From e424b07d2733a23ce15ae56f2686917601ebcd59 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Tue, 28 Nov 2023 22:57:39 +0000
Subject: [PATCH] Bug 34893: Add checkpw change to REST API
This patch adds the checkpw return value change to the REST API route for validating user identifiers and password. Test plan: 0. Apply patch 1. prove t/db_dependent/api/v1/password_validation.t Bonus points: 1. koha-plack --reload kohadev 2. Enable syspref RESTBasicAuth 3. curl -XPOST -H "Content-Type: application/json" \ -u : \ -d '{"identifier":"","password":""}' \ http://localhost:8081/api/v1/auth/password/validation 4. Validation doesn't fail. It gives you cardnumber, patron_id, userid
Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Wainui Witika-Park
---
Koha/REST/V1/Auth/Password.pm | 103 ++++++++++++++++++++++++++++++++++
1 file changed, 103 insertions(+)
create mode 100644 Koha/REST/V1/Auth/Password.pm
diff --git a/Koha/REST/V1/Auth/Password.pm b/Koha/REST/V1/Auth/Password.pm
new file mode 100644
index 0000000000..189dcc80d5
--- /dev/null
+++ b/Koha/REST/V1/Auth/Password.pm
@@ -0,0 +1,103 @@
+package Koha::REST::V1::Auth::Password;
+
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see .
+
+use Modern::Perl;
+
+use Mojo::Base 'Mojolicious::Controller';
+
+use C4::Auth qw/checkpw/;
+use Koha::Patrons;
+
+=head1 NAME
+
+Koha::REST::V1::Auth::Password - Controller library for handling
+validation of username and password.
+
+Intended use case is authenticating Koha patrons in external
+applications via Koha's REST API.
+
+=head2 Operations
+
+=head3 validate
+
+Controller method that checks a patron's password
+
+=cut
+
+sub validate {
+ my $c = shift->openapi->valid_input or return;
+
+ my $body = $c->req->json;
+ my $identifier = $body->{identifier};
+ my $userid = $body->{userid};
+
+ unless ( defined $identifier or defined $userid ) {
+ return $c->render(
+ status => 400,
+ openapi => { error => "Validation failed" },
+ );
+ }
+
+ if ( defined $identifier and defined $userid ) {
+ return $c->render(
+ status => 400,
+ openapi => { error => "Bad request. Only one identifier attribute can be passed." },
+ );
+ }
+
+ if ($userid) {
+ return $c->render(
+ status => 400,
+ openapi => { error => "Validation failed" },
+ ) unless Koha::Patrons->find( { userid => $userid } );
+ }
+
+ $identifier //= $userid;
+
+ my $password = $body->{password} // "";
+
+ return try {
+ my ( $status, $THE_cardnumber, $THE_userid, $patron ) = C4::Auth::checkpw( $identifier, $password );
+ unless ( $status && $status > 0 ) {
+ my $error_response = $status == -2 ? 'Password expired' : 'Validation failed';
+ return $c->render(
+ status => 400,
+ openapi => { error => $error_response }
+ );
+ }
+
+ return $c->render(
+ status => 201,
+ openapi => {
+ cardnumber => $patron->cardnumber,
+ patron_id => $patron->id,
+ userid => $patron->userid,
+ }
+ );
+ } catch {
+ if ( blessed $_ and $_->isa('Koha::Exceptions::Password') ) {
+ return $c->render(
+ status => 400,
+ openapi => { error => "$_" }
+ );
+ }
+
+ $c->unhandled_exception($_);
+ };
+}
+
+1;
-- 
2.39.5
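Review bot: `try`/`catch` and `blessed` are called in validate (the `return try {` block and `if ( blessed $_ and ...)`), but the file's only `use` lines are Modern::Perl, Mojo::Base, C4::Auth and Koha::Patrons, and as far as I can tell none of them exports those names, so under strictures this new file should not compile unless they arrive some other way; add `use Scalar::Util qw( blessed );` and `use Try::Tiny qw( catch try );` after `use Koha::Patrons;`. In the same block, `$status == -2` runs whenever `unless ( $status && $status > 0 )` is entered, so an undef status from checkpw would log an uninitialized-value warning on every failed validation; `my $error_response = ( $status // 0 ) == -2 ? 'Password expired' : 'Validation failed';` avoids that, and the unused `$THE_cardnumber`/`$THE_userid` captures would read better as `undef` placeholders. On the security side, the `if ($userid)` branch answers 400 before checkpw and its password hashing ever run, so an unknown userid is rejected measurably faster than a wrong password for a known one even though both say "Validation failed"; if this route is meant not to leak account existence, let unknown userids fall through to checkpw instead, and consider whether 'Password expired' (presumably only reachable after a matching password) should be distinguishable to the caller.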