From 24f067b0cf220c035ba5773956d19e0a80a75044 Mon Sep 17 00:00:00 2001
From: Matt Blenkinsop
Date: Wed, 6 Dec 2023 10:03:45 +0000
Subject: [PATCH] Bug 35204: Prevent an expired password from throwing a 500 error

Currently when a patron with an expired password is authenticated via the API a 500 error is returned rather than a 400 "Validation failed" error. This patch catches the return value for an expired password and returns the validation failure before the patron search is attempted.

Test plan:
1) Choose a patron and set their password expiry date to a date in the past
2) Send a request to auth/password/validation as an authenticated user with that patron's details
3) The response should be a 500 error
4) Apply patch
5) Repeat steps 1-3 and this time the response should be a 400 code with an error message of "Password expired"

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Katrin Fischer
(cherry picked from commit f3bb88505245228d97a4e39612b17a688df64a79)
Signed-off-by: Fridolin Somers
(cherry picked from commit df9d4b0f55fa6b4c430a77686d8e00804eed88de)
Signed-off-by: Lucas Gass
---
 Koha/REST/V1/Auth/Password.pm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/Koha/REST/V1/Auth/Password.pm b/Koha/REST/V1/Auth/Password.pm
index 4369ffd187..9889bf45a7 100644
--- a/Koha/REST/V1/Auth/Password.pm
+++ b/Koha/REST/V1/Auth/Password.pm
@@ -41,7 +41,7 @@ Controller method that checks a patron's password
 sub validate {
     my $c = shift->openapi->valid_input or return;
-    my $body = $c->req->json;
+    my $body = $c->req->json;
     my $identifier = $body->{identifier};
     my $userid = $body->{userid};
@@ -72,10 +72,11 @@ sub validate {
     return try {
         my ( $status, $THE_cardnumber, $THE_userid ) = C4::Auth::checkpw( $identifier, $password );
-        unless ($status) {
+        unless ( $status && $status > 0 ) {
+            my $error_response = $status == -2 ? 'Password expired' : 'Validation failed';
             return $c->render(
                 status => 400,
-                openapi => { error => "Validation failed" }
+                openapi => { error => $error_response }
             );
         }
-- 
2.39.5
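Review bot: The new ternary `$status == -2 ? 'Password expired' : 'Validation failed'` still compares `$status` numerically when the guard fired because `$status` was undef, so under `use warnings` an ordinary failed check would log an "uninitialized value" warning (whether C4::Auth::checkpw returns an empty list or a false value on failure is not visible in this hunk). A defined-safe form avoids that: `my $error_response = ( $status // 0 ) == -2 ? 'Password expired' : 'Validation failed';`. The literal -2 is a magic value; a comment on that line such as `# C4::Auth::checkpw returns -2 for an expired password` records the contract this branch depends on and should be confirmed against C4::Auth. Since the 400 body now tells the caller that the supplied password matched but had expired, that distinction belongs in the endpoint's API documentation as well. sub validate and the try block begin before this hunk and continue past it.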