Bug 28772: Make secret validation use the new method

This patch makes the Koha::OAuth library use the new validation method

To test:
1. In master, enable RESTOAuth2ClientCredentials and have a
   client_id/secret pair generated for your superlibrarian patron
2. Use Postman to gain an access token with the client_id/secret pair
=> SUCCESS: This works in Koha
3. Use the access token to GET /api/v1/patrons
=> SUCCESS: It works
4. Apply this patchset up to the regression tests
5. Run:
   $ updatedatabase
   $ koha-plack --restart kohadev
=> SUCCESS: All good
6. Repeat 2
=> FAIL: You get an error trying to acquire an access token. Boo
7. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail!
8. Apply this patch
9. Run:
   $ koha-plack --restart kohadev
   $ kshell
  k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!
10. Repeat 2
=> SUCCESS: Your original client_id/secret pair works!
11. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Tomás Cohen Arazi 2021-09-09 08:38:25 -03:00 committed by Kyle M Hall
parent a8621ed4f0
commit 07eff56a73

@ -65,7 +65,7 @@ sub _verify_client_cb {
# client_id mandatory and exists on the DB
return (0, 'unauthorized_client') unless $api_key && $api_key->active;
return (0, 'access_denied') unless $api_key->secret eq $client_secret;
return (0, 'access_denied') unless $api_key->validate_secret( $client_secret );
return (1, undef, []);
}
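
Review bot: On the `validate_secret( $client_secret )` line, nothing in the visible callback checks that `$client_secret` is defined before it is passed in, and the `unless` relies on the method returning a plain false value rather than dying. Consider returning `(0, 'access_denied')` early when the secret is missing, and confirm in t/db_dependent/api/v1/oauth.t that a wrong secret and an absent secret both yield access_denied rather than an exception. As rendered here the hunk has lost its +/- markers, so the old `$api_key->secret eq $client_secret` comparison and its replacement both appear as plain lines; the 7-to-7 line count in the header implies only the `validate_secret` line remains after applying.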