David Cook
0fe82b601b
GET svc/authentication will return a CSRF token in a response header POST svc/authentication requires a CSRF token which can be sourced from the response header of GET svc/authentication or some other place like the meta element on a HTML page Note: misc/migration_tools/koha-svc.pl is a simple script which can be used to practically evaluate svc/authentication and svc/bib Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
66 lines
2.5 KiB
Perl
Executable file
66 lines
2.5 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
|
|
# Copyright 2007 LibLime
|
|
#
|
|
# This file is part of Koha.
|
|
#
|
|
# Koha is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Koha is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Koha; if not, see <http://www.gnu.org/licenses>.
|
|
#
|
|
|
|
use Modern::Perl;
|
|
|
|
use CGI qw ( -utf8 );
|
|
use C4::Auth qw/check_api_auth get_session/;
|
|
use XML::Simple;
|
|
|
|
my $query = CGI->new;
|
|
|
|
# The authentication strategy for the biblios web
|
|
# services is as follows.
|
|
#
|
|
# 1. biblios POSTs to the authenticate API with URL-encoded
|
|
# form parameters 'userid' and 'password'. If the credentials
|
|
# belong to a valid user with the 'editcatalogue' privilege,
|
|
# a session cookie is returned and a Koha session created. Otherwise, an
|
|
# appropriate error is returned.
|
|
# 2. For subsequent calls to the biblios APIs, the user agent
|
|
# should submit the same session cookie. If the cookie is
|
|
# not supplied or does not correspond to a valid session, the API
|
|
# will redirect to this authentication API.
|
|
# 3. The session cookie should not be (directly) sent back to the user's
|
|
# web browser, but instead should be stored and submitted by biblios.
|
|
|
|
my $csrf_token;
|
|
my ( $status, $cookie, $sessionID ) = check_api_auth( $query, { editcatalogue => 'edit_catalogue' } );
|
|
if ( $status eq "ok" ) {
|
|
$csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } );
|
|
} else {
|
|
my $session = C4::Auth::get_session("");
|
|
$session->param( 'ip', $session->remote_addr() );
|
|
$session->param( 'lasttime', time() );
|
|
$session->param( 'sessiontype', 'anon' );
|
|
$session->param( 'interface', 'api' );
|
|
$session->flush();
|
|
$sessionID = $session->id();
|
|
$cookie = $query->cookie(
|
|
-name => 'CGISESSID',
|
|
-value => $sessionID,
|
|
-HttpOnly => 1,
|
|
-secure => ( C4::Context->https_enabled() ? 1 : 0 ),
|
|
-sameSite => 'Lax'
|
|
);
|
|
$csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } );
|
|
}
|
|
print $query->header( -type => 'text/xml', cookie => $cookie, -'X-CSRF_TOKEN' => $csrf_token );
|
|
print XMLout( { status => $status }, NoAttr => 1, RootName => 'response', XMLDecl => 1 );
|