1 package Koha::REST::V1::Auth;
3 # Copyright Koha-Suomi Oy 2017
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
22 use Mojo::Base 'Mojolicious::Controller';
24 use C4::Auth qw( check_cookie_auth checkpw_internal get_session haspermission );
28 use Koha::Account::Lines;
33 use Koha::OAuthAccessTokens;
34 use Koha::Old::Checkouts;
38 use Koha::Exceptions::Authentication;
39 use Koha::Exceptions::Authorization;
41 use MIME::Base64 qw( decode_base64 );
42 use Module::Load::Conditional;
43 use Scalar::Util qw( blessed );
44 use Try::Tiny qw( catch try );
54 This subroutine is called before every request to API.
66 my $namespace = $c->req->url->to_abs->path->[2] // '';
68 my $is_public = 0; # By default routes are not public
71 if ( $namespace eq 'public' ) {
73 } elsif ( $namespace eq 'contrib' ) {
78 and !C4::Context->preference('RESTPublicAPI') )
80 Koha::Exceptions::Authorization->throw(
81 "Configuration prevents the usage of this endpoint by unprivileged users");
84 if ( $c->req->url->to_abs->path eq '/api/v1/oauth/token' ) {
85 # Requesting a token shouldn't go through the API authenticaction chain
88 elsif ( $namespace eq '' or $namespace eq '.html' ) {
92 $status = authenticate_api_request($c, { is_public => $is_public, is_plugin => $is_plugin });
96 unless (blessed($_)) {
99 json => { error => 'Something went wrong, check the logs.' }
102 if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
103 return $c->render(status => 503, json => { error => $_->error });
105 elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
106 return $c->render(status => 401, json => { error => $_->error });
108 elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
109 return $c->render(status => 401, json => { error => $_->error });
111 elsif ($_->isa('Koha::Exceptions::Authentication')) {
112 return $c->render(status => 401, json => { error => $_->error });
114 elsif ($_->isa('Koha::Exceptions::BadParameter')) {
115 return $c->render(status => 400, json => $_->error );
117 elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
118 return $c->render(status => 403, json => {
120 required_permissions => $_->required_permissions,
123 elsif ($_->isa('Koha::Exceptions::Authorization')) {
124 return $c->render(status => 403, json => { error => $_->error });
126 elsif ($_->isa('Koha::Exceptions')) {
127 return $c->render(status => 500, json => { error => $_->error });
132 json => { error => 'Something went wrong, check the logs.' }
140 =head3 authenticate_api_request
142 Validates authentication and allows access if authorization is not required or
143 if authorization is required and user has required permissions to access.
147 sub authenticate_api_request {
148 my ( $c, $params ) = @_;
152 $c->stash( 'is_public' => 1 )
153 if $params->{is_public};
155 # The following supports retrieval of spec with Mojolicious::Plugin::OpenAPI@1.17 and later (first one)
156 # and older versions (second one).
157 # TODO: remove the latter 'openapi.op_spec' if minimum version is bumped to at least 1.17.
158 my $spec = $c->openapi->spec || $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
161 $c->stash_overrides();
166 my $authorization = $spec->{'x-koha-authorization'};
168 my $authorization_header = $c->req->headers->authorization;
170 if ($authorization_header and $authorization_header =~ /^Bearer /) {
171 # attempt to use OAuth2 authentication
172 if ( ! Module::Load::Conditional::can_load(
173 modules => {'Net::OAuth2::AuthorizationServer' => undef} )) {
174 Koha::Exceptions::Authorization::Unauthorized->throw(
175 error => 'Authentication failure.'
179 require Net::OAuth2::AuthorizationServer;
182 my $server = Net::OAuth2::AuthorizationServer->new;
183 my $grant = $server->client_credentials_grant(Koha::OAuth::config);
184 my ($type, $token) = split / /, $authorization_header;
185 my ($valid_token, $error) = $grant->verify_access_token(
186 access_token => $token,
190 my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
191 $user = Koha::Patrons->find($patron_id);
194 # If we have "Authorization: Bearer" header and oauth authentication
195 # failed, do not try other authentication means
196 Koha::Exceptions::Authentication::Required->throw(
197 error => 'Authentication failure.'
