1 package Koha::REST::V1::Auth;
3 # Copyright Koha-Suomi Oy 2017
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
22 use Mojo::Base 'Mojolicious::Controller';
24 use C4::Auth qw( check_cookie_auth checkpw_internal get_session haspermission );
28 use Koha::Account::Lines;
32 use Koha::OAuthAccessTokens;
33 use Koha::Old::Checkouts;
37 use Koha::Exceptions::Authentication;
38 use Koha::Exceptions::Authorization;
41 use Module::Load::Conditional;
42 use Scalar::Util qw( blessed );
53 This subroutine is called before every request to API.
65 my $namespace = $c->req->url->to_abs->path->[2] // '';
66 my $is_public = ($namespace eq 'public') ? 1 : 0;
69 and !C4::Context->preference('RESTPublicAPI') )
71 Koha::Exceptions::Authorization->throw(
72 "Configuration prevents the usage of this endpoint by unprivileged users");
75 if ( $c->req->url->to_abs->path eq '/api/v1/oauth/token' ) {
76 # Requesting a token shouldn't go through the API authenticaction chain
79 elsif ( $namespace eq '' or $namespace eq '.html' ) {
83 $status = authenticate_api_request($c, { is_public => $is_public });
87 unless (blessed($_)) {
90 json => { error => 'Something went wrong, check the logs.' }
93 if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
94 return $c->render(status => 503, json => { error => $_->error });
96 elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
97 return $c->render(status => 401, json => { error => $_->error });
99 elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
100 return $c->render(status => 401, json => { error => $_->error });
102 elsif ($_->isa('Koha::Exceptions::Authentication')) {
103 return $c->render(status => 401, json => { error => $_->error });
105 elsif ($_->isa('Koha::Exceptions::BadParameter')) {
106 return $c->render(status => 400, json => $_->error );
108 elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
109 return $c->render(status => 403, json => {
111 required_permissions => $_->required_permissions,
114 elsif ($_->isa('Koha::Exceptions::Authorization')) {
115 return $c->render(status => 403, json => { error => $_->error });
117 elsif ($_->isa('Koha::Exceptions')) {
118 return $c->render(status => 500, json => { error => $_->error });
123 json => { error => 'Something went wrong, check the logs.' }
131 =head3 authenticate_api_request
133 Validates authentication and allows access if authorization is not required or
134 if authorization is required and user has required permissions to access.
138 sub authenticate_api_request {
139 my ( $c, $params ) = @_;
143 # The following supports retrieval of spec with Mojolicious::Plugin::OpenAPI@1.17 and later (first one)
144 # and older versions (second one).
145 # TODO: remove the latter 'openapi.op_spec' if minimum version is bumped to at least 1.17.
146 my $spec = $c->openapi->spec || $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
148 $c->stash_embed({ spec => $spec });
150 my $authorization = $spec->{'x-koha-authorization'};
152 my $authorization_header = $c->req->headers->authorization;
154 if ($authorization_header and $authorization_header =~ /^Bearer /) {
155 # attempt to use OAuth2 authentication
156 if ( ! Module::Load::Conditional::can_load(
157 modules => {'Net::OAuth2::AuthorizationServer' => undef} )) {
158 Koha::Exceptions::Authorization::Unauthorized->throw(
159 error => 'Authentication failure.'
163 require Net::OAuth2::AuthorizationServer;
166 my $server = Net::OAuth2::AuthorizationServer->new;
167 my $grant = $server->client_credentials_grant(Koha::OAuth::config);
168 my ($type, $token) = split / /, $authorization_header;
169 my ($valid_token, $error) = $grant->verify_access_token(
170 access_token => $token,
174 my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
175 $user = Koha::Patrons->find($patron_id);
176 C4::Context->interface('api');
179 # If we have "Authorization: Bearer" header and oauth authentication
180 # failed, do not try other authentication means
181 Koha::Exceptions::Authentication::Required->throw(
182 error => 'Authentication failure.'
186 elsif ( $authorization_header and $authorization_header =~ /^Basic / ) {
187 unless ( C4::Context->preference('RESTBasicAuth') ) {
188 Koha::Exceptions::Authentication::Required->throw(
189 error => 'Basic authentication disabled'
192 $user = $c->_basic_auth( $authorization_header );
193 C4::Context->interface('api');
195 # If we have "Authorization: Basic" header and authentication
196 # failed, do not try other authentication means
197 Koha::Exceptions::Authentication::Required->throw(
198 error => 'Authentication failure.'
204 my $cookie = $c->cookie('CGISESSID');
206 # Mojo doesn't use %ENV the way CGI apps do
207 # Manually pass the remote_address to check_auth_cookie
208 my $remote_addr = $c->tx->remote_address;
209 my ($status, $sessionID) = check_cookie_auth(
211 { remote_addr => $remote_addr });
212 if ($status eq "ok") {
213 my $session = get_session($sessionID);
214 $user = Koha::Patrons->find( $session->param('number') )
215 unless $session->param('sessiontype')
216 and $session->param('sessiontype') eq 'anon';
218 elsif ($status eq "maintenance") {
219 Koha::Exceptions::UnderMaintenance->throw(
220 error => 'System is under maintenance.'
223 elsif ($status eq "expired" and $authorization) {
224 Koha::Exceptions::Authentication::SessionExpired->throw(
225 error => 'Session has been expired.'
