https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- Yet... as practical as an exception might be in the short-term... it still doesn't help us in the long-term. -- Maybe we do make an AuthenticateApiUser verb for the ILS-DI too, which requires a Koha staff user with an ILS-DI permission, and then we get all third-parties to use that. Initially, if we add a CSRF exception, we could continue supporting ILS-DI:AuthorizedIPs as well, and then eventually remove the exception and drop IP auth support. -- Jonathan, what do you think? The ILS-DI API is used fairly broadly. Not only for discovery systems like VuFind and EBSCO EDS but also for other third-party systems (especially in public libraries) that use it to authenticate patrons. Overall, I've found third-parties willing to work with us on API integrations, but Koha hasn't had the options for secure HTTP API integrations (even the REST API has permissions issues to an extent). -- You are receiving this mail because: You are watching all bug changes.