From b6f3da27c1b985d37d3c1175ee338e9b77ce1a73 Mon Sep 17 00:00:00 2001 From: David Cook Date: Tue, 6 Jun 2023 03:48:06 +0000 Subject: [PATCH] Bug 33881: Clear self-check JWT during auth kick out This patch clears the JWT cookie during auth kick out (ie when a web user navigates from the self-check out/in to the rest of Koha). Test plan: 0. Apply patch and koha-plack --reload kohadev 1. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl 2. Log in as the "koha" user 3. In another tab, go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl 4. Go to http://localhost:8080/cgi-bin/koha/opac-search.pl?idx=&q=a&weight_search=1 5. Note that you are prompted to "Log in to your account" via the normal Koha prompt 6. Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl 7. Note that you are prompted to "Log in to your account" within the "Self checkout system", and note that your self-checkout session for the "koha" user has *not* persisted like it did before the patch was applied Signed-off-by: Andrew Fuerste-Henry Signed-off-by: Nick Clemens Signed-off-by: Tomas Cohen Arazi (cherry picked from commit 1fa961b97b8f52d1c9920c72d9338d150deb829b) Signed-off-by: Fridolin Somers --- C4/Auth.pm | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/C4/Auth.pm b/C4/Auth.pm index cf21e3bdc4..9b298eed87 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -260,6 +260,15 @@ sub get_template_and_user { -sameSite => 'Lax', )); + #NOTE: This JWT should only be used by the self-check controllers + $cookie = $cookie_mgr->replace_in_list( $cookie, $in->{query}->cookie( + -name => 'JWT', + -value => '', + -HttpOnly => 1, + -secure => ( C4::Context->https_enabled() ? 1 : 0 ), + -sameSite => 'Lax', + )); + my $auth_error = $in->{query}->param('auth_error'); $template->param( -- 2.39.2