From 46c0419a11d56b078f1f8528e51bf1a78bd284e6 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Mon, 4 Mar 2024 04:19:38 +0000
Subject: [PATCH] Bug 34755: Backport Koha::Token change from bug 34478

This change includes the Koha::Token changes which uses Koha::Session for generating and checking CSRF tokens.

0. Apply the patch and koha-plack --restart kohadev
1. Setup Keycloak OIDC SSO according to "Testing SSO" wiki guide
2. In a regular window go to http://localhost:8080
3. In a private window go to http://localhost:8080 and click the SSO "Log in with..." button, but don't log into Keycloak
4. In the regular window, login locally, and navigate to 5-6 pages
5. In the private window, log into Keycloak
6. Note that you are redirected back to Koha and logged in successfully (no wrong_csrf_token error).

Signed-off-by: Olivier Hubert
Signed-off-by: Tomas Cohen Arazi
---
 Koha/Token.pm | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/Koha/Token.pm b/Koha/Token.pm
index c4d23aeada..2c0817a26d 100644
--- a/Koha/Token.pm
+++ b/Koha/Token.pm
@@ -57,6 +57,8 @@ use Digest::MD5 qw( md5_base64 );
 use Encode;
 use C4::Context;
 use Koha::Exceptions::Token;
+use Koha::Session;
+
 use base qw(Class::Accessor);
 use constant HMAC_SHA1_LENGTH => 20;
 use constant CSRF_EXPIRY_HOURS => 8; # 8 hours instead of 7 days..
@@ -215,11 +217,17 @@ sub decode_jwt {
 sub _add_default_csrf_params {
     my ( $params ) = @_;
     $params->{session_id} //= DEFA_SESSION_ID;
-    my $userenv = C4::Context->userenv;
-    if ( ( !$userenv ) || !$userenv->{id} ) {
-        $userenv = { id => DEFA_SESSION_USERID };
+
+    my $id;
+    my $session = Koha::Session->get_session( { sessionID => $params->{session_id} } );
+    if ($session) {
+        $id = $session->param('id');
     }
-    $params->{id} //= Encode::encode( 'UTF-8', $userenv->{id} );
+    if ( !$id ) {
+        $id = DEFA_SESSION_USERID;
+    }
+
+    $params->{id} //= Encode::encode( 'UTF-8', $id );
     $params->{id} .= '_' . $params->{session_id};
 
     my $pw = C4::Context->config('pass');
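Review bot: `Koha::Session->get_session` is now called unconditionally, even when the caller supplied no session_id and the preceding context line has just substituted the `DEFA_SESSION_ID` placeholder, so every such token costs a session-store lookup for an id that should never name a real session; a one-line guard avoids it, `my $session = $params->{session_id} eq DEFA_SESSION_ID ? undef : Koha::Session->get_session( { sessionID => $params->{session_id} } );`. The fallback to `DEFA_SESSION_USERID` is what keeps an unknown or expired id, or a session with no `id` set, from failing, and the comment explaining the intent is missing; suggest `# Bind the token to the user recorded in this session rather than the process-wide userenv, so a login in another session does not invalidate tokens issued here.` I am assuming `get_session` returns undef or a session without `id` for an unknown id rather than dying; if it can die on a malformed value (the session id presumably originates from the client), a check_csrf caller would surface an error instead of a rejected token, which is worth confirming. The rest of `_add_default_csrf_params`, including how session_id reaches it, is outside the hunk.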