https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40736 Bug ID: 40736 Summary: OAuth/OIDC authentication broken when CGISESSID is missing Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: lari.taskula@hypernova.fi QA Contact: testopia@bugs.koha-community.org CC: tomascohen@gmail.com Our API error logs contain multiple instances of the following error
[ERROR] Can't call method "value" on an undefined value at /usr/share/koha/lib/Koha/REST/V1/OAuth/Client.pm line 100.
Client.pm:100 is
$state = Koha::Token->new->generate_csrf( { session_id => $c->req->cookie('CGISESSID')->value } );
This happens when a web crawler (Googlebot in our case) navigates to OAuth/OIDC login API endpoint, and Koha attempts to generate them a new CSRF token but is unable to due to missing CGISESSID cookie. To replicate: 1. Have an identity provider <provider code> defined under Administration > Identity providers 2. On a fresh browser session (clear cookies), 3. Navigate to https://yourkoha/api/v1/public/oauth/login/<provider code>/opac 4. Observe [ERROR] Can't call method "value" on an undefined value at /usr/share/koha/lib/Koha/REST/V1/OAuth/Client.pm line 100. in plack-api-error.log -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.