3 # Copyright 2007 LibLime
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
24 use C4::Auth qw/check_api_auth get_session/;
29 # The authentication strategy for the biblios web
30 # services is as follows.
32 # 1. biblios POSTs to the authenticate API with URL-encoded
33 # form parameters 'userid' and 'password'. If the credentials
34 # belong to a valid user with the 'editcatalogue' privilege,
35 # a session cookie is returned and a Koha session created. Otherwise, an
36 # appropriate error is returned.
37 # 2. For subsequent calls to the biblios APIs, the user agent
38 # should submit the same session cookie. If the cookie is
39 # not supplied or does not correspond to a valid session, the API
40 # will redirect to this authentication API.
41 # 3. The session cookie should not be (directly) sent back to the user's
42 # web browser, but instead should be stored and submitted by biblios.
45 my ( $status, $cookie, $sessionID ) = check_api_auth( $query, { editcatalogue => 'edit_catalogue' } );
46 if ( $status eq "ok" ) {
47 $csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } );
49 my $session = C4::Auth::get_session("");
50 $session->param( 'ip', $session->remote_addr() );
51 $session->param( 'lasttime', time() );
52 $session->param( 'sessiontype', 'anon' );
53 $session->param( 'interface', 'api' );
55 $sessionID = $session->id();
56 $cookie = $query->cookie(
60 -secure => ( C4::Context->https_enabled() ? 1 : 0 ),
63 $csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } );
65 print $query->header( -type => 'text/xml', cookie => $cookie, -'X-CSRF_TOKEN' => $csrf_token );
66 print XMLout( { status => $status }, NoAttr => 1, RootName => 'response', XMLDecl => 1 );