Bug 38382: Fresh connection when connexion CSRF token expires

This patch simply generates a new user agent when reauthenticating when the CSRF token
for the session has expired.

To test:
1 - Edit Koha/Token.pm, line 275
from:    { MaxAge => $params->{MaxAge} // ( CSRF_EXPIRY_HOURS * 3600 ) },
to:      { MaxAge => $params->{MaxAge} // ( CSRF_EXPIRY_HOURS ) },
2 - This will make your CSRF tokens expire after 8 seconds
3 - vim /etc/koha/sites/kohadev/connexion.cnf
4 - Set content:
    host:
    port: 8888
    koha:http://localhost:8081
    log:/var/log/koha/kohadev/connexion.log
    match:ISBN
    user:kohauser
    password:kohapass
    overlay_action:replace
    nomatch_action:create_new
    item_action:always_add
    import_mode:direct
    framework:BKS
    overlay_framework:
    debug:1
5 - Save the sample file from this bug into your kohaclone (or copy and paste into a file your koha test site can reach)
6 - On the command line:
    perl misc/bin/connexion_import_daemon.pl -c /etc/koha/sites/kohadev/connexion.cnf
7 - In another terminal:
    cat bug_33418.test  | nc -v localhost 8888
8 - Successful request
9 - Wait 10 seconds (more than 8 anyways)
10 - Repeat 7
11 - Unsuccessful request - Invalid CSRF token
12 - Ctrl+C to stop the connexion daemon
13 - Apply patch
14 - repeat 6
15 - repeat 7, success
16 - Wait more than 8 seconds
17 - repeat 7, success!
18 - repeat again until you are satisfied
19 - Sign off!

WNC amended and tidied

Signed-off-by: Brendan Lawlor <blawlor@clamsnet.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Nick Clemens 2024-11-06 20:24:48 +00:00 committed by Katrin Fischer
parent 9fe1563fa0
commit e758492d99
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834


@ -407,8 +407,10 @@ exit;
if ( $status == HTTP_UNAUTHORIZED || $status == HTTP_FORBIDDEN ) {
# Our token might have expired. Re-authenticate and post again.
$ua = _ua(); # fresh one, needs to authenticate
$self->{ua} = $ua;
$self->{csrf_token} = $self->authenticate;
$resp = $ua->post(
$resp = $ua->post(
$base_url . IMPORT_SVC_URI,
$post_body,
csrf_token => $self->{csrf_token},
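Review bot: the retry path assigns `$self->{csrf_token} = $self->authenticate;` and immediately re-posts without checking that authentication actually produced a token; if `authenticate` fails (credentials rejected, Koha unreachable), the second `$ua->post` is sent with an undefined `csrf_token` and the caller sees a second failure indistinguishable from the first. Suggest guarding the retry (for example, log and return when `$self->{csrf_token}` is not set) and, since this branch is entered on HTTP_FORBIDDEN as well as HTTP_UNAUTHORIZED, logging the first response's status and body before retrying so that a permissions problem is not silently mistaken for an expired token. The inline comment could also say why a fresh `_ua()` is needed here rather than reusing `$self->{ua}`, since that is the substance of this change.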