Bug 20402: Don't look at cookies if OAuth2 is attempted and has failed

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-12 14:48:58 +02:00 · 2018-04-12 14:48:58 +02:00 · 996b100f1f
commit 996b100f1f
parent ccc034195e
1 changed files with 25 additions and 16 deletions
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@ -113,27 +113,36 @@ sub authenticate_api_request {
    my $spec = $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
    my $authorization = $spec->{'x-koha-authorization'};

-    if (my $oauth = $c->oauth) {
-        my $clients = C4::Context->config('api_client');
-        $clients = [ $clients ] unless ref $clients eq 'ARRAY';
-        my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients;
+    my $authorization_header = $c->req->headers->authorization;
+    if ($authorization_header and $authorization_header =~ /^Bearer /) {
+        if (my $oauth = $c->oauth) {
+            my $clients = C4::Context->config('api_client');
+            $clients = [ $clients ] unless ref $clients eq 'ARRAY';
+            my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients;

-        my $patron = Koha::Patrons->find($client->{patron_id});
-        my $permissions = $authorization->{'permissions'};
-        # Check if the patron is authorized
-        if ( haspermission($patron->userid, $permissions)
-            or allow_owner($c, $authorization, $patron)
-            or allow_guarantor($c, $authorization, $patron) ) {
+            my $patron = Koha::Patrons->find($client->{patron_id});
+            my $permissions = $authorization->{'permissions'};
+            # Check if the patron is authorized
+            if ( haspermission($patron->userid, $permissions)
+                or allow_owner($c, $authorization, $patron)
+                or allow_guarantor($c, $authorization, $patron) ) {

-            validate_query_parameters( $c, $spec );
+                validate_query_parameters( $c, $spec );

-            # Everything is ok
-            return 1;
+                # Everything is ok
+                return 1;
+            }
+
+            Koha::Exceptions::Authorization::Unauthorized->throw(
+                error => "Authorization failure. Missing required permission(s).",
+                required_permissions => $permissions,
+            );
        }

-        Koha::Exceptions::Authorization::Unauthorized->throw(
-            error => "Authorization failure. Missing required permission(s).",
-            required_permissions => $permissions,
+        # If we have "Authorization: Bearer" header and oauth authentication
+        # failed, do not try other authentication means
+        Koha::Exceptions::Authentication::Required->throw(
+            error => 'Authentication failure.'
        );
    }