From 07eff56a73dc55a7ddbd0d88180ca3a02a377b2e Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Thu, 9 Sep 2021 08:38:25 -0300 Subject: [PATCH] Bug 28772: Make secret validation use the new method This patch makes the Koha::OAuth library use the new validation method To test: 1. In master, enable RESTOAuth2ClientCredentials and have your superlibrarian patron a client_id/secret pair generated 2. Use Postman to gain an access token with the client_id/secret pair => SUCCESS: This works in Koha 3. Use the access token to GET /api/v1/patrons => SUCCESS: It works 4. Apply this patchset up to the regression tests 5. Run: $ updatedatabase $ koha-plack --restart kohadev => SUCCESS: All good 6. Repeat 2 => FAIL: You get an error trying to acquire an access token. Boo 7. Run: $ kshell k$ prove t/db_dependent/api/v1/oauth.t => FAIL: Tests fail! 8. Apply this patch 9. Run: $ koha-plack --restart kohadev $ kshell k$ prove t/db_dependent/api/v1/oauth.t => SUCCESS: Tests pass! 10. Repeat 2 => SUCCESS: Your original client_id/secret pair works! 11. Sign off :-D Signed-off-by: Tomas Cohen Arazi Signed-off-by: Marcel de Rooy Signed-off-by: Kyle M Hall --- Koha/OAuth.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Koha/OAuth.pm b/Koha/OAuth.pm index 29a701114c..99f6108656 100644 --- a/Koha/OAuth.pm +++ b/Koha/OAuth.pm @@ -65,7 +65,7 @@ sub _verify_client_cb { # client_id mandatory and exists on the DB return (0, 'unauthorized_client') unless $api_key && $api_key->active; - return (0, 'access_denied') unless $api_key->secret eq $client_secret; + return (0, 'access_denied') unless $api_key->validate_secret( $client_secret ); return (1, undef, []); } -- 2.39.5