1 package Koha::REST::V1::Auth;
3 # Copyright Koha-Suomi Oy 2017
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it under the
8 # terms of the GNU General Public License as published by the Free Software
9 # Foundation; either version 3 of the License, or (at your option) any later
12 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
13 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
14 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License along
17 # with Koha; if not, write to the Free Software Foundation, Inc.,
18 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 use Mojo::Base 'Mojolicious::Controller';
24 use C4::Auth qw( check_cookie_auth checkpw_internal get_session haspermission );
28 use Koha::Account::Lines;
32 use Koha::OAuthAccessTokens;
33 use Koha::Old::Checkouts;
37 use Koha::Exceptions::Authentication;
38 use Koha::Exceptions::Authorization;
41 use Module::Load::Conditional;
42 use Scalar::Util qw( blessed );
53 This subroutine is called before every request to API.
58 my $c = shift->openapi->valid_input or return;;
65 my $namespace = $c->req->url->to_abs->path->[2];
67 if ( $namespace eq 'public'
68 and !C4::Context->preference('RESTPublicAPI') )
70 Koha::Exceptions::Authorization->throw(
71 "Configuration prevents the usage of this endpoint by unprivileged users");
74 if ( $c->req->url->to_string eq '/api/v1/oauth/token' ) {
75 # Requesting a token shouldn't go through the API authenticaction chain
79 $status = authenticate_api_request($c);
83 unless (blessed($_)) {
86 json => { error => 'Something went wrong, check the logs.' }
89 if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
90 return $c->render(status => 503, json => { error => $_->error });
92 elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
93 return $c->render(status => 401, json => { error => $_->error });
95 elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
96 return $c->render(status => 401, json => { error => $_->error });
98 elsif ($_->isa('Koha::Exceptions::Authentication')) {
99 return $c->render(status => 401, json => { error => $_->error });
101 elsif ($_->isa('Koha::Exceptions::BadParameter')) {
102 return $c->render(status => 400, json => $_->error );
104 elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
105 return $c->render(status => 403, json => {
107 required_permissions => $_->required_permissions,
110 elsif ($_->isa('Koha::Exceptions::Authorization')) {
111 return $c->render(status => 403, json => { error => $_->error });
113 elsif ($_->isa('Koha::Exceptions')) {
114 return $c->render(status => 500, json => { error => $_->error });
119 json => { error => 'Something went wrong, check the logs.' }
127 =head3 authenticate_api_request
129 Validates authentication and allows access if authorization is not required or
130 if authorization is required and user has required permissions to access.
134 sub authenticate_api_request {
139 my $spec = $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
140 my $authorization = $spec->{'x-koha-authorization'};
142 my $authorization_header = $c->req->headers->authorization;
144 if ($authorization_header and $authorization_header =~ /^Bearer /) {
145 # attempt to use OAuth2 authentication
146 if ( ! Module::Load::Conditional::can_load(
147 modules => {'Net::OAuth2::AuthorizationServer' => undef} )) {
148 Koha::Exceptions::Authorization::Unauthorized->throw(
149 error => 'Authentication failure.'
153 require Net::OAuth2::AuthorizationServer;
156 my $server = Net::OAuth2::AuthorizationServer->new;
157 my $grant = $server->client_credentials_grant(Koha::OAuth::config);
158 my ($type, $token) = split / /, $authorization_header;
159 my ($valid_token, $error) = $grant->verify_access_token(
160 access_token => $token,
164 my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
165 $user = Koha::Patrons->find($patron_id);
166 C4::Context->interface('api');
169 # If we have "Authorization: Bearer" header and oauth authentication
170 # failed, do not try other authentication means
171 Koha::Exceptions::Authentication::Required->throw(
172 error => 'Authentication failure.'
176 elsif ( $authorization_header and $authorization_header =~ /^Basic / ) {
177 unless ( C4::Context->preference('RESTBasicAuth') ) {
178 Koha::Exceptions::Authentication::Required->throw(
179 error => 'Basic authentication disabled'
182 $user = $c->_basic_auth( $authorization_header );
183 C4::Context->interface('api');
185 # If we have "Authorization: Basic" header and authentication
186 # failed, do not try other authentication means
187 Koha::Exceptions::Authentication::Required->throw(
188 error => 'Authentication failure.'
194 my $cookie = $c->cookie('CGISESSID');
196 # Mojo doesn't use %ENV the way CGI apps do
197 # Manually pass the remote_address to check_auth_cookie
198 my $remote_addr = $c->tx->remote_address;
199 my ($status, $sessionID) = check_cookie_auth(
201 { remote_addr => $remote_addr });
202 if ($status eq "ok") {
203 my $session = get_session($sessionID);
204 $user = Koha::Patrons->find($session->param('number'));
205 # $c->stash('koha.user' => $user);
207 elsif ($status eq "maintenance") {
208 Koha::Exceptions::UnderMaintenance->throw(
209 error => 'System is under maintenance.'
212 elsif ($status eq "expired" and $authorization) {
213 Koha::Exceptions::Authentication::SessionExpired->throw(
214 error => 'Session has been expired.'