228 elsif ($status eq "failed" and $authorization) {
229 Koha::Exceptions::Authentication::Required->throw(
230 error => 'Authentication failure.'
233 elsif ($authorization) {
234 Koha::Exceptions::Authentication->throw(
235 error => 'Unexpected authentication status.'
240 $c->stash('koha.user' => $user);
242 if ( !$authorization and
243 ( $params->{is_public} and
244 ( C4::Context->preference('RESTPublicAnonymousRequests') or
246 # We do not need any authorization
247 # Check the parameters
248 validate_query_parameters( $c, $spec );
252 # We are required authorizarion, there needs
253 # to be an identified user
254 Koha::Exceptions::Authentication::Required->throw(
255 error => 'Authentication failure.' )
260 my $permissions = $authorization->{'permissions'};
261 # Check if the user is authorized
262 if ( ( defined($permissions) and haspermission($user->userid, $permissions) )
263 or allow_owner($c, $authorization, $user)
264 or allow_guarantor($c, $authorization, $user) ) {
266 validate_query_parameters( $c, $spec );
272 Koha::Exceptions::Authorization::Unauthorized->throw(
273 error => "Authorization failure. Missing required permission(s).",
274 required_permissions => $permissions,
278 =head3 validate_query_parameters
280 Validates the query parameters against the spec.
284 sub validate_query_parameters {
285 my ( $c, $action_spec ) = @_;
287 # Check for malformed query parameters
289 my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
290 my $existing_params = $c->req->query_params->to_hash;
291 for my $param ( keys %{$existing_params} ) {
292 push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
295 Koha::Exceptions::BadParameter->throw(
303 Allows access to object for its owner.
305 There are endpoints that should allow access for the object owner even if they
306 do not have the required permission, e.g. access an own reserve. This can be
307 achieved by defining the operation as follows:
309 "/holds/{reserve_id}": {
312 "x-koha-authorization": {
324 my ($c, $authorization, $user) = @_;
326 return unless $authorization->{'allow-owner'};
328 return check_object_ownership($c, $user) if $user and $c;
331 =head3 allow_guarantor
333 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
338 sub allow_guarantor {
339 my ($c, $authorization, $user) = @_;
341 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
345 my $guarantees = $user->guarantee_relationships->guarantees->as_list;
346 foreach my $guarantee (@{$guarantees}) {
347 return 1 if check_object_ownership($c, $guarantee);
351 =head3 check_object_ownership
353 Determines ownership of an object from request parameters.
355 As introducing an endpoint that allows access for object's owner; if the
356 parameter that will be used to determine ownership is not already inside
357 $parameters, add a new subroutine that checks the ownership and extend
358 $parameters to contain a key with parameter_name and a value of a subref to
359 the subroutine that you created.
363 sub check_object_ownership {
366 return if not $c or not $user;
369 accountlines_id => \&_object_ownership_by_accountlines_id,
370 borrowernumber => \&_object_ownership_by_patron_id,
371 patron_id => \&_object_ownership_by_patron_id,
372 checkout_id => \&_object_ownership_by_checkout_id,
373 reserve_id => \&_object_ownership_by_reserve_id,
376 foreach my $param ( keys %{ $parameters } ) {
377 my $check_ownership = $parameters->{$param};
378 if ($c->stash($param)) {
379 return &$check_ownership($c, $user, $c->stash($param));
381 elsif ($c->param($param)) {
382 return &$check_ownership($c, $user, $c->param($param));
384 elsif ($c->match->stack->[-1]->{$param}) {
385 return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
387 elsif ($c->req->json && $c->req->json->{$param}) {
388 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
393 =head3 _object_ownership_by_accountlines_id
395 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
400 sub _object_ownership_by_accountlines_id {
401 my ($c, $user, $accountlines_id) = @_;
403 my $accountline = Koha::Account::Lines->find($accountlines_id);
404 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
407 =head3 _object_ownership_by_borrowernumber
409 Compares C<$borrowernumber> to currently logged in C<$user>.
413 sub _object_ownership_by_patron_id {
414 my ($c, $user, $patron_id) = @_;
416 return $user->borrowernumber == $patron_id;
419 =head3 _object_ownership_by_checkout_id
421 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
422 compare its borrowernumber to currently logged in C<$user>. However, if an issue
423 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
424 borrowernumber to currently logged in C<$user>.
428 sub _object_ownership_by_checkout_id {
429 my ($c, $user, $issue_id) = @_;
431 my $issue = Koha::Checkouts->find($issue_id);
432 $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
433 return $issue && $issue->borrowernumber
434 && $user->borrowernumber == $issue->borrowernumber;
437 =head3 _object_ownership_by_reserve_id
439 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
442 TODO: Also compare against old_reserves
446 sub _object_ownership_by_reserve_id {
447 my ($c, $user, $reserve_id) = @_;
449 my $reserve = Koha::Holds->find($reserve_id);
450 return $reserve && $user->borrowernumber == $reserve->borrowernumber;
455 Internal method that performs Basic authentication.
460 my ( $c, $authorization_header ) = @_;
462 my ( $type, $credentials ) = split / /, $authorization_header;
464 unless ($credentials) {
465 Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
468 my $decoded_credentials = decode_base64( $credentials );
469 my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
471 my $dbh = C4::Context->dbh;
472 unless ( checkpw_internal($dbh, $user_id, $password ) ) {
473 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
476 return Koha::Patrons->find({ userid => $user_id });