git.koha-community.org Git - koha.git/commit

Bug 29543: Enforce authentication for self-checkout

The self-checkout feature is assuming a patron is logged in if patronid
is passed. It also assumes that "We're in a controlled environment; we
trust the user", which is terribly wrong!

This patch is suggesting to generate a JSON Web Token (JWT) to store in
a cookie and only allow action (renew, check in/out) is the token is
valid. The token is only generated once the user has been authenticated
And is removed when the user finish the session/logout.

Test plan:
You must know exactly how the self-checkout feature works to test this patch.
The 4 following sysprefs must be tested:
SelfCheckoutByLogin, AutoSelfCheckAllowed, AutoSelfCheckID, AutoSelfCheckPass
Confirm that you can renew, checkin for the items you own, and checkout new items.
Confirm that you are not allowed to access other account's info.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

author	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Wed, 5 Jan 2022 11:47:10 +0000 (12:47 +0100)
committer	Fridolin Somers <fridolin.somers@biblibre.com>
	Thu, 3 Feb 2022 07:05:29 +0000 (21:05 -1000)
commit	78815e97774a101f1108950249ff10ba3a3f9898
tree	69e3e136fc0f5a3e96e92327cbf06f3556980e3a	tree \| snapshot
parent	3cb8640cbf67224addf0ae6abaeca5cf74d2690d	commit \| diff