217 elsif ($status eq "failed" and $authorization) {
218 Koha::Exceptions::Authentication::Required->throw(
219 error => 'Authentication failure.'
222 elsif ($authorization) {
223 Koha::Exceptions::Authentication->throw(
224 error => 'Unexpected authentication status.'
229 $c->stash('koha.user' => $user);
231 # We do not need any authorization
232 unless ($authorization) {
233 # Check the parameters
234 validate_query_parameters( $c, $spec );
238 my $permissions = $authorization->{'permissions'};
239 # Check if the user is authorized
240 if ( ( defined($permissions) and haspermission($user->userid, $permissions) )
241 or allow_owner($c, $authorization, $user)
242 or allow_guarantor($c, $authorization, $user) ) {
244 validate_query_parameters( $c, $spec );
250 Koha::Exceptions::Authorization::Unauthorized->throw(
251 error => "Authorization failure. Missing required permission(s).",
252 required_permissions => $permissions,
256 =head3 validate_query_parameters
258 Validates the query parameters against the spec.
262 sub validate_query_parameters {
263 my ( $c, $action_spec ) = @_;
265 # Check for malformed query parameters
267 my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
268 my $existing_params = $c->req->query_params->to_hash;
269 for my $param ( keys %{$existing_params} ) {
270 push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
273 Koha::Exceptions::BadParameter->throw(
281 Allows access to object for its owner.
283 There are endpoints that should allow access for the object owner even if they
284 do not have the required permission, e.g. access an own reserve. This can be
285 achieved by defining the operation as follows:
287 "/holds/{reserve_id}": {
290 "x-koha-authorization": {
302 my ($c, $authorization, $user) = @_;
304 return unless $authorization->{'allow-owner'};
306 return check_object_ownership($c, $user) if $user and $c;
309 =head3 allow_guarantor
311 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
316 sub allow_guarantor {
317 my ($c, $authorization, $user) = @_;
319 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
323 my $guarantees = $user->guarantees->as_list;
324 foreach my $guarantee (@{$guarantees}) {
325 return 1 if check_object_ownership($c, $guarantee);
329 =head3 check_object_ownership
331 Determines ownership of an object from request parameters.
333 As introducing an endpoint that allows access for object's owner; if the
334 parameter that will be used to determine ownership is not already inside
335 $parameters, add a new subroutine that checks the ownership and extend
336 $parameters to contain a key with parameter_name and a value of a subref to
337 the subroutine that you created.
341 sub check_object_ownership {
344 return if not $c or not $user;
347 accountlines_id => \&_object_ownership_by_accountlines_id,
348 borrowernumber => \&_object_ownership_by_patron_id,
349 patron_id => \&_object_ownership_by_patron_id,
350 checkout_id => \&_object_ownership_by_checkout_id,
351 reserve_id => \&_object_ownership_by_reserve_id,
354 foreach my $param ( keys %{ $parameters } ) {
355 my $check_ownership = $parameters->{$param};
356 if ($c->stash($param)) {
357 return &$check_ownership($c, $user, $c->stash($param));
359 elsif ($c->param($param)) {
360 return &$check_ownership($c, $user, $c->param($param));
362 elsif ($c->match->stack->[-1]->{$param}) {
363 return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
365 elsif ($c->req->json && $c->req->json->{$param}) {
366 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
371 =head3 _object_ownership_by_accountlines_id
373 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
378 sub _object_ownership_by_accountlines_id {
379 my ($c, $user, $accountlines_id) = @_;
381 my $accountline = Koha::Account::Lines->find($accountlines_id);
382 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
385 =head3 _object_ownership_by_borrowernumber
387 Compares C<$borrowernumber> to currently logged in C<$user>.
391 sub _object_ownership_by_patron_id {
392 my ($c, $user, $patron_id) = @_;
394 return $user->borrowernumber == $patron_id;
397 =head3 _object_ownership_by_checkout_id
399 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
400 compare its borrowernumber to currently logged in C<$user>. However, if an issue
401 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
402 borrowernumber to currently logged in C<$user>.
406 sub _object_ownership_by_checkout_id {
407 my ($c, $user, $issue_id) = @_;
409 my $issue = Koha::Checkouts->find($issue_id);
410 $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
411 return $issue && $issue->borrowernumber
412 && $user->borrowernumber == $issue->borrowernumber;
415 =head3 _object_ownership_by_reserve_id
417 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
420 TODO: Also compare against old_reserves
424 sub _object_ownership_by_reserve_id {
425 my ($c, $user, $reserve_id) = @_;
427 my $reserve = Koha::Holds->find($reserve_id);
428 return $reserve && $user->borrowernumber == $reserve->borrowernumber;
433 Internal method that performs Basic authentication.
438 my ( $c, $authorization_header ) = @_;
440 my ( $type, $credentials ) = split / /, $authorization_header;
442 unless ($credentials) {
443 Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
446 my $decoded_credentials = decode_base64( $credentials );
447 my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
449 my $dbh = C4::Context->dbh;
450 unless ( checkpw_internal($dbh, $user_id, $password ) ) {
451 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
454 return Koha::Patrons->find({ userid => $user_id });