patch oauth-php directly, I think
  get_full_script_path() seems OK to use for this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1954958/+subscriptions