From 154a2ea9ad5b6e911a504b8798f5ffe6df1c2297 Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Wed, 27 Mar 2024 12:01:32 +0000 Subject: [PATCH] Bug 36420: Allow Basic authentication using `cardnumber` This patch makes the API Basic authentication work with cardnumbers. The used `checkpw_internal` method already does the fallback check. To test: 1. Apply the unit tests patch 2. Run: $ ktd --shell k$ prove t/db_dependent/api/v1/auth_basic.t => FAIL: Tests explode! [1] 3. Apply this patch 4. Repeat 2 => SUCCESS: Tests pass! 5. Sign off :-D [1] This highlights an underlying bug! Instead of getting 403, etc we get a 500. This is because of the internal fallback mechanism allowing the cardnumber+password combination, but then the Koha::Patron->find... not finding :-D Signed-off-by: Tomas Cohen Arazi Signed-off-by: Kyle M Hall Signed-off-by: Nick Clemens Signed-off-by: Martin Renvoize Signed-off-by: Katrin Fischer --- Koha/REST/V1/Auth.pm | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index 4e729e88dd..e563315418 100644
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@@ -527,14 +527,16 @@ sub _basic_auth {
 Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
 }
- my $decoded_credentials = decode_base64( $credentials );
- my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
+ my $decoded_credentials = decode_base64($credentials);
+ my ( $identifier, $password ) = split( /:/, $decoded_credentials, 2 );
- unless ( checkpw_internal($user_id, $password ) ) {
+ my $patron = Koha::Patrons->find( { userid => $identifier } );
+ $patron //= Koha::Patrons->find( { cardnumber => $identifier } );
+
+ unless ( checkpw_internal( $identifier, $password ) ) {
 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
 }
- my $patron = Koha::Patrons->find({ userid => $user_id });
 if ( $patron->password_expired ) {
 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Password has expired' );
 }
-- 
2.39.2
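Review bot: The `$patron` loaded by the two `Koha::Patrons->find` calls is resolved independently of the account whose password `checkpw_internal` accepted, so if one patron's `userid` equals another patron's `cardnumber` the request can be bound to a different patron than the one that authenticated. The commit message says `checkpw_internal` does its own fallback, which suggests it can accept the cardnumber match after the userid match fails, while `$patron` here always prefers the userid match. The patron should be resolved from whichever identity the password check matched; if `checkpw_internal` returns the matched cardnumber or userid (to be confirmed, it is not in this hunk), look up by that value instead of by `$identifier`. Separately, `$patron->password_expired` is still called without a definedness check, so any path where the check succeeds but neither lookup matches would again surface as the 500 the commit message describes; a guard such as `Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' ) unless $patron;` before it avoids that. `_basic_auth` begins and ends outside this hunk.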