OnTrack API

July 15, 2026 ยท View on GitHub

OnTrack logo

OnTrack API

test-doubtfire-api CodeQL RuboCop

OnTrack (formerly Doubtfire) is a feedback-driven learning support system. This repository contains the Rails and Grape API used by OnTrack.

Development and deployment

Use the doubtfire-deploy repository for the supported development environment and the deployment guide. It checks out this API as a submodule and provides the database, Redis, PDF services, web app, and required configuration in one place.

When the development environment is running, the API documentation is available at http://localhost:3000/api/docs/.

Environment variables

The API supports the environment variables below. The production deployment template is maintained in doubtfire-deploy. An unset variable uses its application default where one exists; an empty value may override that default with an empty string.

Application and database

VariablePurposeDefault
RAILS_ENVRails runtime environment.development
DF_LOG_TO_STDOUTSend Rails logs to standard output.false
DF_PRODUCTION_DB_ADAPTERProduction database adapter.Deployment-specific
DF_PRODUCTION_DB_HOSTProduction database host.Deployment-specific
DF_PRODUCTION_DB_DATABASEProduction database name.Deployment-specific
DF_PRODUCTION_DB_USERNAMEProduction database username.Deployment-specific
DF_PRODUCTION_DB_PASSWORDProduction database password.Deployment-specific
DF_REDIS_CACHE_URLRedis connection used by the Rails cache.redis://localhost:6379/0
DF_REDIS_SIDEKIQ_URLRedis connection used by Sidekiq.redis://localhost:6379/1

Storage and processing

VariablePurposeDefault
DF_STUDENT_WORK_DIRDirectory containing uploaded student work.student_work
DF_ARCHIVE_DIRDirectory containing archived student work.DF_STUDENT_WORK_DIR/archive
DF_ARCHIVE_UNITSEnable automatic unit archiving.false
DF_UNIT_ARCHIVE_PERIODYears to retain units before archiving.2
DF_MAX_PDF_GEN_PROCESSESMaximum concurrent PDF-generation processes.2
DF_MAX_FILE_SIZEMaximum uploaded file size in bytes.10000000
DF_ZIP_ENTRY_LIMITMaximum number of entries in an uploaded ZIP.1000
DF_ZIP_COMPRESSION_RATIO_LIMITMaximum permitted ZIP compression ratio.100
DF_ZIP_UNCOMPRESSED_SIZE_MULTIPLIERMaximum expanded ZIP size as a multiple of DF_MAX_FILE_SIZE.10
DF_AUDITOR_UNIT_ACCESS_YEARSNumber of years of units visible to auditors.2
DF_IMPORT_STUDENTS_WEEKS_BEFPREWeeks before a teaching period that student imports are allowed.1
DF_FFMPEG_PATHPath to FFmpeg for audio processing.ffmpeg
LATEX_CONTAINER_NAMEContainer used for LaTeX PDF generation.Unset
LATEX_BUILD_PATHLaTeX build script inside that container./texlive/shell/latex_build.sh

Institution

VariablePurposeDefault
DF_INSTITUTION_NAMEInstitution display name.Institution configuration
DF_INSTITUTION_EMAIL_DOMAINInstitution email domain.Institution configuration
DF_INSTITUTION_HOSTPublic application URL.Institution configuration
DF_COOKIE_DOMAINDomain assigned to secure cookies.Derived from DF_INSTITUTION_HOST
DF_INSTITUTION_PRODUCT_NAMEProduct name shown to users.Institution configuration
DF_INSTITUTION_HAS_LOGOEnable an institution logo.false
DF_INSTITUTION_LOGO_URLInstitution logo URL./assets/images/institution-logo.png
DF_INSTITUTION_LOGO_LINK_URLDestination opened from the institution logo./
DF_INSTITUTION_PRIVACYSubmission privacy and authorship statement.Institution configuration
DF_INSTITUTION_PLAGIARISMPlagiarism and collusion statement.Institution configuration
DF_INSTITUTION_SETTINGS_RBInstitution-specific Ruby configuration file.Unset

Authentication and encryption

Rails credentials take precedence over the corresponding environment fallback for DF_SECRET_KEY_BASE, DF_SECRET_KEY_ATTR, DF_SECRET_KEY_DEVISE, DF_SECRET_KEY_AAF, DF_SECRET_KEY_MOSS, and LTI_SHARED_API_SECRET.

VariablePurposeDefault
DF_AUTH_METHODAuthentication method: database, ldap, aaf, or saml.database
DF_ACCESS_TOKEN_EXPIRY_SECONDSAccess-token lifetime in seconds.7200
DF_REFRESH_TOKEN_EXPIRY_SECONDSRefresh-token lifetime in seconds.604800
DF_SECRET_KEY_BASERails secret key base fallback.Required in production
DF_SECRET_KEY_ATTRLegacy encrypted-attribute key fallback.Required in production
DF_SECRET_KEY_DEVISEDevise secret fallback.Required in production
DF_SECRET_KEY_MOSSMOSS integration secret fallback.Unset
DF_ENCRYPTION_PRIMARY_KEYActive Record Encryption primary key.Required when encryption is used
DF_ENCRYPTION_DETERMINISTIC_KEYActive Record Encryption deterministic key.Required when encryption is used
DF_ENCRYPTION_KEY_DERIVATION_SALTActive Record Encryption derivation salt.Required when encryption is used

AAF Rapid Connect

VariablePurposeDefault
DF_AAF_ISSUER_URLAAF issuer URL.https://rapid.test.aaf.edu.au
DF_AAF_AUDIENCE_URLRegistered application URL.Required for AAF
DF_AAF_CALLBACK_URLAPI JWT callback URL.Required for AAF
DF_AAF_IDENTITY_PROVIDER_URLRegistered identity-provider URL.Required for AAF
DF_AAF_UNIQUE_URLRapid Connect authentication-request URL.Required for AAF
DF_AAF_AUTH_SIGNOUT_URLURL used after sign-out.Unset
DF_SECRET_KEY_AAFAAF shared-secret fallback.Required for AAF in production

