Enforce valid lis_outcome_service_url

Recently, a new institution joined CodeOcean and used a relative URL. This won't work, so that we are rejecting non-absolute URLs by now.

app/controllers/concerns/lti.rb

@@ -85,6 +85,16 @@ module Lti
 
   private :require_valid_consumer_key
 
+  def require_valid_lis_outcome_service_url
+    # We want to check that any URL given is absolute, but none URL is fine, too.
+    return unless params[:lis_outcome_service_url]
+
+    url = URI.parse(params[:lis_outcome_service_url])
+    refuse_lti_launch(message: t('sessions.oauth.invalid_lis_outcome_service_url')) unless url.absolute?
+  end
+
+  private :require_valid_lis_outcome_service_url
+
   def require_valid_exercise_token
     proxy_exercise = ProxyExercise.find_by(token: params[:custom_token])
     @exercise = if proxy_exercise.nil?

app/controllers/sessions_controller.rb

@@ -4,7 +4,8 @@ class SessionsController < ApplicationController
   include Lti
 
   %i[require_oauth_parameters require_valid_consumer_key require_valid_oauth_signature require_unique_oauth_nonce
-     set_current_user require_valid_exercise_token set_study_group_membership set_embedding_options].each do |method_name|
+     require_valid_lis_outcome_service_url set_current_user require_valid_exercise_token set_study_group_membership
+     set_embedding_options].each do |method_name|
     before_action(method_name, only: :create_through_lti)
   end