1 package Koha::REST::V1::Auth;
3 # Copyright Koha-Suomi Oy 2017
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
22 use Mojo::Base 'Mojolicious::Controller';
24 use C4::Auth qw( check_cookie_auth checkpw_internal get_session haspermission );
28 use Koha::Account::Lines;
33 use Koha::OAuthAccessTokens;
34 use Koha::Old::Checkouts;
38 use Koha::Exceptions::Authentication;
39 use Koha::Exceptions::Authorization;
41 use MIME::Base64 qw( decode_base64 );
42 use Module::Load::Conditional;
43 use Scalar::Util qw( blessed );
44 use Try::Tiny qw( catch try );
54 This subroutine is called before every request to API.
66 my $namespace = $c->req->url->to_abs->path->[2] // '';
68 my $is_public = 0; # By default routes are not public
71 if ( $namespace eq 'public' ) {
73 } elsif ( $namespace eq 'contrib' ) {
78 and !C4::Context->preference('RESTPublicAPI') )
80 Koha::Exceptions::Authorization->throw(
81 "Configuration prevents the usage of this endpoint by unprivileged users");
84 if ( $c->req->url->to_abs->path =~ m#^/api/v1/oauth/# || $c->req->url->to_abs->path =~ m#^/api/v1/public/oauth/#) {
85 # Requesting OAuth endpoints shouldn't go through the API authentication chain
88 elsif ( $namespace eq '' or $namespace eq '.html' ) {
92 $status = authenticate_api_request($c, { is_public => $is_public, is_plugin => $is_plugin });
96 unless (blessed($_)) {
99 json => { error => 'Something went wrong, check the logs.' }
102 if ($_->isa('Koha::Exceptions::UnderMaintenance')) {
103 return $c->render(status => 503, json => { error => $_->error });
105 elsif ($_->isa('Koha::Exceptions::Authentication::SessionExpired')) {
106 return $c->render(status => 401, json => { error => $_->error });
108 elsif ($_->isa('Koha::Exceptions::Authentication::Required')) {
109 return $c->render(status => 401, json => { error => $_->error });
111 elsif ($_->isa('Koha::Exceptions::Authentication')) {
112 return $c->render(status => 401, json => { error => $_->error });
114 elsif ($_->isa('Koha::Exceptions::BadParameter')) {
115 return $c->render(status => 400, json => $_->error );
117 elsif ($_->isa('Koha::Exceptions::Authorization::Unauthorized')) {
118 return $c->render(status => 403, json => {
120 required_permissions => $_->required_permissions,
123 elsif ($_->isa('Koha::Exceptions::Authorization')) {
124 return $c->render(status => 403, json => { error => $_->error });
126 elsif ($_->isa('Koha::Exceptions')) {
127 return $c->render(status => 500, json => { error => $_->error });
132 json => { error => 'Something went wrong, check the logs.' }
140 =head3 authenticate_api_request
142 Validates authentication and allows access if authorization is not required or
143 if authorization is required and user has required permissions to access.
147 sub authenticate_api_request {
148 my ( $c, $params ) = @_;
152 $c->stash( 'is_public' => 1 )
153 if $params->{is_public};
155 # The following supports retrieval of spec with Mojolicious::Plugin::OpenAPI@1.17 and later (first one)
156 # and older versions (second one).
157 # TODO: remove the latter 'openapi.op_spec' if minimum version is bumped to at least 1.17.
158 my $spec = $c->openapi->spec || $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
160 $c->stash_embed( { spec => $spec } );
161 $c->stash_overrides();
163 # FIXME: Remove once CGI is not used
164 my $accept_language = $c->req->headers->accept_language;
165 $ENV{HTTP_ACCEPT_LANGUAGE} = $accept_language
170 my $authorization = $spec->{'x-koha-authorization'};
172 my $authorization_header = $c->req->headers->authorization;
174 if ($authorization_header and $authorization_header =~ /^Bearer /) {
175 # attempt to use OAuth2 authentication
176 if ( ! Module::Load::Conditional::can_load(
177 modules => {'Net::OAuth2::AuthorizationServer' => undef} )) {
178 Koha::Exceptions::Authorization::Unauthorized->throw(
179 error => 'Authentication failure.'
183 require Net::OAuth2::AuthorizationServer;
186 my $server = Net::OAuth2::AuthorizationServer->new;
187 my $grant = $server->client_credentials_grant(Koha::OAuth::config);
188 my ($type, $token) = split / /, $authorization_header;
189 my ($valid_token, $error) = $grant->verify_access_token(
190 access_token => $token,
194 my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
195 $user = Koha::Patrons->find($patron_id);
198 # If we have "Authorization: Bearer" header and oauth authentication
199 # failed, do not try other authentication means
200 Koha::Exceptions::Authentication::Required->throw(
201 error => 'Authentication failure.'
