1 package Koha::REST::V1::Auth;
3 # Copyright Koha-Suomi Oy 2017
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
22 use Mojo::Base 'Mojolicious::Controller';
24 use C4::Auth qw( check_cookie_auth checkpw_internal get_session haspermission );
28 use Koha::Account::Lines;
33 use Koha::OAuthAccessTokens;
34 use Koha::Old::Checkouts;
38 use Koha::Exceptions::Authentication;
39 use Koha::Exceptions::Authorization;
42 use Module::Load::Conditional;
43 use Scalar::Util qw( blessed );
54 This subroutine is called before every request to API.
66 my $namespace = $c->req->url->to_abs->path->[2] // '';
68 my $is_public = 0; # By default routes are not public
71 if ( $namespace eq 'public' ) {
73 } elsif ( $namespace eq 'contrib' ) {
78 and !C4::Context->preference('RESTPublicAPI') )
80 Koha::Exceptions::Authorization->throw(
81 "Configuration prevents the usage of this endpoint by unprivileged users");
84 if ( $c->req->url->to_abs->path eq '/api/v1/oauth/token' ) {
85 # Requesting a token shouldn't go through the API authenticaction chain
88 elsif ( $namespace eq '' or $namespace eq '.html' ) {
92 $status = authenticate_api_request($c, { is_public => $is_public, is_plugin => $is_plugin });
96 unless (blessed($_)) {
99 json => { error => 'Something went wrong, check the logs.' }
102 if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
103 return $c->render(status => 503, json => { error => $_->error });
105 elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
106 return $c->render(status => 401, json => { error => $_->error });
108 elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
109 return $c->render(status => 401, json => { error => $_->error });
111 elsif ($_->isa('Koha::Exceptions::Authentication')) {
112 return $c->render(status => 401, json => { error => $_->error });
114 elsif ($_->isa('Koha::Exceptions::BadParameter')) {
115 return $c->render(status => 400, json => $_->error );
117 elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
118 return $c->render(status => 403, json => {
120 required_permissions => $_->required_permissions,
123 elsif ($_->isa('Koha::Exceptions::Authorization')) {
124 return $c->render(status => 403, json => { error => $_->error });
126 elsif ($_->isa('Koha::Exceptions')) {
127 return $c->render(status => 500, json => { error => $_->error });
132 json => { error => 'Something went wrong, check the logs.' }
140 =head3 authenticate_api_request
142 Validates authentication and allows access if authorization is not required or
143 if authorization is required and user has required permissions to access.
147 sub authenticate_api_request {
148 my ( $c, $params ) = @_;
152 # The following supports retrieval of spec with Mojolicious::Plugin::OpenAPI@1.17 and later (first one)
153 # and older versions (second one).
154 # TODO: remove the latter 'openapi.op_spec' if minimum version is bumped to at least 1.17.
155 my $spec = $c->openapi->spec || $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
157 $c->stash_embed({ spec => $spec });
160 my $authorization = $spec->{'x-koha-authorization'};
162 my $authorization_header = $c->req->headers->authorization;
164 if ($authorization_header and $authorization_header =~ /^Bearer /) {
165 # attempt to use OAuth2 authentication
166 if ( ! Module::Load::Conditional::can_load(
167 modules => {'Net::OAuth2::AuthorizationServer' => undef} )) {
168 Koha::Exceptions::Authorization::Unauthorized->throw(
169 error => 'Authentication failure.'
173 require Net::OAuth2::AuthorizationServer;
176 my $server = Net::OAuth2::AuthorizationServer->new;
177 my $grant = $server->client_credentials_grant(Koha::OAuth::config);
178 my ($type, $token) = split / /, $authorization_header;
179 my ($valid_token, $error) = $grant->verify_access_token(
180 access_token => $token,
184 my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
185 $user = Koha::Patrons->find($patron_id);
188 # If we have "Authorization: Bearer" header and oauth authentication
189 # failed, do not try other authentication means
190 Koha::Exceptions::Authentication::Required->throw(
191 error => 'Authentication failure.'
