Bug 17050: Do not kick the session out when accessing the REST API

Mojolicious does not set $ENV{REMOTE_ADDR} (nor $ENV{HTTP_*}) as
it may share ENV between different requests.
Fortunately for us, Plack does not!

This is a dirty patch to fix this issue but it seems that there are not
a lot of solutions. It adds a remote_addr parameter to
C4::Auth::check_cookie_auth in order to send it from
Koha::Rest::V1::startup reading the headers sent by Mojolicious.

Test plan:
Hit /cgi-bin/koha/mainpage.pl
Hit /api/v1/patrons/42
Hit /cgi-bin/koha/mainpage.pl

With this patch applied, everything will be fine and you won't be
logged out.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This commit is contained in:
Jonathan Druart 2016-08-05 15:03:28 +00:00 committed by Kyle M Hall
parent 3315a883ed
commit b5fc3d2937
2 changed files with 6 additions and 2 deletions

@ -1614,7 +1614,9 @@ Possible return values in C<$status> are:
sub check_cookie_auth {
my $cookie = shift;
my $flagsrequired = shift;
my $params = shift;
my $remote_addr = $params->{remote_addr} || $ENV{REMOTE_ADDR};
my $dbh = C4::Context->dbh;
my $timeout = _timeout_syspref();
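Review bot: The new third argument read by `my $params = shift;` is not described anywhere in the visible lines, and callers now have to pass a placeholder for $flagsrequired to reach it. Document $params and its remote_addr key in the sub's POD, and state there that `$params->{remote_addr} || $ENV{REMOTE_ADDR}` leaves $remote_addr undefined when neither source is set.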
@ -1671,7 +1673,7 @@ sub check_cookie_auth {
$userid = undef;
$sessionID = undef;
return ("expired", undef);
} elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $ENV{'REMOTE_ADDR'} ) {
} elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $remote_addr ) {
# IP address changed
$session->delete();
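Review bot: `$ip ne $remote_addr` has no guard for an undefined $remote_addr, which the fallback at the top of the sub allows when the caller passes nothing and $ENV{REMOTE_ADDR} is unset. In that case the comparison is true for any stored $ip and the session is deleted as if the address had changed. Consider checking defined($remote_addr) before this branch and handling that case explicitly (for example by logging it), so a missing address can be told apart from a changed one.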

@ -29,7 +29,9 @@ sub startup {
cb => sub {
my $c = shift;
my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'));
# ENV{REMOTE_ADDR} is not set here, we need to read the headers
my $remote_addr = $c->req->headers->header('x-forwarded-for');
my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'), undef, { remote_addr => $remote_addr });
if ($status eq "ok") {
my $session = get_session($sessionID);
my $user = Koha::Patrons->find($session->param('number'));
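Review bot: `$c->req->headers->header('x-forwarded-for')` takes the address from a request header, which is set by the client unless a trusted reverse proxy overwrites it, so with SessionRestrictionByIP enabled the check compares the session's IP against a value the requester supplies. The header can also be absent (giving undef) or carry a comma-separated list of addresses, and neither will equal the stored IP. Suggest using `$c->tx->remote_address`, which Mojolicious takes from the connection and from X-Forwarded-For only when reverse-proxy mode is enabled, or at least documenting that the API must sit behind a proxy that sets this header.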