From 4ebb9246cfc21b00d4bca5a2ad6b5f06bda274c6 Mon Sep 17 00:00:00 2001 From: Matt Blenkinsop Date: Wed, 6 Dec 2023 10:03:45 +0000 Subject: [PATCH] Bug 35204: Prevent an expired password from throwing a 500 error MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Currently when a patron with an expired password is authenticated via the API a 500 error is returned rather than a 400 "Validation failed" error. This patch catches the return value for an expired password and returns the validation failure before the patron search is attempted. Test plan: 1) Choose a patron and set their password expiry date to a date in the past 2) Send a request to auth/password/validation as an authenticated user with that patron's details 3) The response should be a 500 error 4) Apply patch 5) Repeat steps 1-3 and this time the response should be a 400 code with an error message of "Password expired" Signed-off-by: Tomas Cohen Arazi Signed-off-by: Katrin Fischer (cherry picked from commit f3bb88505245228d97a4e39612b17a688df64a79) Signed-off-by: Fridolin Somers (cherry picked from commit df9d4b0f55fa6b4c430a77686d8e00804eed88de) Signed-off-by: Lucas Gass (cherry picked from commit 24f067b0cf220c035ba5773956d19e0a80a75044) Signed-off-by: Frédéric Demians
---
 Koha/REST/V1/Auth/Password.pm | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Koha/REST/V1/Auth/Password.pm b/Koha/REST/V1/Auth/Password.pm
index dd6f56718a..9889bf45a7 100644
--- a/Koha/REST/V1/Auth/Password.pm
+++ b/Koha/REST/V1/Auth/Password.pm
@@ -72,10 +72,11 @@ sub validate {
 return try {
 my ( $status, $THE_cardnumber, $THE_userid ) = C4::Auth::checkpw( $identifier, $password );
- unless ($status) {
+ unless ( $status && $status > 0 ) {
+ my $error_response = $status == -2 ? 'Password expired' : 'Validation failed';
 return $c->render(
 status => 400,
- openapi => { error => "Validation failed" }
+ openapi => { error => $error_response }
 );
 }
-- 2.39.5
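Review bot: The new `'Password expired'` branch inside the `unless` block returns a response that differs from the generic `'Validation failed'`, so the endpoint now lets a caller tell an expired account apart from a wrong identifier or password. Whether `C4::Auth::checkpw` returns `-2` only after the supplied password has matched is not visible in this hunk; if it can return `-2` earlier, the distinct message confirms that an identifier exists, so that ordering is worth confirming and documenting next to the ternary. The bare `-2` would also benefit from a comment such as `# -2: checkpw reports an expired password; any other non-positive status is a plain failure`. Under `use warnings`, `$status == -2` emits an uninitialized-value warning if `checkpw` ever returns an undefined status, which `( $status // 0 ) == -2` avoids. `validate` starts and ends outside the hunk, and the diffstat shows no test file changed, so a regression test pinning the 400 response for an expired password would be a useful addition.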