1 package Koha::REST::V1::Auth;
3 # Copyright Koha-Suomi Oy 2017
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
22 use Mojo::Base 'Mojolicious::Controller';
24 use C4::Auth qw( check_cookie_auth checkpw_internal get_session haspermission );
28 use Koha::Account::Lines;
33 use Koha::OAuthAccessTokens;
34 use Koha::Old::Checkouts;
38 use Koha::Exceptions::Authentication;
39 use Koha::Exceptions::Authorization;
41 use MIME::Base64 qw( decode_base64 );
42 use Module::Load::Conditional;
43 use Scalar::Util qw( blessed );
44 use Try::Tiny qw( catch try );
54 This subroutine is called before every request to API.
66 my $namespace = $c->req->url->to_abs->path->[2] // '';
68 my $is_public = 0; # By default routes are not public
71 if ( $namespace eq 'public' ) {
73 } elsif ( $namespace eq 'contrib' ) {
78 and !C4::Context->preference('RESTPublicAPI') )
80 Koha::Exceptions::Authorization->throw(
81 "Configuration prevents the usage of this endpoint by unprivileged users");
84 if ( $c->req->url->to_abs->path eq '/api/v1/oauth/token' ) {
85 # Requesting a token shouldn't go through the API authenticaction chain
88 elsif ( $namespace eq '' or $namespace eq '.html' ) {
92 $status = authenticate_api_request($c, { is_public => $is_public, is_plugin => $is_plugin });
96 unless (blessed($_)) {
99 json => { error => 'Something went wrong, check the logs.' }
102 if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
103 return $c->render(status => 503, json => { error => $_->error });
105 elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
106 return $c->render(status => 401, json => { error => $_->error });
108 elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
109 return $c->render(status => 401, json => { error => $_->error });
111 elsif ($_->isa('Koha::Exceptions::Authentication')) {
112 return $c->render(status => 401, json => { error => $_->error });
114 elsif ($_->isa('Koha::Exceptions::BadParameter')) {
115 return $c->render(status => 400, json => $_->error );
117 elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
118 return $c->render(status => 403, json => {
120 required_permissions => $_->required_permissions,
123 elsif ($_->isa('Koha::Exceptions::Authorization')) {
124 return $c->render(status => 403, json => { error => $_->error });
126 elsif ($_->isa('Koha::Exceptions')) {
127 return $c->render(status => 500, json => { error => $_->error });
132 json => { error => 'Something went wrong, check the logs.' }
140 =head3 authenticate_api_request
142 Validates authentication and allows access if authorization is not required or
143 if authorization is required and user has required permissions to access.
147 sub authenticate_api_request {
148 my ( $c, $params ) = @_;
152 $c->stash( 'is_public' => 1 )
153 if $params->{is_public};
155 # The following supports retrieval of spec with Mojolicious::Plugin::OpenAPI@1.17 and later (first one)
156 # and older versions (second one).
157 # TODO: remove the latter 'openapi.op_spec' if minimum version is bumped to at least 1.17.
158 my $spec = $c->openapi->spec || $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
161 $c->stash_overrides();
165 my $authorization = $spec->{'x-koha-authorization'};
167 my $authorization_header = $c->req->headers->authorization;
169 if ($authorization_header and $authorization_header =~ /^Bearer /) {
170 # attempt to use OAuth2 authentication
171 if ( ! Module::Load::Conditional::can_load(
172 modules => {'Net::OAuth2::AuthorizationServer' => undef} )) {
173 Koha::Exceptions::Authorization::Unauthorized->throw(
174 error => 'Authentication failure.'
178 require Net::OAuth2::AuthorizationServer;
181 my $server = Net::OAuth2::AuthorizationServer->new;
182 my $grant = $server->client_credentials_grant(Koha::OAuth::config);
183 my ($type, $token) = split / /, $authorization_header;
184 my ($valid_token, $error) = $grant->verify_access_token(
185 access_token => $token,
189 my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
190 $user = Koha::Patrons->find($patron_id);
193 # If we have "Authorization: Bearer" header and oauth authentication
194 # failed, do not try other authentication means
195 Koha::Exceptions::Authentication::Required->throw(
196 error => 'Authentication failure.'
