Koha/svc/authentication

#!/usr/bin/perl

# Copyright 2007 LibLime
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Koha; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#

use strict;
use warnings;

use CGI;
use C4::Auth qw/check_api_auth/;
use XML::Simple;

my $query = new CGI;

# The authentication strategy for the biblios web 
# services is as follows.
# 
# 1. biblios POSTs to the authenticate API with URL-encoded
# form parameters 'userid' and 'password'.  If the credentials
# belong to a valid user with the 'editcatalogue' privilege,
# a session cookie is returned and a Koha session created.  Otherwise, an 
# appropriate error is returned.
# 2. For subsequent calls to the biblios APIs, the user agent
# should submit the same session cookie.  If the cookie is
# not supplied or does not correspond to a valid session, the API
# will redirect to this authentication API.
# 3. The session cookie should not be (directly) sent back to the user's
# web browser, but instead should be stored and submitted by biblios.


my ($status, $cookie, $sessionID) = check_api_auth($query, { editcatalogue => 'edit_catalogue'} );

if ($status eq "ok") {
    print $query->header(-type => 'text/xml', cookie => $cookie);
} else {
    print $query->header(-type => 'text/xml');
}
print XMLout({ status => $status }, NoAttr => 1, RootName => 'response', XMLDecl => 1);