201 elsif ( $authorization_header and $authorization_header =~ /^Basic / ) {
202 unless ( C4::Context->preference('RESTBasicAuth') ) {
203 Koha::Exceptions::Authentication::Required->throw(
204 error => 'Basic authentication disabled'
207 $user = $c->_basic_auth( $authorization_header );
209 # If we have "Authorization: Basic" header and authentication
210 # failed, do not try other authentication means
211 Koha::Exceptions::Authentication::Required->throw(
212 error => 'Authentication failure.'
218 my $cookie = $c->cookie('CGISESSID');
220 # Mojo doesn't use %ENV the way CGI apps do
221 # Manually pass the remote_address to check_auth_cookie
222 my $remote_addr = $c->tx->remote_address;
223 my ($status, $session) = check_cookie_auth(
225 { remote_addr => $remote_addr });
226 if ($status eq "ok") {
227 $user = Koha::Patrons->find( $session->param('number') );
230 elsif ($status eq "anon") {
233 elsif ($status eq "additional-auth-needed") {
234 if ( $c->req->url->to_abs->path eq '/api/v1/auth/send_otp_token' ) {
235 $user = Koha::Patrons->find( $session->param('number') );
238 Koha::Exceptions::Authentication::Required->throw(
239 error => 'Authentication failure.'
243 elsif ($status eq "maintenance") {
244 Koha::Exceptions::UnderMaintenance->throw(
245 error => 'System is under maintenance.'
248 elsif ($status eq "expired" and $authorization) {
249 Koha::Exceptions::Authentication::SessionExpired->throw(
250 error => 'Session has been expired.'
253 elsif ($status eq "failed" and $authorization) {
254 Koha::Exceptions::Authentication::Required->throw(
255 error => 'Authentication failure.'
258 elsif ($authorization) {
259 Koha::Exceptions::Authentication->throw(
260 error => 'Unexpected authentication status.'
265 $c->stash('koha.user' => $user);
266 C4::Context->interface('api');
268 if ( $user and !$cookie_auth ) { # cookie-auth sets this and more, don't mess with that
269 $c->_set_userenv( $user );
272 if ( !$authorization and
273 ( $params->{is_public} and
274 ( C4::Context->preference('RESTPublicAnonymousRequests') or
275 $user) or $params->{is_plugin} )
277 # We do not need any authorization
278 # Check the parameters
279 validate_query_parameters( $c, $spec );
283 # We are required authorizarion, there needs
284 # to be an identified user
285 Koha::Exceptions::Authentication::Required->throw(
286 error => 'Authentication failure.' )
291 my $permissions = $authorization->{'permissions'};
292 # Check if the user is authorized
293 if ( ( defined($permissions) and haspermission($user->userid, $permissions) )
294 or allow_owner($c, $authorization, $user)
295 or allow_guarantor($c, $authorization, $user) ) {
297 validate_query_parameters( $c, $spec );
303 Koha::Exceptions::Authorization::Unauthorized->throw(
304 error => "Authorization failure. Missing required permission(s).",
305 required_permissions => $permissions,
309 =head3 validate_query_parameters
311 Validates the query parameters against the spec.
315 sub validate_query_parameters {
316 my ( $c, $action_spec ) = @_;
318 # Check for malformed query parameters
320 my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
321 my $existing_params = $c->req->query_params->to_hash;
322 for my $param ( keys %{$existing_params} ) {
323 push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
326 Koha::Exceptions::BadParameter->throw(
333 Allows access to object for its owner.
335 There are endpoints that should allow access for the object owner even if they
336 do not have the required permission, e.g. access an own reserve. This can be
337 achieved by defining the operation as follows:
339 "/holds/{reserve_id}": {
342 "x-koha-authorization": {
354 my ($c, $authorization, $user) = @_;
356 return unless $authorization->{'allow-owner'};
358 return check_object_ownership($c, $user) if $user and $c;
361 =head3 allow_guarantor
363 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
368 sub allow_guarantor {
369 my ($c, $authorization, $user) = @_;
371 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
375 my $guarantees = $user->guarantee_relationships->guarantees->as_list;
376 foreach my $guarantee (@{$guarantees}) {
377 return 1 if check_object_ownership($c, $guarantee);
381 =head3 check_object_ownership
383 Determines ownership of an object from request parameters.
385 As introducing an endpoint that allows access for object's owner; if the
386 parameter that will be used to determine ownership is not already inside
387 $parameters, add a new subroutine that checks the ownership and extend
388 $parameters to contain a key with parameter_name and a value of a subref to
389 the subroutine that you created.
