Results token becomes invalid over time

Created on 28 February 2019, over 6 years ago
Updated 25 July 2025, about 2 months ago

Action set-finished.json would eventually have an invalid token value.

The issue might be related to caching of some sort, as the result of getGenericH5PIntegrationSettings does not seem to be updated for each request, but would only be re-run when caches are cleared. The result is that the security token becomes outdated after a certain number of hours.

In the case of embed, the solution seems to be to force no caching (please note the options part of the route):

h5p.content.embed:
  path: '/h5p/{id}/embed'
  defaults:
    _controller: '\Drupal\h5p\Controller\H5PEmbed::embed'
    _title: 'H5P Embed'
  requirements:
    _permission: 'access content'
    id: \d+
  options:
    no_cache: TRUE

The solutions for other pages/widgets/formatters using H5PIntegration might probably differ. The best approach would be to just disable the caching for those parameters being passed to the drupalSettings.

The code seems to be using cache busting logic for the embed page and field formatter, though that does not seem to be enough:

$response = [
  '#cache' => [
    'tags' => [
      'h5p_content:' . $id,
    ],
  ],
];

The issue is that the drupalSettings will only be invalidated along with the entity itself, yet the token has nothing to do with the entity. Setting the value to be invalidated after a certain time would only work if the time value for cached token creation time is available. The best and simplest solution might be to set the max-age to be equal to 0 and prevent caching altogether.

🐛 Bug report
Status: Active
Component: Code
Created by: 🇪🇪 Estonia pjotr.savitski

Comments & Activities

  • 🇺🇸 United States illeace

    If I'm reading the H5P core library's validToken() function (vendor/h5p/h5p-core/h5p.classes.php line 3351) correctly, whenever a token is generated, it is going to be valid for at least 12 hours and up to 24 hours. Rather than disabling caching completely, what if the max-age was set to 12 hours?

  • 🇺🇸 United States illeace

    OK, as @pjotr.savitski suggests, I've created an issue fork that sets the max age to align with the token expiration time. This ensures that the Drupal cache never serves an H5P with an already-expired token. This is ready to be tested, but a bit time-consuming since it involves waiting for 12 hours for the cache to expire.
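
Added example, not part of the issue thread or the H5P module's code: a simplified model of the 12-hour token window described in the comments above, showing why a page cached with no max-age eventually serves a rejected token and why a 12-hour max-age does not. The hash, secret, action name and helper names are constructed stand-ins, and the two-window acceptance rule is an assumption taken from the 12 to 24 hour validity stated above.

```php
<?php
// Added illustration. Assumption: a token is bound to a 12-hour window number
// and is accepted during its own window and the following one.
const WINDOW = 43200; // 12 hours in seconds

function time_factor(int $now): int {
  return (int) ceil($now / WINDOW);
}

function make_token(string $action, int $factor, string $secret): string {
  // HMAC-SHA256 is a stand-in here, not the hash H5P uses.
  return substr(hash_hmac('sha256', $action . $factor, $secret), 0, 13);
}

function valid_token(string $action, string $token, string $secret, int $now): bool {
  $f = time_factor($now);
  return hash_equals(make_token($action, $f, $secret), $token)
    || hash_equals(make_token($action, $f - 1, $secret), $token);
}

// For each cache age in hours, report whether the token embedded in the
// served page is accepted. $max_age NULL models "cached until invalidated".
function served_token_ok(int $rendered_at, ?int $max_age, array $hours): array {
  $secret = 'constructed-session-secret';
  $action = 'finished'; // constructed action name
  $cached = make_token($action, time_factor($rendered_at), $secret);
  $result = [];
  foreach ($hours as $h) {
    $now = $rendered_at + $h * 3600;
    // Once max-age has passed, the page is rebuilt with a fresh token.
    $rebuilt = $max_age !== NULL && $h * 3600 >= $max_age;
    $token = $rebuilt ? make_token($action, time_factor($now), $secret) : $cached;
    $result[$h] = valid_token($action, $token, $secret, $now);
  }
  return $result;
}

// Worst case: the page is rendered one second before a window boundary.
$rendered_at = 100 * WINDOW - 1;
foreach (['none' => NULL, '12h' => WINDOW] as $label => $max_age) {
  foreach (served_token_ok($rendered_at, $max_age, [1, 11, 13, 25]) as $h => $ok) {
    printf("max-age %-4s page age %2dh token %s\n", $label, $h, $ok ? 'accepted' : 'rejected');
  }
}
```

In this worst case the token cached with no max-age is rejected at the 13-hour and 25-hour marks, while with a 12-hour max-age every served token is accepted.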

  • 🇺🇸 United States illeace

    To help simplify testing a bit, here's the test I've been using:

    1. Make sure Drupal's caching is enabled
    2. Create a Question Set H5P, or any other interactive that has a "Finish" button to submit results.
    3. Clear the Drupal cache.
    4. Make sure you are a logged in user and load a page that displays that H5P (it could be the normal node page or the embed URL). Start a timer as soon as the page loads.
    5. Open your browser's network inspector, set it to filter for "set-finished.json" to exclude any network activity aside from that callback URL, which is where your H5P "finished" data gets posted to.
    6. Complete the H5P and click the Finish button. You should see an item appear in the network inspector.
    7. Click that network item and ensure the response is JSON data with contents of {"success":true}
    8. Now the boring part ... wait 12 hours and reload the page.
    9. Repeat the steps above to ensure the "set-finished.json" response is still {"success":true}
  • Tested, new token expiry works as expected. Marking RTBC.

  • First commit to issue fork.
  • 🇺🇸 United States sim_1

    Merged and marking as fixed.
