1 package Koha::REST::V1::Auth;
3 # Copyright Koha-Suomi Oy 2017
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it under the
8 # terms of the GNU General Public License as published by the Free Software
9 # Foundation; either version 3 of the License, or (at your option) any later
12 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
13 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
14 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License along
17 # with Koha; if not, write to the Free Software Foundation, Inc.,
18 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 use Mojo::Base 'Mojolicious::Controller';
22 use C4::Auth qw( check_cookie_auth checkpw_internal get_session haspermission );
26 use Koha::Account::Lines;
30 use Koha::OAuthAccessTokens;
31 use Koha::Old::Checkouts;
35 use Koha::Exceptions::Authentication;
36 use Koha::Exceptions::Authorization;
39 use Module::Load::Conditional;
40 use Scalar::Util qw( blessed );
51 This subroutine is called before every request to API.
56 my $c = shift->openapi->valid_input or return;;
63 my $namespace = $c->req->url->to_abs->path->[2];
65 if ( $namespace eq 'public'
66 and !C4::Context->preference('RESTPublicAPI') )
68 Koha::Exceptions::Authorization->throw(
69 "Configuration prevents the usage of this endpoint by unprivileged users");
72 $status = authenticate_api_request($c);
75 unless (blessed($_)) {
78 json => { error => 'Something went wrong, check the logs.' }
81 if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
82 return $c->render(status => 503, json => { error => $_->error });
84 elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
85 return $c->render(status => 401, json => { error => $_->error });
87 elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
88 return $c->render(status => 401, json => { error => $_->error });
90 elsif ($_->isa('Koha::Exceptions::Authentication')) {
91 return $c->render(status => 401, json => { error => $_->error });
93 elsif ($_->isa('Koha::Exceptions::BadParameter')) {
94 return $c->render(status => 400, json => $_->error );
96 elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
97 return $c->render(status => 403, json => {
99 required_permissions => $_->required_permissions,
102 elsif ($_->isa('Koha::Exceptions::Authorization')) {
103 return $c->render(status => 403, json => { error => $_->error });
105 elsif ($_->isa('Koha::Exceptions')) {
106 return $c->render(status => 500, json => { error => $_->error });
111 json => { error => 'Something went wrong, check the logs.' }
119 =head3 authenticate_api_request
121 Validates authentication and allows access if authorization is not required or
122 if authorization is required and user has required permissions to access.
126 sub authenticate_api_request {
131 my $spec = $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
132 my $authorization = $spec->{'x-koha-authorization'};
134 my $authorization_header = $c->req->headers->authorization;
136 if ($authorization_header and $authorization_header =~ /^Bearer /) {
137 # attempt to use OAuth2 authentication
138 if ( ! Module::Load::Conditional::can_load(
139 modules => {'Net::OAuth2::AuthorizationServer' => undef} )) {
140 Koha::Exceptions::Authorization::Unauthorized->throw(
141 error => 'Authentication failure.'
145 require Net::OAuth2::AuthorizationServer;
148 my $server = Net::OAuth2::AuthorizationServer->new;
149 my $grant = $server->client_credentials_grant(Koha::OAuth::config);
150 my ($type, $token) = split / /, $authorization_header;
151 my ($valid_token, $error) = $grant->verify_access_token(
152 access_token => $token,
156 my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
157 $user = Koha::Patrons->find($patron_id);
160 # If we have "Authorization: Bearer" header and oauth authentication
161 # failed, do not try other authentication means
162 Koha::Exceptions::Authentication::Required->throw(
163 error => 'Authentication failure.'
167 elsif ( $authorization_header and $authorization_header =~ /^Basic / ) {
168 unless ( C4::Context->preference('RESTBasicAuth') ) {
169 Koha::Exceptions::Authentication::Required->throw(
170 error => 'Basic authentication disabled'
173 $user = $c->_basic_auth( $authorization_header );
175 # If we have "Authorization: Basic" header and authentication
176 # failed, do not try other authentication means
177 Koha::Exceptions::Authentication::Required->throw(
178 error => 'Authentication failure.'
184 my $cookie = $c->cookie('CGISESSID');
186 # Mojo doesn't use %ENV the way CGI apps do
187 # Manually pass the remote_address to check_auth_cookie
188 my $remote_addr = $c->tx->remote_address;
189 my ($status, $sessionID) = check_cookie_auth(
191 { remote_addr => $remote_addr });
192 if ($status eq "ok") {
193 my $session = get_session($sessionID);
194 $user = Koha::Patrons->find($session->param('number'));
195 # $c->stash('koha.user' => $user);
197 elsif ($status eq "maintenance") {
198 Koha::Exceptions::UnderMaintenance->throw(
199 error => 'System is under maintenance.'
202 elsif ($status eq "expired" and $authorization) {
203 Koha::Exceptions::Authentication::SessionExpired->throw(
204 error => 'Session has been expired.'
207 elsif ($status eq "failed" and $authorization) {
208 Koha::Exceptions::Authentication::Required->throw(
209 error => 'Authentication failure.'