195 elsif ( $authorization_header and $authorization_header =~ /^Basic / ) {
196 unless ( C4::Context->preference('RESTBasicAuth') ) {
197 Koha::Exceptions::Authentication::Required->throw(
198 error => 'Basic authentication disabled'
201 $user = $c->_basic_auth( $authorization_header );
203 # If we have "Authorization: Basic" header and authentication
204 # failed, do not try other authentication means
205 Koha::Exceptions::Authentication::Required->throw(
206 error => 'Authentication failure.'
212 my $cookie = $c->cookie('CGISESSID');
214 # Mojo doesn't use %ENV the way CGI apps do
215 # Manually pass the remote_address to check_auth_cookie
216 my $remote_addr = $c->tx->remote_address;
217 my ($status, $sessionID) = check_cookie_auth(
219 { remote_addr => $remote_addr });
220 if ($status eq "ok") {
221 my $session = get_session($sessionID);
222 $user = Koha::Patrons->find( $session->param('number') )
223 unless $session->param('sessiontype')
224 and $session->param('sessiontype') eq 'anon';
227 elsif ($status eq "maintenance") {
228 Koha::Exceptions::UnderMaintenance->throw(
229 error => 'System is under maintenance.'
232 elsif ($status eq "expired" and $authorization) {
233 Koha::Exceptions::Authentication::SessionExpired->throw(
234 error => 'Session has been expired.'
237 elsif ($status eq "failed" and $authorization) {
238 Koha::Exceptions::Authentication::Required->throw(
239 error => 'Authentication failure.'
242 elsif ($authorization) {
243 Koha::Exceptions::Authentication->throw(
244 error => 'Unexpected authentication status.'
249 $c->stash('koha.user' => $user);
250 C4::Context->interface('api');
252 if ( $user and !$cookie_auth ) { # cookie-auth sets this and more, don't mess with that
253 $c->_set_userenv( $user );
256 if ( !$authorization and
257 ( $params->{is_public} and
258 ( C4::Context->preference('RESTPublicAnonymousRequests') or
259 $user) or $params->{is_plugin} ) ) {
260 # We do not need any authorization
261 # Check the parameters
262 validate_query_parameters( $c, $spec );
266 # We are required authorizarion, there needs
267 # to be an identified user
268 Koha::Exceptions::Authentication::Required->throw(
269 error => 'Authentication failure.' )
274 my $permissions = $authorization->{'permissions'};
275 # Check if the user is authorized
276 if ( ( defined($permissions) and haspermission($user->userid, $permissions) )
277 or allow_owner($c, $authorization, $user)
278 or allow_guarantor($c, $authorization, $user) ) {
280 validate_query_parameters( $c, $spec );
286 Koha::Exceptions::Authorization::Unauthorized->throw(
287 error => "Authorization failure. Missing required permission(s).",
288 required_permissions => $permissions,
292 =head3 validate_query_parameters
294 Validates the query parameters against the spec.
298 sub validate_query_parameters {
299 my ( $c, $action_spec ) = @_;
301 # Check for malformed query parameters
303 my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
304 my $existing_params = $c->req->query_params->to_hash;
305 for my $param ( keys %{$existing_params} ) {
306 push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
309 Koha::Exceptions::BadParameter->throw(
316 Allows access to object for its owner.
318 There are endpoints that should allow access for the object owner even if they
319 do not have the required permission, e.g. access an own reserve. This can be
320 achieved by defining the operation as follows:
322 "/holds/{reserve_id}": {
325 "x-koha-authorization": {
337 my ($c, $authorization, $user) = @_;
339 return unless $authorization->{'allow-owner'};
341 return check_object_ownership($c, $user) if $user and $c;
344 =head3 allow_guarantor
346 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
351 sub allow_guarantor {
352 my ($c, $authorization, $user) = @_;
354 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
358 my $guarantees = $user->guarantee_relationships->guarantees->as_list;
359 foreach my $guarantee (@{$guarantees}) {
360 return 1 if check_object_ownership($c, $guarantee);
364 =head3 check_object_ownership
366 Determines ownership of an object from request parameters.
368 As introducing an endpoint that allows access for object's owner; if the
369 parameter that will be used to determine ownership is not already inside
370 $parameters, add a new subroutine that checks the ownership and extend
371 $parameters to contain a key with parameter_name and a value of a subref to
372 the subroutine that you created.
