#!/usr/bin/perl # Copyright 2007 LibLime # # This file is part of Koha. # # Koha is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # Koha is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Koha; if not, see . # use Modern::Perl; use CGI qw ( -utf8 ); use C4::Auth qw/check_api_auth get_session/; use XML::Simple; my $query = CGI->new; # The authentication strategy for the biblios web # services is as follows. # # 1. biblios POSTs to the authenticate API with URL-encoded # form parameters 'userid' and 'password'. If the credentials # belong to a valid user with the 'editcatalogue' privilege, # a session cookie is returned and a Koha session created. Otherwise, an # appropriate error is returned. # 2. For subsequent calls to the biblios APIs, the user agent # should submit the same session cookie. If the cookie is # not supplied or does not correspond to a valid session, the API # will redirect to this authentication API. # 3. The session cookie should not be (directly) sent back to the user's # web browser, but instead should be stored and submitted by biblios. my $csrf_token; my ( $status, $cookie, $sessionID ) = check_api_auth( $query, { editcatalogue => 'edit_catalogue' } ); if ( $status eq "ok" ) { $csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } ); } else { my $session = C4::Auth::get_session(""); $session->param( 'ip', $session->remote_addr() ); $session->param( 'lasttime', time() ); $session->param( 'sessiontype', 'anon' ); $session->param( 'interface', 'api' ); $session->flush(); $sessionID = $session->id(); $cookie = $query->cookie( -name => 'CGISESSID', -value => $sessionID, -HttpOnly => 1, -secure => ( C4::Context->https_enabled() ? 1 : 0 ), -sameSite => 'Lax' ); $csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } ); } print $query->header( -type => 'text/xml', cookie => $cookie, -'X-CSRF_TOKEN' => $csrf_token ); print XMLout( { status => $status }, NoAttr => 1, RootName => 'response', XMLDecl => 1 );