393 sub check_object_ownership {
396 return if not $c or not $user;
399 accountlines_id => \&_object_ownership_by_accountlines_id,
400 borrowernumber => \&_object_ownership_by_patron_id,
401 patron_id => \&_object_ownership_by_patron_id,
402 checkout_id => \&_object_ownership_by_checkout_id,
403 reserve_id => \&_object_ownership_by_reserve_id,
406 foreach my $param ( keys %{ $parameters } ) {
407 my $check_ownership = $parameters->{$param};
408 if ($c->stash($param)) {
409 return &$check_ownership($c, $user, $c->stash($param));
411 elsif ($c->param($param)) {
412 return &$check_ownership($c, $user, $c->param($param));
414 elsif ($c->match->stack->[-1]->{$param}) {
415 return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
417 elsif ($c->req->json && $c->req->json->{$param}) {
418 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
423 =head3 _object_ownership_by_accountlines_id
425 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
430 sub _object_ownership_by_accountlines_id {
431 my ($c, $user, $accountlines_id) = @_;
433 my $accountline = Koha::Account::Lines->find($accountlines_id);
434 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
437 =head3 _object_ownership_by_borrowernumber
439 Compares C<$borrowernumber> to currently logged in C<$user>.
443 sub _object_ownership_by_patron_id {
444 my ($c, $user, $patron_id) = @_;
446 return $user->borrowernumber == $patron_id;
449 =head3 _object_ownership_by_checkout_id
451 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
452 compare its borrowernumber to currently logged in C<$user>. However, if an issue
453 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
454 borrowernumber to currently logged in C<$user>.
458 sub _object_ownership_by_checkout_id {
459 my ($c, $user, $issue_id) = @_;
461 my $issue = Koha::Checkouts->find($issue_id);
462 $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
463 return $issue && $issue->borrowernumber
464 && $user->borrowernumber == $issue->borrowernumber;
467 =head3 _object_ownership_by_reserve_id
469 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
472 TODO: Also compare against old_reserves
476 sub _object_ownership_by_reserve_id {
477 my ($c, $user, $reserve_id) = @_;
479 my $reserve = Koha::Holds->find($reserve_id);
480 return $reserve && $user->borrowernumber == $reserve->borrowernumber;
485 Internal method that performs Basic authentication.
490 my ( $c, $authorization_header ) = @_;
492 my ( $type, $credentials ) = split / /, $authorization_header;
494 unless ($credentials) {
495 Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
498 my $decoded_credentials = decode_base64( $credentials );
499 my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
501 my $dbh = C4::Context->dbh;
502 unless ( checkpw_internal($dbh, $user_id, $password ) ) {
503 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
506 my $patron = Koha::Patrons->find({ userid => $user_id });
507 if ( $patron->password_expired ) {
508 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Password has expired' );
516 $c->_set_userenv( $patron );
518 Internal method that sets C4::Context->userenv
523 my ( $c, $patron ) = @_;
525 my $passed_library_id = $c->req->headers->header('x-koha-library');
528 if ( $passed_library_id ) {
529 $THE_library = Koha::Libraries->find( $passed_library_id );
530 Koha::Exceptions::Authorization::Unauthorized->throw(
531 "Unauthorized attempt to set library to $passed_library_id"
532 ) unless $THE_library and $patron->can_log_into($THE_library);
535 $THE_library = $patron->library;
538 C4::Context->_new_userenv( $patron->borrowernumber );
539 C4::Context->set_userenv(
540 $patron->borrowernumber, # number,
541 $patron->userid, # userid,
542 $patron->cardnumber, # cardnumber
543 $patron->firstname, # firstname
544 $patron->surname, # surname
545 $THE_library->branchcode, # branch
546 $THE_library->branchname, # branchname
547 $patron->flags, # flags,
548 $patron->email, # emailaddress