MDL-80835 enrol_lti: add partitioning support to MoodleSession cookie

Adds the property that is required by Chrome to opt-in to its 3rd party cookie partitioning solution, CHIPS. This specific change deals with the cookie that is set when the user is not yet auth'd with the site and is necessary to facilitate OIDC nonce retrieval and validation.
abgreeve · Mar 21, 2024 · b293cb5 · b293cb5
1 parent a92f780
commit b293cb5
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/enrol/lti/login.php b/enrol/lti/login.php
@@ -26,6 +26,7 @@
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 
+use auth_lti\local\ltiadvantage\utility\cookie_helper;
 use enrol_lti\local\ltiadvantage\lib\lti_cookie;
 use enrol_lti\local\ltiadvantage\lib\issuer_database;
 use enrol_lti\local\ltiadvantage\lib\launch_cache_session;
@@ -76,6 +77,19 @@
     $_REQUEST['client_id'] = $_REQUEST['id'];
 }
 
+// Before beginning the OIDC authentication, ensure the MoodleSession cookie can be used. Browser-specific steps may need to be
+// taken to set cookies in 3rd party contexts. Skip the check if the user is already auth'd. This means that either cookies aren't
+// an issue in the current browser/launch context.
+if (!isloggedin()) {
+    cookie_helper::do_cookie_check(new moodle_url('/enrol/lti/login.php', [
+        'iss' => $iss,
+        'login_hint' => $loginhint,
+        'target_link_uri' => $targetlinkuri,
+        'lti_message_hint' => $ltimessagehint,
+        'client_id' => $_REQUEST['client_id'],
+    ]));
+}
+
 // Now, do the OIDC login.
 $redirecturl = LtiOidcLogin::new(
     new issuer_database(new application_registration_repository(), new deployment_repository()),