200 elsif ( $authorization_header and $authorization_header =~ /^Basic / ) {
201 unless ( C4::Context->preference('RESTBasicAuth') ) {
202 Koha::Exceptions::Authentication::Required->throw(
203 error => 'Basic authentication disabled'
206 $user = $c->_basic_auth( $authorization_header );
208 # If we have "Authorization: Basic" header and authentication
209 # failed, do not try other authentication means
210 Koha::Exceptions::Authentication::Required->throw(
211 error => 'Authentication failure.'
217 my $cookie = $c->cookie('CGISESSID');
219 # Mojo doesn't use %ENV the way CGI apps do
220 # Manually pass the remote_address to check_auth_cookie
221 my $remote_addr = $c->tx->remote_address;
222 my ($status, $session) = check_cookie_auth(
224 { remote_addr => $remote_addr });
225 if ($status eq "ok") {
226 $user = Koha::Patrons->find( $session->param('number') );
229 elsif ($status eq "anon") {
232 elsif ($status eq "maintenance") {
233 Koha::Exceptions::UnderMaintenance->throw(
234 error => 'System is under maintenance.'
237 elsif ($status eq "expired" and $authorization) {
238 Koha::Exceptions::Authentication::SessionExpired->throw(
239 error => 'Session has been expired.'
242 elsif ($status eq "failed" and $authorization) {
243 Koha::Exceptions::Authentication::Required->throw(
244 error => 'Authentication failure.'
247 elsif ($authorization) {
248 Koha::Exceptions::Authentication->throw(
249 error => 'Unexpected authentication status.'
254 $c->stash('koha.user' => $user);
255 C4::Context->interface('api');
257 if ( $user and !$cookie_auth ) { # cookie-auth sets this and more, don't mess with that
258 $c->_set_userenv( $user );
261 if ( !$authorization and
262 ( $params->{is_public} and
263 ( C4::Context->preference('RESTPublicAnonymousRequests') or
264 $user) or $params->{is_plugin} ) ) {
265 # We do not need any authorization
266 # Check the parameters
267 validate_query_parameters( $c, $spec );
271 # We are required authorizarion, there needs
272 # to be an identified user
273 Koha::Exceptions::Authentication::Required->throw(
274 error => 'Authentication failure.' )
279 my $permissions = $authorization->{'permissions'};
280 # Check if the user is authorized
281 if ( ( defined($permissions) and haspermission($user->userid, $permissions) )
282 or allow_owner($c, $authorization, $user)
283 or allow_guarantor($c, $authorization, $user) ) {
285 validate_query_parameters( $c, $spec );
291 Koha::Exceptions::Authorization::Unauthorized->throw(
292 error => "Authorization failure. Missing required permission(s).",
293 required_permissions => $permissions,
297 =head3 validate_query_parameters
299 Validates the query parameters against the spec.
303 sub validate_query_parameters {
304 my ( $c, $action_spec ) = @_;
306 # Check for malformed query parameters
308 my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
309 my $existing_params = $c->req->query_params->to_hash;
310 for my $param ( keys %{$existing_params} ) {
311 push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
314 Koha::Exceptions::BadParameter->throw(
321 Allows access to object for its owner.
323 There are endpoints that should allow access for the object owner even if they
324 do not have the required permission, e.g. access an own reserve. This can be
325 achieved by defining the operation as follows:
327 "/holds/{reserve_id}": {
330 "x-koha-authorization": {
342 my ($c, $authorization, $user) = @_;
344 return unless $authorization->{'allow-owner'};
346 return check_object_ownership($c, $user) if $user and $c;
349 =head3 allow_guarantor
351 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
356 sub allow_guarantor {
357 my ($c, $authorization, $user) = @_;
359 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
363 my $guarantees = $user->guarantee_relationships->guarantees->as_list;
364 foreach my $guarantee (@{$guarantees}) {
365 return 1 if check_object_ownership($c, $guarantee);
369 =head3 check_object_ownership
371 Determines ownership of an object from request parameters.
373 As introducing an endpoint that allows access for object's owner; if the
374 parameter that will be used to determine ownership is not already inside
375 $parameters, add a new subroutine that checks the ownership and extend
376 $parameters to contain a key with parameter_name and a value of a subref to
377 the subroutine that you created.