SAML

VariablePurposeDefault
DF_SAML_METADATA_URLIdentity-provider metadata URL.Unset
DF_SAML_METADATA_FILE_PATHLocal identity-provider metadata file.Unset
DF_SAML_CONSUMER_SERVICE_URLSAML assertion consumer URL.Required for SAML
DF_SAML_SP_ENTITY_IDService-provider entity ID.Required for SAML
DF_SAML_IDP_TARGET_URLIdentity-provider login URL.Required for SAML
DF_SAML_IDP_SIGNOUT_URLIdentity-provider logout URL.Unset
DF_SAML_IDP_CERTIdentity-provider certificate when metadata is unavailable.Conditionally required
DF_SAML_IDP_SAML_NAME_IDENTIFIER_FORMATSAML NameID format.Email address

LDAP

VariablePurposeDefault
DF_LDAP_HOSTLDAP server host.Required for LDAP
DF_LDAP_PORTLDAP server port.LDAP library default
DF_LDAP_ATTRIBUTELDAP attribute used as the login identifier.Required for LDAP
DF_LDAP_BASELDAP search base.Required for LDAP
DF_LDAP_SSLEnable an encrypted LDAP connection.false
DF_LDAP_USE_ADMIN_TO_BINDBind with an administrator account before searching.false
DF_LDAP_ADMIN_USERLDAP administrator bind user.Unset
DF_LDAP_ADMIN_PWDLDAP administrator bind password.Unset

D2L

VariablePurposeDefault
D2L_ENABLEDEnable D2L integration.false
D2L_CLIENT_IDD2L OAuth client ID.Unset
D2L_CLIENT_SECRETD2L OAuth client secret.Unset
D2L_REDIRECT_URID2L OAuth callback URL ending in /api/d2l/callback.Unset
D2L_API_HOSTInstitution D2L API host.Unset
D2L_OAUTH_SITED2L authorization server.https://auth.brightspace.com
D2L_OAUTH_SITE_AUTHORIZE_URLD2L authorization path./oauth2/auth
D2L_OAUTH_SITE_TOKEN_URLD2L token path./core/connect/token

Email

VariablePurposeDefault
DF_MAIL_PERFORM_DELIVERIESEnable outgoing email delivery.Disabled
DF_MAIL_DELIVERY_METHODAction Mailer delivery method.Deployment-specific
DF_SMTP_ADDRESSSMTP server address.Unset
DF_SMTP_PORTSMTP server port.Unset
DF_SMTP_DOMAINSMTP HELO domain.Unset
DF_SMTP_USERNAMESMTP username.Unset
DF_SMTP_PASSWORDSMTP password.Unset
DF_SMTP_AUTHENTICATIONSMTP authentication method.Unset
DF_EMAIL_ERRORS_TOAddress receiving PDF-generation errors.Unset

Integrations and background services

VariablePurposeDefault
TII_ENABLEDEnable Turnitin integration.false
TII_INDEX_SUBMISSIONSIndex submissions in Turnitin.false
TII_REGISTER_WEBHOOKRegister the Turnitin webhook.false
TCA_API_KEYTurnitin Core API key.Unset
TCA_HOSTTurnitin institution host.Unset
DF_JPLAG_MIN_TOKENSMinimum matching-token threshold used by JPlag.-1
DF_JPLAG_SKIP_CLUSTER_CHECKSkip JPlag cluster calculation.false
DF_JPLAG_MAX_SHOWN_COMPARISONSMaximum comparisons retained in a JPlag report; -1 means all.2500
LTI_ENABLEDEnable LTI routes and authentication.false
LTI_SHARED_API_SECRETShared secret between the Rails and LTI APIs.Unset
MODERATION_SCORE_FACTORMultiplier applied to moderation score changes.1.0

Overseer and container access

VariablePurposeDefault
OVERSEER_ENABLEDEnable Overseer assessment services.false
OVERSEER_WORKDIR_VOLUME_MOUNTHost directory used for isolated Overseer work.Required when Overseer is enabled
OVERSEER_FALLBACK_VOLUME_CONTAINERShared-container fallback when a host mount cannot be used.Unset
OVERSEER_STUDENT_NOTIFICATION_GRACE_PERIOD_MINUTESDelay before notifying students of unread failed assessments.30
DISK_SPACE_ENDPOINT_ENABLEDExpose host storage availability to Overseer administrators.false
DOCKER_REGISTRY_URLRegistry used for Overseer images.Unset
DOCKER_PROXY_URLDocker proxy or registry login endpoint.Unset
DOCKER_USERDocker registry username.Unset
DOCKER_TOKENDocker registry access token.Unset

Error reporting

VariablePurposeDefault
SENTRY_DSNSentry project data-source name.Unset
SENTRY_ENVIRONMENTEnvironment label attached to Sentry events.Rails environment

Testing

OnTrack aims to follow a Test-Driven Development approach. New or changed models and API endpoints should be accompanied by tests that describe and verify their expected behaviour.

Run API commands inside the doubtfire-deploy Dev Container:

cd /workspace/doubtfire-api
rails test

# Running an individual test
rails test test/api/settings_test:14 # test_get_config_details

Tests are grouped under test/models, test/api, and test/helpers. Shared test helpers should be placed in test/helpers, with helper modules defined under the TestHelpers namespace. List the available maintenance and development tasks with rails --tasks.

Contributing

See CONTRIBUTING.md.

License

Licensed under the GNU Affero General Public License (AGPL) v3.