205 elsif ( $authorization_header and $authorization_header =~ /^Basic / ) {
206 unless ( C4::Context->preference('RESTBasicAuth') ) {
207 Koha::Exceptions::Authentication::Required->throw(
208 error => 'Basic authentication disabled'
211 $user = $c->_basic_auth( $authorization_header );
213 # If we have "Authorization: Basic" header and authentication
214 # failed, do not try other authentication means
215 Koha::Exceptions::Authentication::Required->throw(
216 error => 'Authentication failure.'
222 my $cookie = $c->cookie('CGISESSID');
224 # Mojo doesn't use %ENV the way CGI apps do
225 # Manually pass the remote_address to check_auth_cookie
226 my $remote_addr = $c->tx->remote_address;
227 my ($status, $session) = check_cookie_auth(
229 { remote_addr => $remote_addr });
231 if ( $c->req->url->to_abs->path eq '/api/v1/auth/otp/token_delivery' ) {
232 if ( $status eq 'additional-auth-needed' ) {
233 $user = Koha::Patrons->find( $session->param('number') );
236 elsif ( $status eq 'ok' ) {
237 Koha::Exceptions::Authentication->throw(
238 error => 'Cannot request a new token.' );
241 Koha::Exceptions::Authentication::Required->throw(
242 error => 'Authentication failure.' );
245 elsif ( $c->req->url->to_abs->path eq '/api/v1/auth/two-factor/registration'
246 || $c->req->url->to_abs->path eq '/api/v1/auth/two-factor/registration/verification' ) {
248 if ( $status eq 'setup-additional-auth-needed' ) {
249 $user = Koha::Patrons->find( $session->param('number') );
252 elsif ( $status eq 'ok' ) {
253 $user = Koha::Patrons->find( $session->param('number') );
254 if ( $user->auth_method ne 'password' ) {
255 # If the user already enabled 2FA they don't need to register again
256 Koha::Exceptions::Authentication->throw(
257 error => 'Cannot request this route.' );
262 Koha::Exceptions::Authentication::Required->throw(
263 error => 'Authentication failure.' );
267 if ($status eq "ok") {
268 $user = Koha::Patrons->find( $session->param('number') );
271 elsif ($status eq "anon") {
274 elsif ($status eq "additional-auth-needed") {
276 elsif ($status eq "maintenance") {
277 Koha::Exceptions::UnderMaintenance->throw(
278 error => 'System is under maintenance.'
281 elsif ($status eq "expired" and $authorization) {
282 Koha::Exceptions::Authentication::SessionExpired->throw(
283 error => 'Session has been expired.'
286 elsif ($status eq "failed" and $authorization) {
287 Koha::Exceptions::Authentication::Required->throw(
288 error => 'Authentication failure.'
291 elsif ($authorization) {
292 Koha::Exceptions::Authentication->throw(
293 error => 'Unexpected authentication status.'
299 $c->stash('koha.user' => $user);
300 C4::Context->interface('api');
302 if ( $user and !$cookie_auth ) { # cookie-auth sets this and more, don't mess with that
303 $c->_set_userenv( $user );
306 if ( !$authorization and
307 ( $params->{is_public} and
308 ( C4::Context->preference('RESTPublicAnonymousRequests') or
309 $user) or $params->{is_plugin} )
311 # We do not need any authorization
312 # Check the parameters
313 validate_query_parameters( $c, $spec );
317 # We are required authorization, there needs
318 # to be an identified user
319 Koha::Exceptions::Authentication::Required->throw(
320 error => 'Authentication failure.' )
325 my $permissions = $authorization->{'permissions'};
326 # Check if the user is authorized
327 if ( ( defined($permissions) and haspermission($user->userid, $permissions) )
328 or allow_owner($c, $authorization, $user)
329 or allow_guarantor($c, $authorization, $user) ) {
331 validate_query_parameters( $c, $spec );
337 Koha::Exceptions::Authorization::Unauthorized->throw(
338 error => "Authorization failure. Missing required permission(s).",
339 required_permissions => $permissions,
343 =head3 validate_query_parameters
345 Validates the query parameters against the spec.
349 sub validate_query_parameters {
350 my ( $c, $action_spec ) = @_;
352 # Check for malformed query parameters
354 my %valid_parameters = map { ( $_->{in} eq 'query' ) ? ( $_->{name} => 1 ) : () } @{ $action_spec->{parameters} };
355 my $existing_params = $c->req->query_params->to_hash;
356 for my $param ( keys %{$existing_params} ) {
357 push @errors, { path => "/query/" . $param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
360 Koha::Exceptions::BadParameter->throw(
367 Allows access to object for its owner.
369 There are endpoints that should allow access for the object owner even if they
370 do not have the required permission, e.g. access an own reserve. This can be
371 achieved by defining the operation as follows:
373 "/holds/{reserve_id}": {
376 "x-koha-authorization": {
388 my ($c, $authorization, $user) = @_;
390 return unless $authorization->{'allow-owner'};
392 return check_object_ownership($c, $user) if $user and $c;
395 =head3 allow_guarantor
397 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
402 sub allow_guarantor {
403 my ($c, $authorization, $user) = @_;
405 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
409 my $guarantees = $user->guarantee_relationships->guarantees->as_list;
410 foreach my $guarantee (@{$guarantees}) {
411 return 1 if check_object_ownership($c, $guarantee);
415 =head3 check_object_ownership
417 Determines ownership of an object from request parameters.
419 As introducing an endpoint that allows access for object's owner; if the
420 parameter that will be used to determine ownership is not already inside
421 $parameters, add a new subroutine that checks the ownership and extend
422 $parameters to contain a key with parameter_name and a value of a subref to
423 the subroutine that you created.