381 sub check_object_ownership {
384 return if not $c or not $user;
387 accountlines_id => \&_object_ownership_by_accountlines_id,
388 borrowernumber => \&_object_ownership_by_patron_id,
389 patron_id => \&_object_ownership_by_patron_id,
390 checkout_id => \&_object_ownership_by_checkout_id,
391 reserve_id => \&_object_ownership_by_reserve_id,
394 foreach my $param ( keys %{ $parameters } ) {
395 my $check_ownership = $parameters->{$param};
396 if ($c->stash($param)) {
397 return &$check_ownership($c, $user, $c->stash($param));
399 elsif ($c->param($param)) {
400 return &$check_ownership($c, $user, $c->param($param));
402 elsif ($c->match->stack->[-1]->{$param}) {
403 return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
405 elsif ($c->req->json && $c->req->json->{$param}) {
406 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
411 =head3 _object_ownership_by_accountlines_id
413 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
418 sub _object_ownership_by_accountlines_id {
419 my ($c, $user, $accountlines_id) = @_;
421 my $accountline = Koha::Account::Lines->find($accountlines_id);
422 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
425 =head3 _object_ownership_by_borrowernumber
427 Compares C<$borrowernumber> to currently logged in C<$user>.
431 sub _object_ownership_by_patron_id {
432 my ($c, $user, $patron_id) = @_;
434 return $user->borrowernumber == $patron_id;
437 =head3 _object_ownership_by_checkout_id
439 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
440 compare its borrowernumber to currently logged in C<$user>. However, if an issue
441 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
442 borrowernumber to currently logged in C<$user>.
446 sub _object_ownership_by_checkout_id {
447 my ($c, $user, $issue_id) = @_;
449 my $issue = Koha::Checkouts->find($issue_id);
450 $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
451 return $issue && $issue->borrowernumber
452 && $user->borrowernumber == $issue->borrowernumber;
455 =head3 _object_ownership_by_reserve_id
457 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
460 TODO: Also compare against old_reserves
464 sub _object_ownership_by_reserve_id {
465 my ($c, $user, $reserve_id) = @_;
467 my $reserve = Koha::Holds->find($reserve_id);
468 return $reserve && $user->borrowernumber == $reserve->borrowernumber;
473 Internal method that performs Basic authentication.
478 my ( $c, $authorization_header ) = @_;
480 my ( $type, $credentials ) = split / /, $authorization_header;
482 unless ($credentials) {
483 Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
486 my $decoded_credentials = decode_base64( $credentials );
487 my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
489 my $dbh = C4::Context->dbh;
490 unless ( checkpw_internal($dbh, $user_id, $password ) ) {
491 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
494 return Koha::Patrons->find({ userid => $user_id });
499 $c->_set_userenv( $patron );
501 Internal method that sets C4::Context->userenv
506 my ( $c, $patron ) = @_;
508 my $passed_library_id = $c->req->headers->header('x-koha-library');
511 if ( $passed_library_id ) {
512 $THE_library = Koha::Libraries->find( $passed_library_id );
513 Koha::Exceptions::Authorization::Unauthorized->throw(
514 "Unauthorized attempt to set library to $passed_library_id"
515 ) unless $THE_library and $patron->can_log_into($THE_library);
518 $THE_library = $patron->library;
521 C4::Context->_new_userenv( $patron->borrowernumber );
522 C4::Context->set_userenv(
523 $patron->borrowernumber, # number,
524 $patron->userid, # userid,
525 $patron->cardnumber, # cardnumber
526 $patron->firstname, # firstname
527 $patron->surname, # surname
528 $THE_library->branchcode, # branch
529 $THE_library->branchname, # branchname
530 $patron->flags, # flags,
531 $patron->email, # emailaddress