From 996b100f1f46f574cc597d4fd2865c1db8e5f4e7 Mon Sep 17 00:00:00 2001
From: Julian Maurice
Date: Thu, 12 Apr 2018 14:48:58 +0200
Subject: [PATCH] Bug 20402: Don't look at cookies if OAuth2 is attempted and has failed

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
---
 Koha/REST/V1/Auth.pm | 47 ++++++++++++++++++++++++++------------------
 1 file changed, 28 insertions(+), 19 deletions(-)

diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index 3ca43faadd..f9b885f491 100644
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@@ -113,27 +113,36 @@ sub authenticate_api_request {
     my $spec = $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
     my $authorization = $spec->{'x-koha-authorization'};
-    if (my $oauth = $c->oauth) {
-        my $clients = C4::Context->config('api_client');
-        $clients = [ $clients ] unless ref $clients eq 'ARRAY';
-        my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients;
-
-        my $patron = Koha::Patrons->find($client->{patron_id});
-        my $permissions = $authorization->{'permissions'};
-        # Check if the patron is authorized
-        if ( haspermission($patron->userid, $permissions)
-            or allow_owner($c, $authorization, $patron)
-            or allow_guarantor($c, $authorization, $patron) ) {
-
-            validate_query_parameters( $c, $spec );
-
-            # Everything is ok
-            return 1;
+    my $authorization_header = $c->req->headers->authorization;
+    if ($authorization_header and $authorization_header =~ /^Bearer /) {
+        if (my $oauth = $c->oauth) {
+            my $clients = C4::Context->config('api_client');
+            $clients = [ $clients ] unless ref $clients eq 'ARRAY';
+            my ($client) = grep { $_->{client_id} eq $oauth->{client_id} } @$clients;
+
+            my $patron = Koha::Patrons->find($client->{patron_id});
+            my $permissions = $authorization->{'permissions'};
+            # Check if the patron is authorized
+            if ( haspermission($patron->userid, $permissions)
+                or allow_owner($c, $authorization, $patron)
+                or allow_guarantor($c, $authorization, $patron) ) {
+
+                validate_query_parameters( $c, $spec );
+
+                # Everything is ok
+                return 1;
+            }
+
+            Koha::Exceptions::Authorization::Unauthorized->throw(
+                error => "Authorization failure. Missing required permission(s).",
+                required_permissions => $permissions,
+            );
         }
-        Koha::Exceptions::Authorization::Unauthorized->throw(
-            error => "Authorization failure. Missing required permission(s).",
-            required_permissions => $permissions,
+        # If we have "Authorization: Bearer" header and oauth authentication
+        # failed, do not try other authentication means
+        Koha::Exceptions::Authentication::Required->throw(
+            error => 'Authentication failure.'
         );
     }
-- 
2.39.5
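Review bot: The Bearer detection `$authorization_header =~ /^Bearer /` is case-sensitive, but HTTP auth-scheme names are case-insensitive, so a request sending `bearer <token>` skips the OAuth branch entirely and falls through to the cookie path, which is exactly the fallback this commit sets out to close. Consider `if ($authorization_header and $authorization_header =~ /\Abearer\s/i) {`, assuming `$c->oauth` itself accepts that spelling (not visible here). Separately, when no configured `api_client` entry matches `$oauth->{client_id}`, `$client` is undef and the later `$patron->userid` call would die with a 500 rather than raise the Unauthorized exception; that code is moved rather than new, but it is now the only path a Bearer request can take, so a `Koha::Exceptions::Authentication::Required->throw(...)` guard after the `grep` would keep the failure explicit. `authenticate_api_request` continues past the end of the hunk.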