Commit 20d6180d authored by Brian Palmer

enforce nonce and timestamp in lti outcome requests

This uses redis to store the nonces as locks that expire after 90
minutes. Timestamps are epoch UTC values, as per the oauth spec.

testplan: send oauth requests to the api endpoint with the same nonce
more than once, or with a too-old timestamp

refs #5892

Change-Id: Id6130c2a07e206dad716673aa6adbe9d36565a7c
Reviewed-on: https://gerrit.instructure.com/6683


Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Brian Whitmer <brian@instructure.com>
parent a67b9af9
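
The check the commit message describes, sketched as an added example (not code from this commit or project): a nonce is claimed as a lock that expires after 90 minutes, and the timestamp window is kept strictly inside that lifetime so an accepted timestamp can never outlive its nonce. `MemoryNonceStore`, `ReplayGuard`, the key layout, and the 5-minute clock-skew allowance are assumptions; the in-memory store stands in for Redis so the block runs offline.

```ruby
# Added example, not the commit's code. MemoryNonceStore stands in for Redis
# (redis-rb: set(key, 1, nx: true, ex: ttl)); all names here are hypothetical.
NONCE_TTL = 90 * 60            # seconds; the 90-minute expiry from the commit message
SKEW      = 5 * 60             # assumed tolerance for sender clocks running ahead
MAX_AGE   = NONCE_TTL - SKEW   # assumed: age at which a timestamp is too old

class MemoryNonceStore
  def initialize
    @expires_at = {}
  end

  # Claim key for ttl seconds; true only for the first claimant (like SET NX EX).
  def set_if_absent(key, ttl, now)
    @expires_at.delete_if { |_, exp| exp <= now } # emulate key expiry
    return false if @expires_at.key?(key)
    @expires_at[key] = now + ttl
    true
  end
end

class ReplayGuard
  def initialize(store)
    @store = store
  end

  # Returns :ok, :bad_timestamp, :missing_nonce or :replayed_nonce.
  def check(consumer_key, nonce, timestamp, now = Time.now.to_i)
    ts = Integer(timestamp.to_s, 10) rescue nil # epoch seconds, UTC
    return :bad_timestamp if ts.nil?
    age = now - ts
    # Accepted timestamps satisfy -SKEW <= age < MAX_AGE, so any replay that
    # passes this check arrives before the nonce lock expires (MAX_AGE + SKEW = TTL).
    return :bad_timestamp if age >= MAX_AGE || age < -SKEW
    return :missing_nonce if nonce.to_s.empty?
    key = "lti_nonce:#{consumer_key}:#{nonce}" # assumed key layout
    @store.set_if_absent(key, NONCE_TTL, now) ? :ok : :replayed_nonce
  end
end
```

If the timestamp window were as long as the nonce lifetime and future-dated timestamps were tolerated, a captured request could be replayed after its nonce lock had expired but while its timestamp was still accepted.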