376 sub check_object_ownership {
379 return if not $c or not $user;
382 accountlines_id => \&_object_ownership_by_accountlines_id,
383 borrowernumber => \&_object_ownership_by_patron_id,
384 patron_id => \&_object_ownership_by_patron_id,
385 checkout_id => \&_object_ownership_by_checkout_id,
386 reserve_id => \&_object_ownership_by_reserve_id,
389 foreach my $param ( keys %{ $parameters } ) {
390 my $check_ownership = $parameters->{$param};
391 if ($c->stash($param)) {
392 return &$check_ownership($c, $user, $c->stash($param));
394 elsif ($c->param($param)) {
395 return &$check_ownership($c, $user, $c->param($param));
397 elsif ($c->match->stack->[-1]->{$param}) {
398 return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
400 elsif ($c->req->json && $c->req->json->{$param}) {
401 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
406 =head3 _object_ownership_by_accountlines_id
408 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
413 sub _object_ownership_by_accountlines_id {
414 my ($c, $user, $accountlines_id) = @_;
416 my $accountline = Koha::Account::Lines->find($accountlines_id);
417 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
420 =head3 _object_ownership_by_borrowernumber
422 Compares C<$borrowernumber> to currently logged in C<$user>.
426 sub _object_ownership_by_patron_id {
427 my ($c, $user, $patron_id) = @_;
429 return $user->borrowernumber == $patron_id;
432 =head3 _object_ownership_by_checkout_id
434 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
435 compare its borrowernumber to currently logged in C<$user>. However, if an issue
436 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
437 borrowernumber to currently logged in C<$user>.
441 sub _object_ownership_by_checkout_id {
442 my ($c, $user, $issue_id) = @_;
444 my $issue = Koha::Checkouts->find($issue_id);
445 $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
446 return $issue && $issue->borrowernumber
447 && $user->borrowernumber == $issue->borrowernumber;
450 =head3 _object_ownership_by_reserve_id
452 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
455 TODO: Also compare against old_reserves
459 sub _object_ownership_by_reserve_id {
460 my ($c, $user, $reserve_id) = @_;
462 my $reserve = Koha::Holds->find($reserve_id);
463 return $reserve && $user->borrowernumber == $reserve->borrowernumber;
468 Internal method that performs Basic authentication.
473 my ( $c, $authorization_header ) = @_;
475 my ( $type, $credentials ) = split / /, $authorization_header;
477 unless ($credentials) {
478 Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
481 my $decoded_credentials = decode_base64( $credentials );
482 my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
484 my $dbh = C4::Context->dbh;
485 unless ( checkpw_internal($dbh, $user_id, $password ) ) {
486 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
489 return Koha::Patrons->find({ userid => $user_id });
494 $c->_set_userenv( $patron );
496 Internal method that sets C4::Context->userenv
501 my ( $c, $patron ) = @_;
503 my $passed_library_id = $c->req->headers->header('x-koha-library');
506 if ( $passed_library_id ) {
507 $THE_library = Koha::Libraries->find( $passed_library_id );
508 Koha::Exceptions::Authorization::Unauthorized->throw(
509 "Unauthorized attempt to set library to $passed_library_id"
510 ) unless $THE_library and $patron->can_log_into($THE_library);
513 $THE_library = $patron->library;
516 C4::Context->_new_userenv( $patron->borrowernumber );
517 C4::Context->set_userenv(
518 $patron->borrowernumber, # number,
519 $patron->userid, # userid,
520 $patron->cardnumber, # cardnumber
521 $patron->firstname, # firstname
522 $patron->surname, # surname
523 $THE_library->branchcode, # branch
524 $THE_library->branchname, # branchname
525 $patron->flags, # flags,
526 $patron->email, # emailaddress