From 348dbb1594be77582bb389c9080baa2ebd38fc21 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 21 Sep 2023 09:59:09 +0200
Subject: [PATCH] Bug 34478: Move C4::Auth check

Signed-off-by: Jonathan Druart
---
 C4/Auth.pm | 49 +++++++++++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index c6d4ac36c2..b73e8527e1 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1312,6 +1312,7 @@ sub checkauth {
 }
 # finished authentification, now respond
+ my $auth_template_name = ( $type eq 'opac' ) ? 'opac-auth.tt' : 'auth.tt';
 if ( $auth_state eq 'completed' || $authnotrequired ) {
 # successful login
 unless (@$cookie) {
@@ -1327,6 +1328,30 @@ sub checkauth {
 my $patron = $userid ? Koha::Patrons->find({ userid => $userid }) : undef;
 $patron->update_lastseen('login') if $patron;
+ if ( defined $query->param('op') ) {
+ die "Cannot use GET for this request"
+ if $request_method ne 'POST';
+
+ print $query->header(
+ {
+ type => 'text/html',
+ charset => 'utf-8',
+ cookie => $cookie,
+ 'X-Frame-Options' => 'SAMEORIGIN',
+ -sameSite => 'Lax'
+ }
+ );
+
+ my $template = C4::Templates::gettemplate( $auth_template_name, $type, $query );
+ output_and_exit( $query, $cookie, $template, 'wrong_csrf_token' )
+ unless Koha::Token->new->check_csrf(
+ {
+ session_id => scalar $query->cookie('CGISESSID'),
+ token => scalar $query->param('csrf_token'),
+ }
+ );
+ }
+
 # In case, that this request was a login attempt, we want to prevent that users can repost the opac login
 # request. We therefore redirect the user to the requested page again without the login parameters.
 # See Post/Redirect/Get (PRG) design pattern: https://en.wikipedia.org/wiki/Post/Redirect/Get
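Review bot: The moved block checks only `defined $query->param('op')`, whereas the version removed further down was also gated on `$auth_state eq 'completed'`; inside this `completed || $authnotrequired` branch that means a GET request carrying an `op` parameter to a page that does not require authentication now reaches `die "Cannot use GET for this request"`. If widening the CSRF check to the `$authnotrequired` case was not intended, keep the original guard: `if ( $auth_state eq 'completed' && defined $query->param('op') ) {`. Separately, `print $query->header(...)` runs before the token is verified, so when `check_csrf` succeeds control continues into the Post/Redirect/Get handling described by the following comment with a header already on the wire; unless `output_and_exit` relies on that header having been sent, printing it only on the failure path (immediately before `output_and_exit`) would avoid emitting a second header on the success path. Both the `if ( $auth_state eq 'completed' || $authnotrequired )` branch and checkauth itself continue outside the hunk.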
@@ -1365,7 +1390,6 @@ sub checkauth {
 $LibraryNameTitle =~ s/<(?:\/?)(?:br|p)\s*(?:\/?)>/ /sgi;
 $LibraryNameTitle =~ s/<(?:[^<>'"]|'(?:[^']*)'|"(?:[^"]*)")*>//sg;
- my $auth_template_name = ( $type eq 'opac' ) ? 'opac-auth.tt' : 'auth.tt';
 my $auth_error = $query->param('auth_error');
 my $template = C4::Templates::gettemplate( $auth_template_name, $type, $query );
 $template->param(
@@ -1481,29 +1505,6 @@ sub checkauth {
 }
 }
- if ( $auth_state eq 'completed' && defined $query->param('op') ) {
- die "Cannot use GET for this request"
- if $request_method ne 'POST';
-
- print $query->header(
- {
- type => 'text/html',
- charset => 'utf-8',
- cookie => $cookie,
- 'X-Frame-Options' => 'SAMEORIGIN',
- -sameSite => 'Lax'
- }
- );
-
- output_and_exit( $query, $cookie, $template, 'wrong_csrf_token' )
- unless Koha::Token->new->check_csrf(
- {
- session_id => scalar $query->cookie('CGISESSID'),
- token => scalar $query->param('csrf_token'),
- }
- );
- }
-
 $template->param(
 LibraryName => C4::Context->preference("LibraryName"),
 %info,
-- 
2.39.2