[Koha-bugs] [Bug 31378] Add a generic OAuth2/OIDC client implementation

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Oct 25 04:59:10 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31378

--- Comment #87 from David Cook <dcook at prosentient.com.au> ---
Comment on attachment 141807
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=141807
Bug 31378: Add Auth mojo plugin

Review of attachment 141807:
 --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=31378&attachment=141807)
-----------------------------------------------------------------

::: Koha/REST/Plugin/Auth.pm
@@ +83,5 @@
> +        'auth.session' => sub {
> +            my ( $c, $patron ) = @_;
> +            my $userid     = $patron->userid;
> +            my $cardnumber = $patron->cardnumber;
> +            my $cgi        = CGI->new;
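Review bot: `CGI->new` with no arguments parses the worker's process environment (QUERY_STRING, REQUEST_METHOD and, for a POST, STDIN), so the object created here already carries whatever happened to be there before `userid` and `cardnumber` are added to it. If a CGI object has to be built in this helper at all, start from an empty query (`CGI->new('')`) so that only the params the helper sets deliberately reach the callee.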

I don't think that we should be using the CGI module in the Mojolicious REST
API, since we're not using CGI. This is hacky.

@@ +89,5 @@
> +            $cgi->param( userid            => $userid );
> +            $cgi->param( cardnumber        => $cardnumber );
> +            $cgi->param( auth_client_login => 1 );
> +
> +            my ( $status, $cookie, $session_id ) = C4::Auth::check_api_auth($cgi);
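Review bot: `$status` is assigned but nothing in this hunk checks it before `$cookie` and `$session_id` are used; return an error (or die) for anything other than a successful status rather than handing back an undefined session id. Separately, `auth_client_login => 1` travels in the same CGI parameter space as client-supplied request data; if that flag is what makes `check_api_auth` accept a `userid`/`cardnumber` without a password, confirm that it can never arrive on a real client request.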

This is a suboptimal design for at least a couple of reasons: 1) it requires a
CGI object; 2) it creates a session for the API interface rather than the
OPAC/Staff interfaces; 3) it's not to purpose - we're not checking auth. We
know that we're just creating a new session.

I've been saying for years that we need to standardize session creation, and
it's still true.

In the meantime, a minimal session can be created as simply as this:

# $session is an already created CGI::Session object and $type is the
# interface name the session is for ('opac' or 'intranet').
$session->param( 'number',       $patron->borrowernumber );
$session->param( 'id',           $patron->userid );
$session->param( 'cardnumber',   $patron->cardnumber );
$session->param( 'firstname',    $patron->firstname );
$session->param( 'surname',      $patron->surname );
$session->param( 'branch',       $patron->branchcode );
$session->param( 'branchname',   $patron->library->branchname );
$session->param( 'flags',        $patron->flags );
$session->param( 'emailaddress', $patron->email );
# CGI::Session's remote_addr() returns $ENV{REMOTE_ADDR}
$session->param( 'ip',           $session->remote_addr() );
$session->param( 'lasttime',     time() );
$session->param( 'interface',    $type );

Then you can either pass the $session object or the session ID as the return
value.

-- 
You are receiving this mail because:
You are watching all bug changes.
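As an added example (not Koha's code and not part of the comment above), here is the session-creation approach David describes written as a Mojolicious plugin helper that needs neither a CGI object nor C4::Auth::check_api_auth. Everything needed for a stand-alone run is assumed: the package name Koha::REST::Plugin::AuthExample, the CGI::Session file driver (a real Koha instance uses the driver it is configured with), the hypothetical /login-demo route, and a mocked patron object in place of a Koha::Patron row. It also shows the one detail in the snippet that changes under Mojolicious: CGI::Session's remote_addr() reads $ENV{REMOTE_ADDR}, which the Mojolicious server does not set, so the peer address has to come from the request.

```perl
#!/usr/bin/perl
# Added example, not Koha's own code: a Mojolicious plugin whose
# 'auth.session' helper creates a minimal session for an already
# authenticated patron directly, with no CGI object and no call to
# C4::Auth::check_api_auth. Assumed: the package name, the CGI::Session
# file driver, and the mocked patron used to run this stand-alone.
use strict;
use warnings;

package Koha::REST::Plugin::AuthExample;    # hypothetical package name
use Mojo::Base 'Mojolicious::Plugin';
use CGI::Session;
use File::Temp qw(tempdir);

sub register {
    my ( $self, $app, $conf ) = @_;
    my $dir = $conf->{session_dir} // tempdir( CLEANUP => 1 );

    # Returns ( $session_id, $session ). Authentication has already
    # happened (e.g. in the OIDC callback); nothing is checked here.
    $app->helper(
        'auth.session' => sub {
            my ( $c, $patron, $interface ) = @_;
            $interface //= 'opac';

            # Always a freshly generated id: never accept one from the
            # client, which would let an attacker fixate the session.
            my $session = CGI::Session->new( 'driver:file', undef, { Directory => $dir } )
              or die CGI::Session->errstr;

            $session->param( 'number',       $patron->borrowernumber );
            $session->param( 'id',           $patron->userid );
            $session->param( 'cardnumber',   $patron->cardnumber );
            $session->param( 'firstname',    $patron->firstname );
            $session->param( 'surname',      $patron->surname );
            $session->param( 'branch',       $patron->branchcode );
            $session->param( 'branchname',   $patron->library->branchname );
            $session->param( 'flags',        $patron->flags );
            $session->param( 'emailaddress', $patron->email );
            # CGI::Session->remote_addr reads $ENV{REMOTE_ADDR}, which the
            # Mojolicious server never sets; take the request's peer address
            # (X-Forwarded-For is honoured only when reverse_proxy is on).
            $session->param( 'ip',           $c->tx->remote_address );
            $session->param( 'lasttime',     time() );
            $session->param( 'interface',    $interface );
            $session->flush;    # persist before the id is handed to anyone

            return ( $session->id, $session );
        }
    );
}

# Constructed stand-ins for Koha::Library / Koha::Patron: just the
# accessors the helper above touches.
package MockLibrary;
sub new        { my ( $class, %f ) = @_; return bless {%f}, $class }
sub branchname { $_[0]{branchname} }

package MockPatron;
sub new { my ( $class, %f ) = @_; return bless {%f}, $class }
for my $f (qw(borrowernumber userid cardnumber firstname surname branchcode flags email)) {
    no strict 'refs';
    *{$f} = sub { $_[0]{$f} };
}
sub library { MockLibrary->new( branchname => $_[0]{branchname} ) }

package main;
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

Koha::REST::Plugin::AuthExample->new->register( app(), {} );

# Hypothetical route standing in for the OIDC callback: by the time it
# runs the patron has already been resolved from the identity provider.
get '/login-demo' => sub {
    my $c      = shift;
    my $patron = MockPatron->new(
        borrowernumber => 42,     userid     => 'jdoe',  cardnumber => 'C0042',
        firstname      => 'Jane', surname    => 'Doe',   branchcode => 'CPL',
        branchname     => 'Centerville', flags => 0, email => 'jdoe@example.org',
    );
    my ( $sid, $session ) = $c->auth->session( $patron, 'opac' );
    # Hand the id out under Koha's cookie name, with the hardening flags set.
    $c->cookie( CGISESSID => $sid, { path => '/', httponly => 1, secure => 1, samesite => 'Lax' } );
    $c->render( json => { session_id => $sid, id => $session->param('id'), ip => $session->param('ip') } );
};

# Exercise the route in-process: the id is minted server-side, the ip
# comes from the connection, and the cookie is HttpOnly.
my $t = Test::Mojo->new( app() );
$t->get_ok('/login-demo')->status_is(200)
  ->json_is( '/id', 'jdoe' )->json_is( '/ip', '127.0.0.1' )
  ->header_like( 'Set-Cookie', qr/CGISESSID=.*HttpOnly/ );
done_testing;
```

Run it with `perl` from a checkout that has Mojolicious and CGI::Session installed; it starts no listener other than the in-process one Test::Mojo uses. The helper deliberately returns both the id and the session object, matching the two options at the end of the comment, and the only thing it will not do is authenticate: that decision belongs to the caller, which is the whole point of not going through check_api_auth.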