From b5fc3d29373d2b6eecd9f3d26c798d603dae7d84 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 5 Aug 2016 15:03:28 +0000
Subject: [PATCH] Bug 17050: Do not kick the session out when accessing the REST API

Mojolicious does not set $ENV{REMOTE_ADDR} (neither $ENV{HTTP_*}) as it may share ENV between different requests. Fortunately for us, Plack does not! This is a dirty patch to fix this issue but it seems that there is not lot of solutions. It adds a remote_addr parameter to C4::Auth::check_cookie_authin order to send it from Koha::Rest::V1::startup reading the headers sent by Mojolicious. Test plan: Hit /cgi-bin/koha/mainpage.pl Hit /api/v1/patrons/42 Hit /cgi-bin/koha/mainpage.pl With this patch applied, everything will be fine and you won't be logged out.

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Benjamin Rokseth
Signed-off-by: Jonathan Druart
Signed-off-by: Kyle M Hall
---
 C4/Auth.pm | 4 +++-
 Koha/REST/V1.pm | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 582eefc621..17e2cc17f0 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1614,7 +1614,9 @@ Possible return values in C<$status> are:
 sub check_cookie_auth {
     my $cookie = shift;
     my $flagsrequired = shift;
+    my $params = shift;
+    my $remote_addr = $params->{remote_addr} || $ENV{REMOTE_ADDR};
     my $dbh = C4::Context->dbh;
     my $timeout = _timeout_syspref();
@@ -1671,7 +1673,7 @@ sub check_cookie_auth {
         $userid = undef;
         $sessionID = undef;
         return ("expired", undef);
-    } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $ENV{'REMOTE_ADDR'} ) {
+    } elsif ( C4::Context->preference('SessionRestrictionByIP') && $ip ne $remote_addr ) {
         # IP address changed
         $session->delete();
diff --git a/Koha/REST/V1.pm b/Koha/REST/V1.pm
index b692a38334..b16e1e340e 100644
--- a/Koha/REST/V1.pm
+++ b/Koha/REST/V1.pm
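Review bot: The new `$remote_addr` on the second `+` line of the first hunk can still end up undefined: every existing two-argument caller passes no `$params`, so the value falls back to `$ENV{REMOTE_ADDR}`, which the commit message itself says Mojolicious does not set, and the second hunk then evaluates `$ip ne $remote_addr` against undef — an uninitialized-value warning and, with SessionRestrictionByIP on, the "IP address changed" branch deleting the session. That fail-closed outcome is the right default, but it should be explicit rather than a side effect of string comparison with undef: `$ip ne ( $remote_addr // '' )` keeps the behaviour and silences the warning. The POD above the sub (the hunk header shows `Possible return values in C<$status> are:`) does not mention the new third argument; add an item such as `=item C<$params> - optional hashref; C<remote_addr> overrides C<$ENV{REMOTE_ADDR}> for the SessionRestrictionByIP check (used by the REST API, where Mojolicious does not populate %ENV)`. The body of check_cookie_auth continues outside both hunks.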
@@ -29,7 +29,9 @@ sub startup {
         cb => sub {
             my $c = shift;
-            my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'));
+            # ENV{REMOTE_ADDR} is not set here, we need to read the headers
+            my $remote_addr = $c->req->headers->header('x-forwarded-for');
+            my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'), undef, { remote_addr => $remote_addr });
             if ($status eq "ok") {
                 my $session = get_session($sessionID);
                 my $user = Koha::Patrons->find($session->param('number'));
-- 
2.39.5
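Review bot: `x-forwarded-for` on the second `+` line is a request header the client controls, so the SessionRestrictionByIP comparison in check_cookie_auth is now made against whatever value the API caller chooses to send; it only reflects the real peer when a reverse proxy in front of Koha overwrites that header on every request. When no such proxy is present the header is absent, `$remote_addr` is undef, and the fallback inside check_cookie_auth is `$ENV{REMOTE_ADDR}`, the very value the commit message says Mojolicious does not populate. Mojolicious exposes the connection's peer address as `$c->tx->remote_address`, which substitutes the X-Forwarded-For value only when reverse-proxy mode is enabled, so `my $remote_addr = $c->tx->remote_address;` gives the CGI and REST sides the same notion of client address without trusting an arbitrary header; the header may also carry a comma-separated chain of addresses, which will never string-equal the single address stored in the session. The enclosing `under` callback and `startup` continue outside the hunk.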