[Bug 37286] New: Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Bug ID: 37286 Summary: Fix REST API authentication when using Mojo apps Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: ASSIGNED Severity: normal Priority: P5 - low Component: REST API Assignee: julian.maurice@biblibre.com Reporter: julian.maurice@biblibre.com QA Contact: testopia@bugs.koha-community.org CC: tomascohen@gmail.com Koha::REST::V1::Auth checks the request URL path and do various things depending on how it looks. For instance, it allows everyone to access paths starting with "/api/v1/oauth/" But because of how Koha::REST::V1 was written, when using mojolicious applications Koha::App::Intranet and Koha::App::Opac, paths had to add a path prefix ("/api"), which means the final path as seen by Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth" I said "had to", but actually there is another way that does not require this path manipulation and that's what this bug is about -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 --- Comment #1 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 168644 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=168644&action=edit Bug 37286: Fix REST API authentication when using Mojo apps Koha::REST::V1::Auth checks the request URL path and do various things depending on how it looks. For instance, it allows everyone to access paths starting with "/api/v1/oauth/" But because of how Koha::REST::V1 was written, when using mojolicious applications Koha::App::Intranet and Koha::App::Opac, paths had to add a path prefix ("/api"), which means the final path as seen by Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth". I said "had to", but actually there is another way that does not require this path manipulation and that's what this patch does: Koha::REST::V1 now accepts a configuration parameter that allows to change the base path for API routes, which allows Koha::App::Plugin::RESTV1 (used by Koha::App::Intranet and Koha::App::Opac) to generate the right routes. This configuration parameter defaults to "/api/v1", so when outside of Koha::App::Intranet and Koha::App::Opac (when using debian/templates/plack.psgi for instance), the behavior is unchanged. Test plan: 1. Do not apply the patch yet 2. Run `bin/intranet daemon -l http://*:8080` 3. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token` It should return a 403 error, with an error message "Authentication failure". 4. Stop `bin/intranet daemon -l http://*:8080` by hitting Ctrl-C on the terminal you started it 5. Apply the patch 6. Run `bin/intranet daemon -l http://*:8080` again 7. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token` This time it should return a 400 error with an error message saying the "grant_type" property is missing. This error is normal as we did not send any data in the POST request body, and seeing this means Koha allowed us to use that route because it recognized '/api/v1/oauth/' at the start of the URL path 8. You can do the same test with `bin/opac` -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com --- Comment #2 from David Nind <david@davidnind.com> --- Any hints on how to set things up for testing this? In koha-testing-docker, I get this when running step 2 of the test plan: bin/intranet daemon -l http://*:8080 Can't create listen socket: Address already in use at /usr/share/perl5/Mojo/IOLoop.pm line 124 PS I don't know what a "Mojo app" is, so maybe I'm not the right person to test this bug 8-) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off Patch complexity|--- |Medium patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #168644|0 |1 is obsolete| | --- Comment #3 from Magnus Enger <magnus@libriotech.no> --- Created attachment 176544 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=176544&action=edit Bug 37286: Fix REST API authentication when using Mojo apps Koha::REST::V1::Auth checks the request URL path and do various things depending on how it looks. For instance, it allows everyone to access paths starting with "/api/v1/oauth/" But because of how Koha::REST::V1 was written, when using mojolicious applications Koha::App::Intranet and Koha::App::Opac, paths had to add a path prefix ("/api"), which means the final path as seen by Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth". I said "had to", but actually there is another way that does not require this path manipulation and that's what this patch does: Koha::REST::V1 now accepts a configuration parameter that allows to change the base path for API routes, which allows Koha::App::Plugin::RESTV1 (used by Koha::App::Intranet and Koha::App::Opac) to generate the right routes. This configuration parameter defaults to "/api/v1", so when outside of Koha::App::Intranet and Koha::App::Opac (when using debian/templates/plack.psgi for instance), the behavior is unchanged. Test plan: 1. Do not apply the patch yet 2. Run `bin/intranet daemon -l http://*:8080` 3. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token` It should return a 403 error, with an error message "Authentication failure". 4. Stop `bin/intranet daemon -l http://*:8080` by hitting Ctrl-C on the terminal you started it 5. Apply the patch 6. Run `bin/intranet daemon -l http://*:8080` again 7. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token` This time it should return a 400 error with an error message saying the "grant_type" property is missing. This error is normal as we did not send any data in the POST request body, and seeing this means Koha allowed us to use that route because it recognized '/api/v1/oauth/' at the start of the URL path 8. You can do the same test with `bin/opac` Signed-off-by: Magnus Enger <magnus@libriotech.no> Works as advertised. See Bugzilla for notes from testing. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |magnus@libriotech.no --- Comment #4 from Magnus Enger <magnus@libriotech.no> --- Initially, I had the same problem as David (in KTD), but I got around it by replacing :8080 with :8083 in the test plan. Here is what I got: === Server === $ bin/intranet daemon -l http://*:8083 [2025-01-15 10:28:23.65073] [11469] [info] Listening at "http://*:8083" Web application available at http://127.0.0.1:8083 === Client === $ curl -i -d{} http://127.0.0.1:8083/api/v1/oauth/token HTTP/1.1 401 Unauthorized Server: Mojolicious (Perl) Date: Wed, 15 Jan 2025 10:29:10 GMT Content-Type: application/json; charset=utf8 Content-Length: 35 {"error":"Authentication failure."} === Server === [2025-01-15 10:29:10.88254] [11469] [trace] [smrnH4W71gxh] POST "/api/api/v1/oauth/token" [2025-01-15 10:29:10.88285] [11469] [trace] [smrnH4W71gxh] Routing to application "Koha::REST::V1" [2025-01-15 10:29:10.88386] [11469] [trace] [smrnH4W71gxh] POST "/api/api/v1/oauth/token" [2025-01-15 10:29:10.88987] [11469] [trace] [smrnH4W71gxh] Routing to controller "Koha::REST::V1::Auth" and action "under" [2025-01-15 10:29:10.89101] [11469] [trace] [smrnH4W71gxh] 401 Unauthorized (0.007137s, 140.115/s) Applied the patch and restarted all the things. === Server === $ bin/intranet daemon -l http://*:8083 [2025-01-15 10:30:57.89162] [12106] [info] Listening at "http://*:8083" Web application available at http://127.0.0.1:8083 === Client === $ curl -i -d{} http://127.0.0.1:8083/api/v1/oauth/token HTTP/1.1 400 Bad Request Server: Mojolicious (Perl) Content-Length: 79 Content-Type: application/json;charset=UTF-8 Date: Wed, 15 Jan 2025 10:31:04 GMT {"errors":[{"message":"Missing property.","path":"\/grant_type"}],"status":400} === Server === [2025-01-15 10:31:04.33156] [12106] [trace] [QQTeoJ7i-Vbe] POST "/api/v1/oauth/token" [2025-01-15 10:31:04.33186] [12106] [trace] [QQTeoJ7i-Vbe] Routing to application "Koha::REST::V1" [2025-01-15 10:31:04.33434] [12106] [trace] [QQTeoJ7i-Vbe] POST "/api/v1/oauth/token" [2025-01-15 10:31:04.34088] [12106] [trace] [QQTeoJ7i-Vbe] Routing to controller "Koha::REST::V1::Auth" and action "under" [2025-01-15 10:31:04.34195] [12106] [trace] [QQTeoJ7i-Vbe] Routing to controller "Koha::REST::V1::OAuth" and action "token" [2025-01-15 10:31:04.34253] [12106] [trace] [QQTeoJ7i-Vbe] 400 Bad Request (0.008181s, 122.234/s) So I have verified this works according to the tese plan, but it will definitely need a more thorough review of the code. :-) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |paul.derscheid@lmscloud.de -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com Status|Signed Off |Failed QA --- Comment #5 from Jonathan Druart <jonathan.druart@gmail.com> --- Julian, do you think you could provide a test? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 --- Comment #6 from Julian Maurice <julian.maurice@biblibre.com> --- Created attachment 177101 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=177101&action=edit Bug 37286: Add tests for REST authentication through Mojo apps -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Signed Off --- Comment #7 from Julian Maurice <julian.maurice@biblibre.com> --- (In reply to Jonathan Druart from comment #5)
Julian, do you think you could provide a test? Done!
-- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Patch doesn't apply -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #176544|0 |1 is obsolete| | Attachment #177101|0 |1 is obsolete| | --- Comment #8 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 179117 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179117&action=edit Bug 37286: Fix REST API authentication when using Mojo apps Koha::REST::V1::Auth checks the request URL path and do various things depending on how it looks. For instance, it allows everyone to access paths starting with "/api/v1/oauth/" But because of how Koha::REST::V1 was written, when using mojolicious applications Koha::App::Intranet and Koha::App::Opac, paths had to add a path prefix ("/api"), which means the final path as seen by Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth". I said "had to", but actually there is another way that does not require this path manipulation and that's what this patch does: Koha::REST::V1 now accepts a configuration parameter that allows to change the base path for API routes, which allows Koha::App::Plugin::RESTV1 (used by Koha::App::Intranet and Koha::App::Opac) to generate the right routes. This configuration parameter defaults to "/api/v1", so when outside of Koha::App::Intranet and Koha::App::Opac (when using debian/templates/plack.psgi for instance), the behavior is unchanged. Test plan: 1. Do not apply the patch yet 2. Run `bin/intranet daemon -l http://*:8080` 3. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token` It should return a 403 error, with an error message "Authentication failure". 4. Stop `bin/intranet daemon -l http://*:8080` by hitting Ctrl-C on the terminal you started it 5. Apply the patch 6. Run `bin/intranet daemon -l http://*:8080` again 7. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token` This time it should return a 400 error with an error message saying the "grant_type" property is missing. This error is normal as we did not send any data in the POST request body, and seeing this means Koha allowed us to use that route because it recognized '/api/v1/oauth/' at the start of the URL path 8. You can do the same test with `bin/opac` Signed-off-by: Magnus Enger <magnus@libriotech.no> Works as advertised. See Bugzilla for notes from testing. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 --- Comment #9 from Jonathan Druart <jonathan.druart@gmail.com> --- Created attachment 179118 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179118&action=edit Bug 37286: Add tests for REST authentication through Mojo apps Amended-by: Jonathan Druart Add +x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Martin Renvoize (ashimema) <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179117|0 |1 is obsolete| | --- Comment #10 from Martin Renvoize (ashimema) <martin.renvoize@ptfs-europe.com> --- Created attachment 179129 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179129&action=edit Bug 37286: Fix REST API authentication when using Mojo apps Koha::REST::V1::Auth checks the request URL path and do various things depending on how it looks. For instance, it allows everyone to access paths starting with "/api/v1/oauth/" But because of how Koha::REST::V1 was written, when using mojolicious applications Koha::App::Intranet and Koha::App::Opac, paths had to add a path prefix ("/api"), which means the final path as seen by Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth". I said "had to", but actually there is another way that does not require this path manipulation and that's what this patch does: Koha::REST::V1 now accepts a configuration parameter that allows to change the base path for API routes, which allows Koha::App::Plugin::RESTV1 (used by Koha::App::Intranet and Koha::App::Opac) to generate the right routes. This configuration parameter defaults to "/api/v1", so when outside of Koha::App::Intranet and Koha::App::Opac (when using debian/templates/plack.psgi for instance), the behavior is unchanged. Test plan: 1. Do not apply the patch yet 2. Run `bin/intranet daemon -l http://*:8080` 3. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token` It should return a 403 error, with an error message "Authentication failure". 4. Stop `bin/intranet daemon -l http://*:8080` by hitting Ctrl-C on the terminal you started it 5. Apply the patch 6. Run `bin/intranet daemon -l http://*:8080` again 7. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token` This time it should return a 400 error with an error message saying the "grant_type" property is missing. This error is normal as we did not send any data in the POST request body, and seeing this means Koha allowed us to use that route because it recognized '/api/v1/oauth/' at the start of the URL path 8. You can do the same test with `bin/opac` Signed-off-by: Magnus Enger <magnus@libriotech.no> Works as advertised. See Bugzilla for notes from testing. Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Martin Renvoize (ashimema) <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #179118|0 |1 is obsolete| | --- Comment #11 from Martin Renvoize (ashimema) <martin.renvoize@ptfs-europe.com> --- Created attachment 179130 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179130&action=edit Bug 37286: Add tests for REST authentication through Mojo apps Amended-by: Jonathan Druart Add +x Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Martin Renvoize (ashimema) <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com QA Contact|testopia@bugs.koha-communit |martin.renvoize@ptfs-europe |y.org |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Martin Renvoize (ashimema) <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #12 from Martin Renvoize (ashimema) <martin.renvoize@ptfs-europe.com> --- I'm also happy here, so adding my SO stamp.. I've also drawn Tomas's attention to it.. but I reckon we can PQA here now. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 --- Comment #13 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Additional tests and a lot of removed FIXMES... :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to main Version(s)| |25.05.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 --- Comment #14 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 25.05! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 --- Comment #15 from Julian Maurice <julian.maurice@biblibre.com> --- Can this be backported please ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_24_11_candidate --- Comment #16 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to Julian Maurice from comment #15)
Can this be backported please ?
Hi Julian, you can use the rel_... keyword to give an additional alert to the RMaint. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_24_05_candidate --- Comment #17 from Julian Maurice <julian.maurice@biblibre.com> --- Thanks Katrin. I also added the keyword for 24.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |Pushed to stable Version(s)|25.05.00 |25.05.00,24.11.04 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 --- Comment #18 from Paul Derscheid <paul.derscheid@lmscloud.de> --- Nice work everyone! Pushed to 24.11.x for 24.11.04 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_24_11_candidate | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Jesse Maseto <jesse@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jesse@bywatersolutions.com --- Comment #19 from Jesse Maseto <jesse@bywatersolutions.com> --- Merge conflicts with 24.05.x, please rebase if needed in 24.05.x. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286 Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wainuiwitikapark@catalyst.n | |et.nz Status|Pushed to stable |Needs documenting --- Comment #20 from Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> --- Not backporting to 22.11.x as it wasn't backported to 24.05.x (or 23.XX) -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org