[Koha-bugs] [Bug 28787] Send a notice with the TOTP token

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Jul 7 08:35:09 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787

--- Comment #22 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
(In reply to Jonathan Druart from comment #18)
> (In reply to Marcel de Rooy from comment #16)
> > [2] Code segment from Koha/REST/V1/Auth.pm
> >     if ( !$authorization and
> >          ( $params->{is_public} and
> >           ( C4::Context->preference('RESTPublicAnonymousRequests') or
> >             $user) or $params->{is_plugin} )
> >         or $pending_auth
> > This does not look good to me. Do we need pending_auth here ? If so, at
> > least we need parentheses etc. My follow-up removes the line now.
> 
> 
> Why? Can you explain? If the user is not fully authenticated they shouldn't
> be allowed to access REST API route.
> With your follow-up patch the tests are failing now.

With a bit of delay.. Thx for your patience :)

First, the !A and (B and (C or D)) or E expression seems to be wrong. If D
should be true now, we are putting the door open! So the first impression is:
we need some brackets here, but looking further we don't need this stage here.

If the cookie tells us additional-auth-needed, we should only allow the
otp_token path and set the user. Another path should be revoked (follow-up). If
you set the user, and this statement is therefore fine for API, there is no
need for pending auth. You can just run this call. The current checks for user
are enough.

Note the relation with x-koha-authorization too. The follow-up adds this line.
We should jump to the else branch and check for $user now.

If you read this code carefully, I think you should understand the point?

About the test, I will submit another comment or fix it. Please wait.

-- 
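As an added illustration (not code from this bug report or from Koha itself), the script below mirrors the quoted condition with constructed 0/1 flags, evaluates it the way Perl groups the low-precedence and/or operators, and lists the input combinations where $pending_auth alone decides the outcome. The flag names other than those in the quoted snippet are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the quoted condition, using the same low-precedence 'and'/'or'
# and the same bracketing. Inputs are plain 0/1 flags (constructed), named
# after the variables in the quoted snippet.
sub condition_as_written {
    my ( $authorization, $is_public, $anon_pref, $user, $is_plugin, $pending_auth ) = @_;
    my $ok = ( !$authorization and
               ( $is_public and
                 ( $anon_pref or $user ) or $is_plugin )
               or $pending_auth );
    return $ok ? 1 : 0;
}

# The same expression with the grouping Perl actually applies: 'and' binds
# tighter than 'or', so the trailing 'or $pending_auth' sits outside
# everything else.
sub condition_explicit {
    my ( $authorization, $is_public, $anon_pref, $user, $is_plugin, $pending_auth ) = @_;
    my $inner = ( $is_public && ( $anon_pref || $user ) ) || $is_plugin;
    my $ok    = ( !$authorization && $inner ) || $pending_auth;
    return $ok ? 1 : 0;
}

# Enumerate all 32 combinations of the other five flags and collect those
# where the condition is false with $pending_auth = 0 but true with
# $pending_auth = 1, i.e. where the pending flag alone flips the outcome.
sub rows_flipped_by_pending_auth {
    my @rows;
    for my $bits ( 0 .. 31 ) {
        my @in = map { ( $bits >> $_ ) & 1 } 0 .. 4;
        my $without = condition_as_written( @in, 0 );
        my $with    = condition_as_written( @in, 1 );
        die "explicit form disagrees with the written form\n"
            if $with != condition_explicit( @in, 1 )
            or $without != condition_explicit( @in, 0 );
        push @rows, [@in] if !$without && $with;
    }
    return @rows;
}

my @flipped = rows_flipped_by_pending_auth();
printf "%d of 32 input combinations are decided by \$pending_auth alone\n", scalar @flipped;
printf "  authorization=%d is_public=%d anon_pref=%d user=%d is_plugin=%d\n", @$_ for @flipped;
```

Adding explicit brackets around the intended grouping and re-running the enumeration is a quick way to confirm that a rewrite of the condition still admits exactly the cases the reviewer expects.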