[Koha-bugs] [Bug 36094] svc/authentication needs adjustements

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Feb 27 23:29:17 CET 2024


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094

--- Comment #21 from David Cook <dcook at prosentient.com.au> ---
(In reply to Jonathan Druart from comment #20)
> why not simply reject if the request_method ne "POST"?

Because the GET is used to obtain the CSRF token in order to do the POST, as I
describe in https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094#c14

If MarcEdit is trying to use the SVC API, they'll first do a GET against
svc/authentication to get the initial CSRF token and to check if they're
authenticated already (since the SVC API uses cookie auth).

If they're not authenticated, then they POST to svc/authentication to login
using the CSRF token they got from the previous GET.

They could then use the CSRF token they get back from the POST to do the next
operation. (In theory all the SVC endpoints should return a CSRF token in their
response headers, but I haven't gotten that far. I think you've mentioned
elsewhere that the primary concern is Koha's internal use of SVC API so fair
enough. But as Katrin mentions in Comment 2 we do need to think about external
users too, so I've still got it on my mind.)
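The GET-then-POST handshake described in this comment, modelled as an added Python example. This is not Koha's code and not from this thread: it assumes a session cookie named `session`, a response header named `X-CSRF-Token`, an in-memory session store and constructed demo credentials. The model shows why a blanket "reject anything that is not POST" rule would break external clients: GET is the read-only step that reports whether the cookie is already authenticated and hands out the token, while POST is the state-changing step and is refused unless it carries the token issued to that same session. On a successful login the token is rotated, so the client carries on with the token returned by the POST.

```python
import secrets

# Constructed demo state; a real server keeps this in its session store.
USERS = {"marcedit": "correct horse battery"}   # constructed demo credential
SESSIONS = {}   # session cookie value -> {"user": str | None, "csrf": str}
CSRF_HEADER = "X-CSRF-Token"   # assumed header name, not necessarily Koha's
COOKIE_NAME = "session"        # assumed cookie name, not necessarily Koha's


def _get_or_create_session(cookies):
    """Return the session id from the cookie jar, creating a fresh anonymous
    session (with its own CSRF token) when the cookie is absent or unknown."""
    sid = cookies.get(COOKIE_NAME)
    if sid not in SESSIONS:
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {"user": None, "csrf": secrets.token_urlsafe(16)}
    return sid


def svc_authentication(method, cookies, headers=None, form=None):
    """Model of the svc/authentication endpoint.

    Returns (status, response_headers, body). Every response carries the
    session cookie in Set-Cookie and the session's current CSRF token in
    CSRF_HEADER, so a client always learns the token it needs next.
    """
    headers = headers or {}
    form = form or {}
    if method not in ("GET", "POST"):
        return 405, {}, {"error": "method not allowed"}

    sid = _get_or_create_session(cookies)
    sess = SESSIONS[sid]
    common = {"Set-Cookie": f"{COOKIE_NAME}={sid}", CSRF_HEADER: sess["csrf"]}

    if method == "GET":
        # Read-only: report auth state and issue the token for a later POST.
        return 200, common, {"authenticated": sess["user"] is not None,
                             "user": sess["user"]}

    # POST changes state, so the token from the earlier GET is mandatory and
    # must match the token bound to this session (constant-time compare).
    presented = headers.get(CSRF_HEADER) or form.get("csrf_token")
    if not (presented and secrets.compare_digest(presented, sess["csrf"])):
        return 403, common, {"error": "bad or missing CSRF token"}

    # Constructed credential check for the demo only.
    user, password = form.get("userid"), form.get("password")
    if user not in USERS or not secrets.compare_digest(USERS[user], password or ""):
        return 401, common, {"error": "login failed"}

    sess["user"] = user
    sess["csrf"] = secrets.token_urlsafe(16)   # rotate token after login
    common[CSRF_HEADER] = sess["csrf"]
    return 200, common, {"authenticated": True, "user": user}


def client_login_flow(userid, password):
    """Walk the handshake the way an external SVC client would:
    GET for the token and auth state, then POST with that token if needed.
    Returns (cookie_jar, csrf_token_for_next_call, authenticated_user)."""
    cookies = {}
    _, hdrs, body = svc_authentication("GET", cookies)
    cookies[COOKIE_NAME] = hdrs["Set-Cookie"].split("=", 1)[1]
    if body["authenticated"]:
        return cookies, hdrs[CSRF_HEADER], body["user"]

    status, hdrs, body = svc_authentication(
        "POST", cookies,
        headers={CSRF_HEADER: hdrs[CSRF_HEADER]},
        form={"userid": userid, "password": password})
    if status != 200:
        raise RuntimeError(body["error"])
    return cookies, hdrs[CSRF_HEADER], body["user"]


if __name__ == "__main__":
    jar, token, user = client_login_flow("marcedit", "correct horse battery")
    print(f"logged in as {user}; next SVC call must send {CSRF_HEADER}: {token}")
```

A client that skips the GET and POSTs straight away gets a 403 because the freshly created session's token was never handed to it; a client that replays the pre-login token after a successful POST is also refused, since the token was rotated.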
