From 34263055a272a3cbd19314e798bb8c5ea645000f Mon Sep 17 00:00:00 2001 From: bfcoder Date: Mon, 21 Mar 2022 11:53:22 -0600 Subject: [PATCH] Add setting to change ttl on AccessVerifier 5 minutes sometimes just isn't enough. This makes it so it is configurable and not hard coded. Test Plan: * Add a video to a course * insert a video tag into the html of a page. ie: ```

``` * Inspect the network traffic while watching the video. * Obtain the jwt used to download the video. * Inspect that jwt and the exp should be the minutes out of what ever is set in the Setting, default 5 minutes.
---
 app/models/users/access_verifier.rb | 4 +---
 spec/controllers/files_controller_spec.rb | 2 +-
 spec/models/users/access_verifier_spec.rb | 2 +-
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/app/models/users/access_verifier.rb b/app/models/users/access_verifier.rb
index e6526a04d128a..71be5a1fb48a7 100644
--- a/app/models/users/access_verifier.rb
+++ b/app/models/users/access_verifier.rb
@@ -21,8 +21,6 @@ module Users
 module AccessVerifier
- TTL_MINUTES = 5
-
 class InvalidVerifier < RuntimeError
 end
@@ -40,7 +38,7 @@ def self.generate(claims)
 jwt_claims[:root_account_id] = root_account.global_id.to_s if root_account
 jwt_claims.merge!(claims.slice(:oauth_host, :return_url, :fallback_url))
- expires = TTL_MINUTES.minutes.from_now
+ expires = Setting.get("access_verifier.ttl_minutes", "5").to_i.minutes.from_now
 key = nil # use default key
 { sf_verifier: Canvas::Security.create_jwt(jwt_claims, expires, key, :HS512) }
 end
diff --git a/spec/controllers/files_controller_spec.rb b/spec/controllers/files_controller_spec.rb
index 2df86e3bc6ded..c1d7a568e18c5 100644
--- a/spec/controllers/files_controller_spec.rb
+++ b/spec/controllers/files_controller_spec.rb
@@ -367,7 +367,7 @@ def file_with_path(path)
 # second use after verifier expiration but before session expiration.
 # expired verifier should be ignored but session should still be extended
- Timecop.freeze((Users::AccessVerifier::TTL_MINUTES + 1).minutes.from_now) do
+ Timecop.freeze((Setting.get("access_verifier.ttl_minutes", "5").to_i + 1).minutes.from_now) do
 get "show", params: verifier.merge(id: file.id)
 end
 expect(response).to be_successful
diff --git a/spec/models/users/access_verifier_spec.rb b/spec/models/users/access_verifier_spec.rb
index 8e6a5aa1fb52b..2e38522502edd 100644 
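Review bot: `Setting.get("access_verifier.ttl_minutes", "5").to_i` in `self.generate` silently maps any non-numeric setting value to 0, so a mistyped setting makes every verifier expire at issuance, and a negative or very large value is accepted unchecked even though this value is the lifetime of the bearer JWT handed to `Canvas::Security.create_jwt`. Parse it strictly and bound it rather than trusting `to_i`. The removed `TTL_MINUTES` was also a public constant, and both updated specs now repeat the setting key and the `"5"` default literally, so a single `self.ttl_minutes` reader with the old value kept as `DEFAULT_TTL_MINUTES` would give callers and specs one source of truth. `self.generate` begins before this hunk.
```ruby
    DEFAULT_TTL_MINUTES = 5
    MAX_TTL_MINUTES = 60 # constructed upper bound; pick the value the deployment can tolerate

    # Verifier lifetime in minutes from the "access_verifier.ttl_minutes"
    # setting; falls back to DEFAULT_TTL_MINUTES when the value is not a
    # positive integer, and never exceeds MAX_TTL_MINUTES.
    def self.ttl_minutes
      raw = Setting.get("access_verifier.ttl_minutes", DEFAULT_TTL_MINUTES.to_s)
      value = Integer(raw, exception: false)
      return DEFAULT_TTL_MINUTES unless value&.positive?

      value.clamp(1, MAX_TTL_MINUTES)
    end

    # … unchanged: self.generate claims assembly …
      expires = ttl_minutes.minutes.from_now
```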
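Review bot: The replaced `Timecop.freeze` line in files_controller_spec.rb recomputes the expiry from `Setting.get("access_verifier.ttl_minutes", "5")`, duplicating the production key and default literal; if the model's default later changes, the spec keeps agreeing with whatever it resolves itself instead of proving the controller ignores a verifier that is expired at the configured ttl. Reading the ttl through one accessor on `Users::AccessVerifier`, or pinning the setting to a known value at the top of the example, keeps the expectation independent of the literal. The same duplication appears in the access_verifier_spec.rb hunk below. The enclosing `it` block starts and ends outside this hunk.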
--- a/spec/models/users/access_verifier_spec.rb
+++ b/spec/models/users/access_verifier_spec.rb
@@ -91,7 +91,7 @@ module Users
 it "raises InvalidVerifier if too old" do
 verifier = Users::AccessVerifier.generate(user: user)
- Timecop.freeze(10.minutes.from_now) do
+ Timecop.freeze((Setting.get("access_verifier.ttl_minutes", "5").to_i + 1).minutes.from_now) do
 expect { Users::AccessVerifier.validate(verifier) }.to raise_exception(Canvas::Security::TokenExpired)
 end
 end
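Review bot: After this change the example still only exercises the default ttl: nothing sets `access_verifier.ttl_minutes` to another value and checks that a verifier generated under it is still accepted past 5 minutes and rejected once the configured ttl has passed, so the configurability the patch adds has no automated coverage (the Test Plan is manual). Consider a second example that sets the setting to a constructed value such as `"30"`, generates a verifier, and asserts that `validate` succeeds at 10 minutes and raises `Canvas::Security::TokenExpired` at 31 minutes. The example's name still says `InvalidVerifier` while the expectation is `TokenExpired`; that mismatch is pre-existing but worth fixing while the line is being touched.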