[Koha-bugs] [Bug 29543] Self-checkout allows returning everybody's loans

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Feb 8 16:27:46 CET 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29543

--- Comment #55 from Jonathan Druart <jonathan.druart+koha at gmail.com> ---
(In reply to Marcel de Rooy from comment #50)
> Question when looking in sco-main
> 
> my $jwt = $query->cookie('JWT');
> if ($op eq "logout") {
>     $template->param( loggedout => 1 );
>     $query->param( patronlogin => undef, patronpw => undef );
>     undef $jwt;
> }
> 
> Shouldn't we do some cleaning up here and just exit?

exit and what? Here we are going to display the login form, that's the expected
behaviour

(In reply to Marcel de Rooy from comment #51)
> Hmm. Why are we doing this in sco-main:
> 
> L47
> my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
> So the CGISESSID cookie is used here and we check permissions.

We check authentication for the staff member (who has logged in, or the
credential from the sysprefs)

> L371
> $cookie = $query->cookie(     -name => 'JWT',
> We create a new cookie JWT. But ignore the session cookie.

The JWT is used to authorise the OPAC user that has been authenticated in the
previous step (cardnumber or login+password, depending on SelfCheckoutByLogin).

> L381
> output_html_with_http_headers $query, $cookie, $template->output, undef, {
> force_no_caching => 1 };
> We output now without the CGISESSID, only JWT.
> Why don't you pass the session cookie?
> You could pass something like [ $cookie1, $cookie2 ] ?

I think CGISESSID is in the CGI object already.

(In reply to Marcel de Rooy from comment #52)
> L362
>             csrf_token           => Koha::Token->new->generate_csrf( {
> session_id => scalar $query->cookie('CGISESSID') . $patron->cardnumber, id
> => $patron->userid } ),
> 
> Where is the corresponding csrf check?

in sco-patron-image.pl

(In reply to Marcel de Rooy from comment #53)
> IIUC JWT is not encrypted. So this may be a bit more secure, but could be
> improved.

It is encoded using a secret, see Koha::Token::_gen_jwt
