From c3ffc84985ac8ffb43f6160affb2ff3d60f7d9ee Mon Sep 17 00:00:00 2001 From: James Carbine Date: Tue, 21 Sep 2021 17:55:49 -0600 Subject: [PATCH] Add setting to change ttl on AccessVerifier 5 minutes sometimes just isn't enough. This makes it so it is configurable and not hard coded. Test Plan: * Add a video to a course * insert a video tag into the html of a page. ie: ```

```
* Inspect the network traffic while watching the video.
* Obtain the jwt used to download the video.
* Inspect that jwt and the exp should be the minutes out of what ever is set in the Setting, default 5 minutes.
---
 app/models/users/access_verifier.rb       | 4 +---
 spec/controllers/files_controller_spec.rb | 2 +-
 spec/models/users/access_verifier_spec.rb | 2 +-
 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/app/models/users/access_verifier.rb b/app/models/users/access_verifier.rb
index 72ab7f314f4df..c815dba863f0c 100644
--- a/app/models/users/access_verifier.rb
+++ b/app/models/users/access_verifier.rb
@@ -21,8 +21,6 @@ module Users
   module AccessVerifier
-    TTL_MINUTES = 5
-
     class InvalidVerifier < RuntimeError
     end
@@ -40,7 +38,7 @@ def self.generate(claims)
       jwt_claims[:root_account_id] = root_account.global_id.to_s if root_account
       jwt_claims.merge!(claims.slice(:oauth_host, :return_url, :fallback_url))
-      expires = TTL_MINUTES.minutes.from_now
+      expires = Setting.get('access_verifier.ttl_minutes', '5').to_i.minutes.from_now
       key = nil # use default key
       { sf_verifier: Canvas::Security.create_jwt(jwt_claims, expires, key, :HS512) }
     end
diff --git a/spec/controllers/files_controller_spec.rb b/spec/controllers/files_controller_spec.rb
index cfe33084f5b05..b8a1d92374800 100644
--- a/spec/controllers/files_controller_spec.rb
+++ b/spec/controllers/files_controller_spec.rb
@@ -369,7 +369,7 @@ def file_with_path(path)
       # second use after verifier expiration but before session expiration.
       # expired verifier should be ignored but session should still be extended
-      Timecop.freeze((Users::AccessVerifier::TTL_MINUTES + 1).minutes.from_now) do
+      Timecop.freeze((Setting.get('access_verifier.ttl_minutes', '5').to_i + 1).minutes.from_now) do
         get 'show', params: verifier.merge(id: file.id)
       end
       expect(response).to be_successful
diff --git a/spec/models/users/access_verifier_spec.rb b/spec/models/users/access_verifier_spec.rb
index 814066feb0f06..03e6535f684a0 100644
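Review bot: The new `expires =` line in `generate` trusts `Setting.get(...).to_i` without bounds: a blank or non-numeric setting value becomes 0 and a negative value passes through, so every `sf_verifier` is already expired when issued and `validate` raises `TokenExpired` for all of them, while a very large value lengthens the replay window of a token that the controller spec shows being sent as a plain request parameter. Validating the value once keeps that failure mode explicit, e.g. `ttl = Setting.get('access_verifier.ttl_minutes', '5').to_i` / `ttl = 5 unless ttl.positive?` / `expires = ttl.minutes.from_now`, with a comment naming the setting and its unit. The same lookup is now repeated in spec/controllers/files_controller_spec.rb and spec/models/users/access_verifier_spec.rb; a small `self.ttl_minutes` reader on `AccessVerifier` would keep the key and the default in one place. `generate` begins before this hunk, and the removed `TTL_MINUTES` constant was public, so any reference outside the three touched files would now raise `NameError`.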
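Review bot: The files_controller_spec change reads the setting back with the same default the production code uses, so the expiry it freezes at is always the default and the new configurability is never exercised; the access_verifier_spec hunk that follows has the same shape. Setting an explicit non-default value for the example, e.g. `Setting.set('access_verifier.ttl_minutes', '2')` before the verifier is generated and freezing at `3.minutes.from_now`, would show that `generate` actually honours the setting rather than a constant. The example this `Timecop.freeze` sits in starts before the hunk.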
--- a/spec/models/users/access_verifier_spec.rb
+++ b/spec/models/users/access_verifier_spec.rb
@@ -92,7 +92,7 @@ module Users
     it "raises InvalidVerifier if too old" do
       verifier = Users::AccessVerifier.generate(user: user)
-      Timecop.freeze(10.minutes.from_now) do
+      Timecop.freeze((Setting.get('access_verifier.ttl_minutes', '5').to_i + 1).minutes.from_now) do
         expect{ Users::AccessVerifier.validate(verifier) }.to raise_exception(Canvas::Security::TokenExpired)
       end
     end