-
Bug
-
Resolution: Unresolved
-
Minor
-
None
-
3.9.17, 4.0.4
-
MOODLE_39_STABLE, MOODLE_400_STABLE
There appears to be a few cases where Firebase/JWT::parseKeySet in `mod/lti/locallib.php:lti_varify_with_keyset` will cause moodle to return a giant HTML with the exception, rather than a JSON error message. The HTML file it returns presents the following error:
Exception - Argument 1 passed to Firebase\JWT\JWK::parseKeySet() must be of the type array, null given, called in [dirroot]/mod/lti/locallib.php on line 1372
I believe that this refers to this line: https://github.com/moodle/moodle/blob/ac9e395ed6661fa76ba7e1d6a77e47631e88a9ca/mod/lti/locallib.php#L1372
I am hosting a bitnami dockerised setup for testing (docker-compose.yml attached). For my locally hosted version (version: 2022041901.00), I am able to trigger this problem by providing an "exp" over 3 minutes in the past - see fudge-token-issue.py attached.
I see two problems here:
1. It is returning a giant HTML instead of an error message. (In contrast to what appears to be the intent: https://github.com/moodle/moodle/blob/ac9e395ed6661fa76ba7e1d6a77e47631e88a9ca/mod/lti/token.php#L70)
2. The error message doesn't provide any useful information. The problem is with the "exp" key, not the keyset.
What should it do?
It should return a simple json with an error message like "Tool has no keyset".
What else does it affect?
If the tool or platform are misconfigured such that the platform cannot obtain the keyset for the tool, this route should, again, return a simple json with an error that explains this, not a HTML document.