From 2dd06e940928e5581404a95ae89c1f1094fd8c3a Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 20 Jan 2022 10:10:05 +0100
Subject: [PATCH] Bug 29914: Make check_cookie_auth compare the userid

check_cookie_auth is assuming that the user is authenticated if a cookie exists
and that the login/username exists in the DB.

So basically if you hit the login page, fill the login input with a
valid username, click "login"
=> A cookie will be generated, and the sessions table will contain a
line with this session id.
On the second hit, if the username is in the DB, it will be enough to be
considered authenticated.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7114dc2fb1a1440dd031ee771efee6e50bb86540)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit be18dc19b8e84919416eab5cd43f4ed345fc280a)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
---
 C4/Auth.pm           | 19 +++++++++++--------
 Koha/REST/V1/Auth.pm |  7 ++++---
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 89c54115cb..d9b87672b6 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1703,6 +1703,8 @@ Possible return values in C<$status> are:
 
 =item "ok" -- user authenticated; C<$sessionID> have valid values.
 
+=item "anon" -- user not authenticated but valid for anonymous session.
+
 =item "failed" -- credentials are not correct; C<$sessionid> are undef
 
 =item "maintenance" -- DB is in maintenance mode; no login possible at the moment
@@ -1785,20 +1787,21 @@ sub check_cookie_auth {
             $userid    = undef;
             $sessionID = undef;
             return ( "expired", undef );
-        } else {
+        } elsif ( $userid ) {
             $session->param( 'lasttime', time() );
             my $flags = defined($flagsrequired) ? haspermission( $userid, $flagsrequired ) : 1;
             if ($flags) {
                 return ( "ok", $sessionID );
-            } else {
-                $session->delete();
-                $session->flush;
-                C4::Context->_unset_userenv($sessionID);
-                $userid    = undef;
-                $sessionID = undef;
-                return ( "failed", undef );
             }
+        } else {
+            return ( "anon", $session );
         }
+        $session->delete();
+        $session->flush;
+        C4::Context->_unset_userenv($sessionID);
+        $userid    = undef;
+        $sessionID = undef;
+        return ( "failed", undef );
     } else {
         return ( "expired", undef );
     }
diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index cec55a0274..f390f1567b 100644
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@@ -217,9 +217,10 @@ sub authenticate_api_request {
                                                 { remote_addr => $remote_addr });
         if ($status eq "ok") {
             my $session = get_session($sessionID);
-            $user = Koha::Patrons->find( $session->param('number') )
-              unless $session->param('sessiontype')
-                 and $session->param('sessiontype') eq 'anon';
+            $user = Koha::Patrons->find( $session->param('number') );
+            $cookie_auth = 1;
+        }
+        elsif ($status eq "anon") {
             $cookie_auth = 1;
         }
         elsif ($status eq "maintenance") {
-- 
2.39.5