fix lti launches without user ID

sourcecode/apis/contentauthor/app/Http/Kernel.php

@@ -81,9 +81,10 @@ class Kernel extends HttpKernel
         'core.locale' => \App\Http\Middleware\LtiLocale::class,
         'core.behavior-settings' => \App\Http\Middleware\LtiBehaviorSettings::class,
         'signed.oauth10-request' => \App\Http\Middleware\SignedOauth10Request::class,
-        'lti.add-auth-to-session' => \App\Http\Middleware\LtiAddAuthToSession::class,
+        'lti.add-to-session' => \App\Http\Middleware\LtiAddToSession::class,
         'lti.question-set' => \App\Http\Middleware\LtiQuestionSet::class,
         'lti.qs-to-request' => \App\Http\Middleware\AddExtQuestionSetToRequestMiddleware::class,
+        'lti.signed-launch' => \App\Http\Middleware\LtiSignedLaunch::class,
         'lti.verify-auth' => \App\Http\Middleware\LtiVerifyAuth::class,
         'game-access' => GameAccess::class,
         'questionset-access' => QuestionSetAccess::class,
@@ -100,7 +101,8 @@ class Kernel extends HttpKernel
     protected $middlewarePriority = [
         \Illuminate\Session\Middleware\StartSession::class,
         \Illuminate\View\Middleware\ShareErrorsFromSession::class,
-        \App\Http\Middleware\LtiAddAuthToSession::class,
+        \App\Http\Middleware\LtiAddToSession::class,
+        \App\Http\Middleware\LtiSignedLaunch::class,
         \App\Http\Middleware\LtiVerifyAuth::class,
         \App\Http\Middleware\Authenticate::class,
         \Illuminate\Session\Middleware\AuthenticateSession::class,

sourcecode/apis/contentauthor/app/Http/Middleware/LtiAddAuthToSession.php → sourcecode/apis/contentauthor/app/Http/Middleware/LtiAddToSession.php

@@ -12,7 +12,7 @@
 /**
  * Add LTI parameters to session
  */
-class LtiAddAuthToSession
+final readonly class LtiAddToSession
 {
     public function __construct(
         private readonly H5pLti $h5pLti,
@@ -27,6 +27,7 @@ public function handle(Request $request, Closure $next): Response
         $ltiRequest = $this->h5pLti->getValidatedLtiRequest();
 
         if ($ltiRequest != null) {
+            Session::put('signedLaunch', true);
             Session::put('userId', $ltiRequest->getUserId());
 
             if ($ltiRequest->getUserId() != null) {

sourcecode/apis/contentauthor/app/Http/Middleware/LtiSignedLaunch.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
+
+/**
+ * Verify that a signed LTI launch happened.
+ */
+final readonly class LtiSignedLaunch
+{
+    /**
+     * @param (Closure(Request): Response) $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (
+            $request->session()->get('signedLaunch') ||
+            // For backwards compat.
+            // Cannot be set without a signed launch also having occurred.
+            $request->session()->get('authId')
+        ) {
+            return $next($request);
+        }
+
+        throw new UnauthorizedHttpException(
+            challenge: 'OAuth',
+            message: 'A valid LTI launch is required to have occurred',
+        );
+    }
+}

sourcecode/apis/contentauthor/app/Http/Middleware/LtiVerifyAuth.php

@@ -1,26 +1,29 @@
 <?php
 
+declare(strict_types=1);
+
 namespace App\Http\Middleware;
 
 use Closure;
 use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Session;
 use Symfony\Component\HttpFoundation\Response;
 
+use function abort;
+
 /**
  * Verify that the user is authenticated via LTI.
  */
-class LtiVerifyAuth
+final readonly class LtiVerifyAuth
 {
     /**
      * @param (Closure(Request): Response) $next
      */
     public function handle(Request $request, Closure $next): Response
     {
-        if (Session::get('authId')) {
-            return $next($request);
+        if (!$request->session()->get('authId')) {
+            abort(Response::HTTP_FORBIDDEN);
         }
 
-        return redirect('auth/login');
+        return $next($request);
     }
 }

sourcecode/apis/contentauthor/routes/admin.php

@@ -20,7 +20,7 @@
 
 Route::get('auth/login', [LoginController::class, 'showLoginForm'])->name('login');
 Route::get('sso-edlib-admin', [LoginController::class, 'ssoFromEdlibAdmin'])
-    ->middleware('lti.add-auth-to-session', 'lti.verify-auth', 'can:superadmin');
+    ->middleware('lti.add-to-session', 'lti.signed', 'lti.verify-auth', 'can:superadmin');
 Route::post('auth/login', [LoginController::class, 'login']);
 Route::post('auth/logout', [LoginController::class, 'logout'])->name('logout');
 

sourcecode/apis/contentauthor/routes/web.php

@@ -52,7 +52,7 @@
 Route::get('h5p/{h5p}/download', [H5PController::class, 'downloadContent'])->name('content-download')->middleware(['adaptermode']);
 Route::get('content/upgrade/library', [H5PController::class, 'contentUpgradeLibrary'])->name('content-upgrade-library');
 
-Route::group(['middleware' => ['core.return', 'lti.add-auth-to-session', 'lti.verify-auth', 'core.locale', 'adaptermode']], function () {
+Route::middleware(['core.return', 'lti.add-to-session', 'lti.signed-launch', 'core.locale', 'adaptermode'])->group(function () {
     Route::post('lti-content/create', [LtiContentController::class, 'create']);
     Route::post('lti-content/create/{type}', [LtiContentController::class, 'create']);
     Route::post('lti-content/{id}', [LtiContentController::class, 'show'])->middleware(['core.behavior-settings:view']);

sourcecode/apis/contentauthor/tests/Integration/Article/ArticleTest.php

@@ -300,8 +300,7 @@ public function testViewArticle()
 
     public function testMustBeLoggedInToCreateArticle()
     {
-        $_SERVER['QUERY_STRING'] = 'forTestingPurposes';
         $this->get(route('article.create'))
-            ->assertStatus(Response::HTTP_FOUND);
+            ->assertForbidden();
     }
 }