212 elsif ($authorization) {
213 Koha::Exceptions::Authentication->throw(
214 error => 'Unexpected authentication status.'
219 $c->stash('koha.user' => $user);
221 # We do not need any authorization
222 unless ($authorization) {
223 # Check the parameters
224 validate_query_parameters( $c, $spec );
228 my $permissions = $authorization->{'permissions'};
229 # Check if the user is authorized
230 if ( haspermission($user->userid, $permissions)
231 or allow_owner($c, $authorization, $user)
232 or allow_guarantor($c, $authorization, $user) ) {
234 validate_query_parameters( $c, $spec );
240 Koha::Exceptions::Authorization::Unauthorized->throw(
241 error => "Authorization failure. Missing required permission(s).",
242 required_permissions => $permissions,
246 =head3 validate_query_parameters
248 Validates the query parameters against the spec.
252 sub validate_query_parameters {
253 my ( $c, $action_spec ) = @_;
255 # Check for malformed query parameters
257 my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
258 my $existing_params = $c->req->query_params->to_hash;
259 for my $param ( keys %{$existing_params} ) {
260 push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
263 Koha::Exceptions::BadParameter->throw(
271 Allows access to object for its owner.
273 There are endpoints that should allow access for the object owner even if they
274 do not have the required permission, e.g. access an own reserve. This can be
275 achieved by defining the operation as follows:
277 "/holds/{reserve_id}": {
280 "x-koha-authorization": {
292 my ($c, $authorization, $user) = @_;
294 return unless $authorization->{'allow-owner'};
296 return check_object_ownership($c, $user) if $user and $c;
299 =head3 allow_guarantor
301 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
306 sub allow_guarantor {
307 my ($c, $authorization, $user) = @_;
309 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
313 my $guarantees = $user->guarantees->as_list;
314 foreach my $guarantee (@{$guarantees}) {
315 return 1 if check_object_ownership($c, $guarantee);
319 =head3 check_object_ownership
321 Determines ownership of an object from request parameters.
323 As introducing an endpoint that allows access for object's owner; if the
324 parameter that will be used to determine ownership is not already inside
325 $parameters, add a new subroutine that checks the ownership and extend
326 $parameters to contain a key with parameter_name and a value of a subref to
327 the subroutine that you created.
331 sub check_object_ownership {
334 return if not $c or not $user;
337 accountlines_id => \&_object_ownership_by_accountlines_id,
338 borrowernumber => \&_object_ownership_by_patron_id,
339 patron_id => \&_object_ownership_by_patron_id,
340 checkout_id => \&_object_ownership_by_checkout_id,
341 reserve_id => \&_object_ownership_by_reserve_id,
344 foreach my $param ( keys %{ $parameters } ) {
345 my $check_ownership = $parameters->{$param};
346 if ($c->stash($param)) {
347 return &$check_ownership($c, $user, $c->stash($param));
349 elsif ($c->param($param)) {
350 return &$check_ownership($c, $user, $c->param($param));
352 elsif ($c->match->stack->[-1]->{$param}) {
353 return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
355 elsif ($c->req->json && $c->req->json->{$param}) {
356 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
361 =head3 _object_ownership_by_accountlines_id
363 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
368 sub _object_ownership_by_accountlines_id {
369 my ($c, $user, $accountlines_id) = @_;
371 my $accountline = Koha::Account::Lines->find($accountlines_id);
372 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
375 =head3 _object_ownership_by_borrowernumber
377 Compares C<$borrowernumber> to currently logged in C<$user>.
381 sub _object_ownership_by_patron_id {
382 my ($c, $user, $patron_id) = @_;
384 return $user->borrowernumber == $patron_id;
387 =head3 _object_ownership_by_checkout_id
389 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
390 compare its borrowernumber to currently logged in C<$user>. However, if an issue
391 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
392 borrowernumber to currently logged in C<$user>.
396 sub _object_ownership_by_checkout_id {
397 my ($c, $user, $issue_id) = @_;
399 my $issue = Koha::Checkouts->find($issue_id);
400 $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
401 return $issue && $issue->borrowernumber
402 && $user->borrowernumber == $issue->borrowernumber;
405 =head3 _object_ownership_by_reserve_id
407 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
410 TODO: Also compare against old_reserves
414 sub _object_ownership_by_reserve_id {
415 my ($c, $user, $reserve_id) = @_;
417 my $reserve = Koha::Holds->find($reserve_id);
418 return $reserve && $user->borrowernumber == $reserve->borrowernumber;
423 Internal method that performs Basic authentication.
428 my ( $c, $authorization_header ) = @_;
430 my ( $type, $credentials ) = split / /, $authorization_header;
432 unless ($credentials) {
433 Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
436 my $decoded_credentials = decode_base64( $credentials );
437 my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
439 my $dbh = C4::Context->dbh;
440 unless ( checkpw_internal($dbh, $user_id, $password ) ) {
441 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
444 return Koha::Patrons->find({ userid => $user_id });