https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42719 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #4)
(In reply to Tomás Cohen Arazi (tcohen) from comment #3)
Bug 40736 makes the condition display a nicer message. This one goes further by implementing this missing flow.
Sounds good to me! I can't think of any reason why you wouldn't want to do that. I'll make a note to return to this. Happy to QA if someone else signs off.
Hmm back on https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40736#c9 I said that this idea of creating a session where it's missing would be a CSRF vulnerability. I was probably thinking that a phisher could cause someone to do a GET to http://localhost:8080/api/v1/public/oauth/login/test/opac which would then yield a state change (ie a login) if they were already authenticated with the IdP. At that point then, they could try to exploit an XSS attack or further CSRF... I'm not sure how viable that it, but I think that's probably what my thought process was. -- You are receiving this mail because: You are watching all bug changes.