[Koha-bugs] [Bug 36094] svc/authentication needs adjustments

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Feb 21 06:13:05 CET 2024


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094

--- Comment #14 from David Cook <dcook at prosentient.com.au> ---
(In reply to David Cook from comment #13)
> I'll come up with something for this.

Of course, my thoughts were based off the expectation that check_api_auth()
returned a cookie and session ID for all responses. 

Here's the proposed flow:

1. GET /svc/authentication
If authenticated, returns OK and session cookie for authenticated session plus
X-CSRF_TOKEN header in response

If not authenticated, returns failed/anon and session cookie for anonymous
session plus X-CSRF_TOKEN header in response

2. POST /svc/authentication
If not authenticated, perform authentication using X-CSRF_TOKEN and session
cookie for anonymous session

3. POST /svc/new_bib
Do work using X-CSRF_TOKEN from previous response (or meta tag if it's in a web
app) and session cookie 

--

Technically, the POST /svc/authentication can use whatever session cookie, so I
suppose I'll just create an anonymous session if one is missing. It means extra
logic in /svc/authentication, which is suboptimal but it beats creating yet
another "check_*" function in C4/Auth.pm or changing the API of our internal
auth functions...

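The three-step flow sketched in the comment, modelled end to end as an added example (this is not Koha code and not David Cook's patch): an in-memory session store and three handler functions stand in for C4::Auth and the svc/ scripts, with the client walking GET /svc/authentication, POST /svc/authentication and POST /svc/new_bib in order. The response shape, the user table, the HMAC-based CSRF token and the session rotation on login are all assumptions of this example; the comment only requires that every response carry a session cookie and an X-CSRF_TOKEN header and that a missing cookie on the POST yields a fresh anonymous session.

```python
"""Model of the GET -> POST /svc/authentication -> POST /svc/new_bib flow.

Added example, not Koha code. Session store, handler names, the
status/body/headers response shape and the credentials are constructed.
"""
import hashlib
import hmac
import secrets

SESSIONS = {}   # session id -> {"user": userid or None, "csrf_secret": bytes}
USERS = {"librarian": "correct horse battery staple"}   # constructed credentials
BIBS = []       # records "created" by /svc/new_bib


def _new_session(user=None):
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf_secret": secrets.token_bytes(32)}
    return sid


def csrf_token_for(sid):
    # HMAC of the session id under a per-session secret: a token can only
    # verify against the cookie it was issued with (assumed token scheme).
    return hmac.new(SESSIONS[sid]["csrf_secret"], sid.encode(), hashlib.sha256).hexdigest()


def _csrf_ok(sid, token):
    return (sid in SESSIONS and token is not None
            and hmac.compare_digest(csrf_token_for(sid), token))


def _response(status, body, sid):
    # Every response carries the session cookie and a CSRF token for that
    # session, which is the expectation the comment's flow is built on.
    return {"status": status, "body": body,
            "headers": {"Set-Cookie": sid, "X-CSRF_TOKEN": csrf_token_for(sid)}}


def get_authentication(cookie=None):
    """Step 1: GET /svc/authentication (ok + cookie + token, or anon + cookie + token)."""
    if cookie not in SESSIONS:
        cookie = _new_session()                 # anonymous session
    body = "ok" if SESSIONS[cookie]["user"] else "anon"
    return _response(200, body, cookie)


def post_authentication(cookie, csrf_token, userid, password):
    """Step 2: POST /svc/authentication with the anon cookie and its token."""
    if cookie not in SESSIONS:
        cookie = _new_session()                 # "create an anonymous session if one is missing"
    if not _csrf_ok(cookie, csrf_token):
        return _response(403, "csrf mismatch", cookie)   # a POST without a prior GET lands here
    if SESSIONS[cookie]["user"]:
        return _response(200, "ok", cookie)     # already authenticated
    expected = USERS.get(userid)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return _response(401, "failed", cookie)
    # Assumption beyond the comment: issue a fresh session id on login instead
    # of upgrading the anonymous one, so a cookie planted before login is not
    # promoted. The new token for the new cookie goes back in this response.
    del SESSIONS[cookie]
    return _response(200, "ok", _new_session(user=userid))


def post_new_bib(cookie, csrf_token, marc):
    """Step 3: POST /svc/new_bib using the cookie and token from step 2."""
    if cookie not in SESSIONS or not SESSIONS[cookie]["user"]:
        return {"status": 401, "body": "failed", "headers": {}}
    if not _csrf_ok(cookie, csrf_token):
        return _response(403, "csrf mismatch", cookie)
    BIBS.append({"owner": SESSIONS[cookie]["user"], "marc": marc})
    return _response(200, str(len(BIBS)), cookie)   # constructed biblionumber


def client_flow(userid, password, marc):
    """Walk the three steps as a script client would; returns the outcomes."""
    r1 = get_authentication()
    cookie, token = r1["headers"]["Set-Cookie"], r1["headers"]["X-CSRF_TOKEN"]
    r2 = post_authentication(cookie, token, userid, password)
    cookie, token = r2["headers"]["Set-Cookie"], r2["headers"]["X-CSRF_TOKEN"]
    r3 = post_new_bib(cookie, token, marc)
    return r1["body"], r2["status"], r3["status"], r3["body"]


if __name__ == "__main__":
    print(client_flow("librarian", "correct horse battery staple", "=LDR constructed"))
```

The point worth checking in such a model is the failure paths rather than the happy path: a POST to /svc/authentication with no cookie gets an anonymous session created but is still rejected on the CSRF check, because no token was ever issued for that session; an anonymous session cannot reach /svc/new_bib; and once the session is rotated at login, the step-1 cookie and token are dead, which is why step 3 must use the token from the step-2 response exactly as the comment says.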