feat: adds support for x-forwarded-host

Adds `trustProxy` option to HMAC_SHA1 and Provider constructor.

It overloads the Provider constructor with the third argument being either a nonceStore or an options object (for a nonceStore, a signer and the trustProxy flag):

    new Provider(key: string, secret: string, options: NonceStore|Options, signer: Algo)

Author: dinoboff

src/hmac-sha1.coffee

@@ -40,6 +40,9 @@ _clean_request_body = (body, query) ->
 
 class HMAC_SHA1
 
+  constructor: (options) ->
+    @trustProxy = options and options.trustProxy
+
   toString: () ->
     'HMAC_SHA1'
 
@@ -52,24 +55,37 @@ class HMAC_SHA1
 
     @sign_string sig.join('&'), consumer_secret, token
 
+  host: (req) ->
+    if not @trustProxy
+      return req.headers.host
+
+    req.headers['x-forwarded-host'] or req.headers.host
+
+  protocol: (req) ->
+    xprotocol = req.headers['x-forwarded-proto']
+    if @trustProxy and xprotocol
+      return xprotocol
+
+    if req.protocol
+      return req.protocol
+
+    if req.connection.encrypted then 'https' else 'http'
+
   build_signature: (req, body, consumer_secret, token) ->
     hapiRawReq = req.raw and req.raw.req
     if hapiRawReq
       req = hapiRawReq
 
     originalUrl = req.originalUrl or req.url
-    protocol = req.protocol
+    host = @host req
+    protocol = @protocol req
 
     # Since canvas includes query parameters in the body we can omit the query string
     if body.tool_consumer_info_product_family_code == 'canvas'
       originalUrl = url.parse(originalUrl).pathname
 
-    if protocol is undefined
-      encrypted = req.connection.encrypted
-      protocol = (encrypted and 'https') or 'http'
-    
     parsedUrl  = url.parse originalUrl, true
-    hitUrl     = protocol + '://' + req.headers.host + parsedUrl.pathname
+    hitUrl     = protocol + '://' + host + parsedUrl.pathname
 
     @build_signature_raw hitUrl, parsedUrl, req.method, body, consumer_secret, token
 

src/provider.coffee

@@ -6,19 +6,25 @@ extensions        = require './extensions'
 
 
 class Provider
-  constructor: (consumer_key, consumer_secret, nonceStore, signature_method=(new HMAC_SHA1()) ) ->
+  constructor: (consumer_key, consumer_secret, optionsOrNonceStore, signature_method) ->
 
     if typeof consumer_key is 'undefined' or consumer_key is null
       throw new errors.ConsumerError 'Must specify consumer_key'
 
     if typeof consumer_secret is 'undefined' or consumer_secret is null
       throw new errors.ConsumerError 'Must specify consumer_secret'
 
-    if not nonceStore
+    if optionsOrNonceStore and optionsOrNonceStore.isNonceStore?()
+      nonceStore = optionsOrNonceStore
+      options = {
+        trustProxy: false
+      }
+    else
       nonceStore = new MemoryNonceStore()
+      options = optionsOrNonceStore or {}
 
-    if not nonceStore.isNonceStore?()
-      throw new errors.ParameterError 'Fourth argument must be a nonceStore object'
+    if not signature_method
+      signature_method = options.signer or new HMAC_SHA1(options)
 
     @consumer_key     = consumer_key
     @consumer_secret  = consumer_secret

test/Signer.coffee

@@ -2,13 +2,10 @@ should = require 'should'
 
 HMAC_SHA1 = require '../lib/hmac-sha1'
 
-
-
-signer = new HMAC_SHA1
-
 describe 'Signer', () ->
 
   it 'should include query params', (done) ->
+    signer = new HMAC_SHA1
     req =
       url: '/developers/LTI/test/v1p1/tool.php?foo=123&foo=bar'
       method: 'POST'
@@ -36,3 +33,34 @@ describe 'Signer', () ->
 
     done()
 
+  it.only 'should support x-forwarded-*', (done) ->
+    signer = new HMAC_SHA1 trustProxy: true
+    req =
+      url: '/developers/LTI/test/v1p1/tool.php?foo=123&foo=bar'
+      method: 'POST'
+      connection:
+        encrypted: true
+      headers:
+        host: 'localhost:5000'
+        'x-forwarded-host': 'www.imsglobal.org'
+        'x-forwarded-proto': 'http'
+    body =
+      resource_link_id: 'rsc1',
+      oauth_callback: 'about:blank',
+      lis_outcome_service_url: 'http://www.imsglobal.org/developers/LTI/test/v1p1/common/tool_consumer_outcome.php?b64=MTIzNDU6OjpzZWNyZXQ=',
+      lis_result_sourcedid: 'feb-123-456-2929::28883',
+      launch_presentation_return_url: 'http://www.imsglobal.org/developers/LTI/test/v1p1/lms_return.php',
+      lti_version: 'LTI-1p0',
+      lti_message_type: 'basic-lti-launch-request',
+      oauth_version: '1.0',
+      oauth_nonce: '7ee33f6dc94117e792ff529898ce3953',
+      oauth_timestamp: '1397708483',
+      oauth_consumer_key: '12345',
+      oauth_signature_method: 'HMAC-SHA1',
+      oauth_signature: 'dHORwwJqwh5hQQAlvaA9csSIOhc='
+
+    signature = signer.build_signature req, body, 'secret'
+    signature.should.equal body.oauth_signature
+
+    done()
+