Tags: meteor, iron-router, lti

Meteor LTI Auth, data from Iron Router server route to client?


I am working on an LTI Tool Provider. I have implemented an LTI auth package and am successfully able to get two (..one?) legged OAuth working, aka match the signatures and we're all good to redirect, except for one important thing.

What I want to be able to do, is

  • If this user doesn't exist, create it and log in
  • If the user exists, log our user in

Right now I have no way of actually determining my user once I redirect to a client route.

The LTI Consumer points to my Iron Router server route that looks something like:

Router.route('/lti', { where: 'server' }).post(function() {
    // Iron Router exposes this.request / this.response on the route function;
    // keep a reference because `this` is not preserved inside the callback.
    var self = this;
    // `provider` is the LTI Tool Provider instance created elsewhere.
    provider.valid_request(self.request, function(error, valid) {
        if (valid) {
            self.response.writeHead(302, { Location: '/' });
        } else {
            self.response.writeHead(403);
        }
        // End the response only after validation has completed.
        self.response.end();
    });
});

Are there any packages I can use to get this working simply? Can I use something like accounts-base? Do I need to implement my own logic?

Any help or direction is appreciated.

Cheers.


Solution

  • I solved this by implementing a single-use authentication token system, handled by a custom login handler using accounts-base and the Accounts.registerLoginHandler method.

    Rough auth flow overview:

    LTI Route (server)

    1. If authenticated, create a new account/update the old one
    2. Insert a token + timestamp object into a collection.
    3. Redirect to an authentication route, passing our token as a parameter

    Auth route (client)

    1. Check if our user is logged in. If so, redirect to our home route
      • If a token has been provided and it exists, mark it used. As we have no way of checking for a user in a server route, if a user has a session, closes it and opens the link through the LMS again, we need to deal with our excess tokens.
    2. If our user is not logged in, check for a token. If it exists, pass it to a custom authentication via Accounts.callLoginMethod
    3. Our custom login handler validates our token. If legitimate, consume the token and log the user in.

    My code is messy, but when I refactor I'll probably open source it as a Meteor package.