https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094 --- Comment #14 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #13)
I'll come up with something for this.
Of course, my thoughts were based off the expectation that check_api_auth() returned a cookie and session ID for all responses. Here's the proposed flow: 1. GET /svc/authentication If authenticated, returns OK and session cookie for authenticated session plus X-CSRF_TOKEN header in response If not authenticated, returns failed/anon and session cookie for anonymous session plus X-CSRF_TOKEN header in response 2. POST /svc/authentication If not authenticated, perform authentication using X-CSRF_TOKEN and session cookie for anonymous session 3. POST /svc/new_bib Do work using X-CSRF_TOKEN from previous response (or meta tag if it's in a web app) and session cookie -- Technically, the POST /svc/authentication can use whatever session cookie, so I suppose I'll just create an anonymous session if one is missing. It means extra logic in /svc/authentication, which is suboptimal but it beats creating yet another "check_*" function in C4/Auth.pm or changing the API of our internal auth functions... -- You are receiving this mail because: You are watching all bug changes.