Guessing at fixes for Shibboleth issues.

There are two problems with the Shibboleth authenticaiton that I have identified in discussion with @glarose together with analyzing code and the issues posted in the forums (see https://webwork.maa.org/moodle/mod/forum/discuss.php?d=8534#p21568). The first is that the Shibboleth module overrides the WeBWorK::Authen check_session method, and does not properly initialize the database session. This causes anything that uses the database session (which includes test proctor authentication) to fail. The second is that the WeBWorK::Controller session method returns undefined in the case that cookies are disabled (which the Shibboleth authentication module does). The Mojolicious::Plugin::DefaultHelpers _validation method then calls the session method expecting it to be an object or a hash reference. I have no way to test that this fixes the issues that have been reported, and can only write code that should work. So someone with a Shibboleth identity provider will need to test this.
drgrice1 · Oct 22, 2024 · 641ed8c · 641ed8c
1 parent 6d96fda
commit 641ed8c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 11 deletions.
diff --git a/lib/WeBWorK/Authen/Shibboleth.pm b/lib/WeBWorK/Authen/Shibboleth.pm
@@ -167,20 +167,24 @@ sub check_session {
 	if ($ce->{shiboff}) {
 		return $self->SUPER::check_session(@_);
 	} else {
-		my $Key = $db->getKey($userID);    # checked
+		my $Key = $db->getKey($userID);
 		return 0 unless defined $Key;
 
-		my $keyMatches     = (defined $possibleKey and $possibleKey eq $Key->key);
-		my $timestampValid = (time <= $Key->timestamp() + $ce->{sessionTimeout});
-		if ($ce->{shibboleth}{manage_session_timeout}) {
-			# always valid to allow shib to take control of timeout
-			$timestampValid = 1;
-		}
+		my $currentTime = time;
+
+		my $keyMatches     = defined $possibleKey && $possibleKey eq $Key->key;
+		my $timestampValid = $currentTime <= $Key->timestamp() + $ce->{sessionTimeout};
+		# Allow shib to take control of timeout.
+		$timestampValid = 1 if $ce->{shibboleth}{manage_session_timeout};
 
-		if ($keyMatches and $timestampValid and $updateTimestamp) {
-			$Key->timestamp(time);
-			$db->putKey($Key);
+		if ($keyMatches && $timestampValid && $updateTimestamp) {
+			$Key->timestamp($currentTime);
+			$self->{c}->stash->{'webwork2.database_session'} = { $Key->toHash };
+			$self->{c}->stash->{'webwork2.database_session'}{session}{flash} =
+				delete $self->{c}->stash->{'webwork2.database_session'}{session}{new_flash}
+				if $self->{c}->stash->{'webwork2.database_session'}{session}{new_flash};
 		}
+
 		return (1, $keyMatches, $timestampValid);
 	}
 }

diff --git a/lib/WeBWorK/Controller.pm b/lib/WeBWorK/Controller.pm
@@ -63,7 +63,7 @@ sub param ($c, @opts) {
 # Override the Mojolicious::Controller session method to set the cookie parameters
 # from the course environment the first time it is called.
 sub session ($c, @args) {
-	return if $c->stash('disable_cookies');
+	return {} if $c->stash('disable_cookies');
 
 	# Initialize the cookie session the first time this is called.
 	unless ($c->stash->{'webwork2.cookie_session_initialized'}) {