[Koha-bugs] [Bug 30962] REST API: Add endpoint /auth/password/validation

bugzilla-daemon at bugs.koha-community.org
Fri Jan 27 17:01:27 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962

Katrin Fischer <katrin.fischer at bsz-bw.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |32739
             Status|Signed Off                  |Failed QA

--- Comment #26 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
1) Unit tests pass
2) QA test tools pass

3) Test plan

I followed the test plan and while I have the replies 204 and 400, I don't see
the error as described:

error message {"error":"Validation failed"}

4) Postman

I also tried to test this with Postman.

* Verified that BasicAuth worked as expected by listing patrons
* Tried: localhost:8081/api/v1/auth/password/validation
* Params: username, password 
* Verb: POST
* Body: { "username": "...", "password": "..." }

a) Matching username + password

* cardnumber + correct password = 400 - Bad request
* username + correct password = 204 - No Content (that's a success?)
* username + incorrect password = 400 - Bad Request - error: Validation failed
* username + incorrect password so many times to make the account lock: 400 -
Bad Request - error: Validation failed

Notes:

* The login page in Koha allows for cardnumber + password AND userid + password
at the same time. I think we should extend this route in a separate bug to also
support cardnumber/both to make this easier to use and also mimic what ILS-DI
and SIP do as well.
I've filed: Bug 32739 - REST API: Extend endpoint /auth/password/validation for
cardnumber

* We do want the account to lock with too many attempts, which it does. The
error stays the same, but I think that's good too and matches what we do on the
OPAC, we don't want to give away too much information. *thumbs up*

QA fail:

* The route uses username, but the patrons API uses user_id. We should make
things match and use user_id here as well.

Almost ready to PQA, please fix!


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32739
[Bug 32739] REST API: Extend endpoint /auth/password/validation for cardnumber
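
Added example (not part of the original comment and not Koha's code): a minimal password validator that reproduces the response pattern reported above, 204 on success and the same 400 "Validation failed" body for a wrong password, an unknown user, or a locked account. The class name, the lockout threshold, the PBKDF2 hashing and the refusal of a correct password after lockout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED = 3  # assumed lockout threshold, not taken from the bug report
SUCCESS = (204, None)
GENERIC_FAILURE = (400, {"error": "Validation failed"})


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in so the example runs with the standard library only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordValidator:
    """Hypothetical validator: every failure path returns the same response."""

    def __init__(self):
        self._users = {}                   # userid -> salt, digest, failed count
        self._dummy_salt = os.urandom(16)  # used when the userid is unknown

    def add_user(self, userid: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[userid] = {"salt": salt, "digest": _hash(password, salt), "failed": 0}

    def is_locked(self, userid: str) -> bool:
        # Server-side view only; the lock state is never exposed in the response.
        rec = self._users.get(userid)
        return rec is not None and rec["failed"] >= MAX_FAILED

    def validate(self, userid: str, password: str):
        rec = self._users.get(userid)
        # Hash even for unknown users so response time does not reveal existence.
        candidate = _hash(password, rec["salt"] if rec else self._dummy_salt)
        expected = rec["digest"] if rec else bytes(32)
        matches = hmac.compare_digest(candidate, expected)  # constant-time compare
        if rec is None or self.is_locked(userid):
            return GENERIC_FAILURE  # unknown or locked: same body as wrong password
        if not matches:
            rec["failed"] += 1      # count towards the lockout
            return GENERIC_FAILURE
        rec["failed"] = 0
        return SUCCESS
```
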