Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/Koha/OAuth.pm
Tomas Cohen Arazi 3816a57abc Bug 28772: Make secret validation use the new method 
This patch makes the Koha::OAuth library use the new validation method

To test:
1. In master, enable RESTOAuth2ClientCredentials and have your
   superlibrarian patron a client_id/secret pair generated
2. Use Postman to gain an access token with the client_id/secret pair
=> SUCCESS: This works in Koha
3. Use the access token to GET /api/v1/patrons
=> SUCCESS: It works
4. Apply this patchset up to the regression tests
5. Run:
   $ updatedatabase
   $ koha-plack --restart kohadev
=> SUCCESS: All good
6. Repeat 2
=> FAIL: You get an error trying to acquire an access token. Boo
7. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail!
8. Apply this patch
9. Run:
   $ koha-plack --restart kohadev
   $ kshell
  k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!
10. Repeat 2
=> SUCCESS: Your original client_id/secret pair works!
11. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-09-30 09:19:05 +02:00

121 lines
2.7 KiB
Perl
Raw Blame History

package Koha::OAuth;
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use Koha::ApiKeys;
use Koha::OAuthAccessTokens;
=head1 NAME
Koha::OAuth - Koha library for OAuth2 callbacks
=head1 API
=head2 Class methods
=head3 config
my $config = Koha::OAuth->config;
Returns a hashref containing the callbacks Net::OAuth2::AuthorizationServer requires
=cut
sub config {
return {
verify_client_cb => \&_verify_client_cb,
store_access_token_cb => \&_store_access_token_cb,
verify_access_token_cb => \&_verify_access_token_cb
};
}
=head3 _verify_client_cb
A callback to verify if the client asking for authorization is known to the authorization server
and allowed to get authorization.
=cut
sub _verify_client_cb {
my (%args) = @_;
my ($client_id, $client_secret) = @args{ qw/ client_id client_secret / };
my $api_key;
if ($client_id) {
$api_key = Koha::ApiKeys->find( $client_id );
}
# client_id mandatory and exists on the DB
return (0, 'unauthorized_client') unless $api_key && $api_key->active;
return (0, 'access_denied') unless $api_key->validate_secret( $client_secret );
return (1, undef, []);
}
=head3 _store_access_token_cb
A callback to store the generated access tokens.
=cut
sub _store_access_token_cb {
my ( %args ) = @_;
my ( $client_id, $access_token, $expires_in )
= @args{ qw/ client_id access_token expires_in / };
my $at = Koha::OAuthAccessToken->new({
access_token => $access_token,
expires => time + $expires_in,
client_id => $client_id,
});
$at->store;
return;
}
=head3 _verify_access_token_cb
A callback to verify the access token.
=cut
sub _verify_access_token_cb {
my (%args) = @_;
my $access_token = $args{access_token};
my $at = Koha::OAuthAccessTokens->find($access_token);
if ($at) {
if ( $at->expires <= time ) {
# need to revoke the access token
$at->delete;
return (0, 'invalid_grant')
}
return $at->unblessed;
}
return (0, 'invalid_grant')
};
1;
View git blame Copy permalink