427 sub check_object_ownership {
430 return if not $c or not $user;
433 accountlines_id => \&_object_ownership_by_accountlines_id,
434 borrowernumber => \&_object_ownership_by_patron_id,
435 patron_id => \&_object_ownership_by_patron_id,
436 checkout_id => \&_object_ownership_by_checkout_id,
437 reserve_id => \&_object_ownership_by_reserve_id,
440 foreach my $param ( keys %{ $parameters } ) {
441 my $check_ownership = $parameters->{$param};
442 if ($c->stash($param)) {
443 return &$check_ownership($c, $user, $c->stash($param));
445 elsif ($c->param($param)) {
446 return &$check_ownership($c, $user, $c->param($param));
448 elsif ($c->match->stack->[-1]->{$param}) {
449 return &$check_ownership($c, $user, $c->match->stack->[-1]->{$param});
451 elsif ($c->req->json && $c->req->json->{$param}) {
452 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
457 =head3 _object_ownership_by_accountlines_id
459 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
464 sub _object_ownership_by_accountlines_id {
465 my ($c, $user, $accountlines_id) = @_;
467 my $accountline = Koha::Account::Lines->find($accountlines_id);
468 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
471 =head3 _object_ownership_by_borrowernumber
473 Compares C<$borrowernumber> to currently logged in C<$user>.
477 sub _object_ownership_by_patron_id {
478 my ($c, $user, $patron_id) = @_;
480 return $user->borrowernumber == $patron_id;
483 =head3 _object_ownership_by_checkout_id
485 First, attempts to find a Koha::Checkout-object by C<$issue_id>. If we find one,
486 compare its borrowernumber to currently logged in C<$user>. However, if an issue
487 is not found, attempt to find a Koha::Old::Checkout-object instead and compare its
488 borrowernumber to currently logged in C<$user>.
492 sub _object_ownership_by_checkout_id {
493 my ($c, $user, $issue_id) = @_;
495 my $issue = Koha::Checkouts->find($issue_id);
496 $issue = Koha::Old::Checkouts->find($issue_id) unless $issue;
497 return $issue && $issue->borrowernumber
498 && $user->borrowernumber == $issue->borrowernumber;
501 =head3 _object_ownership_by_reserve_id
503 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
506 TODO: Also compare against old_reserves
510 sub _object_ownership_by_reserve_id {
511 my ($c, $user, $reserve_id) = @_;
513 my $reserve = Koha::Holds->find($reserve_id);
514 return $reserve && $user->borrowernumber == $reserve->borrowernumber;
519 Internal method that performs Basic authentication.
524 my ( $c, $authorization_header ) = @_;
526 my ( $type, $credentials ) = split / /, $authorization_header;
528 unless ($credentials) {
529 Koha::Exceptions::Authentication::Required->throw( error => 'Authentication failure.' );
532 my $decoded_credentials = decode_base64( $credentials );
533 my ( $user_id, $password ) = split( /:/, $decoded_credentials, 2 );
535 unless ( checkpw_internal($user_id, $password ) ) {
536 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Invalid password' );
539 my $patron = Koha::Patrons->find({ userid => $user_id });
540 if ( $patron->password_expired ) {
541 Koha::Exceptions::Authorization::Unauthorized->throw( error => 'Password has expired' );
549 $c->_set_userenv( $patron );
551 Internal method that sets C4::Context->userenv
556 my ( $c, $patron ) = @_;
558 my $passed_library_id = $c->req->headers->header('x-koha-library');
561 if ( $passed_library_id ) {
562 $THE_library = Koha::Libraries->find( $passed_library_id );
563 Koha::Exceptions::Authorization::Unauthorized->throw(
564 "Unauthorized attempt to set library to $passed_library_id"
565 ) unless $THE_library and $patron->can_log_into($THE_library);
568 $THE_library = $patron->library;
571 C4::Context->_new_userenv( $patron->borrowernumber );
572 C4::Context->set_userenv(
573 $patron->borrowernumber, # number,
574 $patron->userid, # userid,
575 $patron->cardnumber, # cardnumber
576 $patron->firstname, # firstname
577 $patron->surname, # surname
578 $THE_library->branchcode, # branch
579 $THE_library->branchname, # branchname
580 $patron->flags, # flags,
581 $patron->email, # emailaddress