[Bug 24862] New: REST API throws 500 errors for browser after logout
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Bug ID: 24862 Summary: REST API throws 500 errors for browser after logout Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au It looks like the REST API might not be handling cookies correctly. To test: 0. Use koha-testing-docker 1. Login to http://localhost:8080/ 2. Go to http://localhost:8080/api/v1/libraries 3. Observe a 200 OK HTTP code and JSON output 4. Logout from http://localhost:8080/ 5. Go to http://localhost:8080/api/v1/libraries 6. Observe a 500 Internal Server Error and the following JSON output: {"error":"Something went wrong, check the logs."} It seems to me that really that should be returning a 401 and the following JSON output: {"error":"Authentication failure."} -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | CC| |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #1 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Good catch, David. Thanks for reporting it. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |josef.moravec@gmail.com, | |julian.maurice@biblibre.com | |, | |martin.renvoize@ptfs-europe | |.com, | |nick@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 --- Comment #2 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 100683 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100683&action=edit Bug 24862: Regression tests This patch introduces tests for the expected behaviour on API routes that expect a logged in user, but the request is made with an anonymous session cookie. To test: 1. Apply this patch 2. Run: $ kshell k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t => FAIL: Tests fail because the situation is not handled correctly in the code Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 --- Comment #3 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 100684 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100684&action=edit Bug 24862: Handle annonymous sessions gracefuly This patch introduces code to detect (cookie) annonymous sessions and act as expected. Right now, as check_cookie_auth is not passed the required permissions (because there aren't always required permissions, and the code to check permissions is shared with other authentication mechanisms) it returns 'ok' and the session id. This use case was overlooked when this was coded, and yeilds unexpected error codes (500) when the user logs out and the annonymous session cookie is used to hit the API. The end result doesn't pose any security issue (i.e. the resource access is rejected) but the returned error code is not correct and should be fixed. This patch verifies for an anonymous session (and avoids querying the corresponding patron) and then verifies if there is an authorization config on the route and if the patron object is defined. To test: 1. Apply the tests patch 2. Run: $ kshell k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t => FAIL: Tests fail, 500 instead of the expected 401 3. Apply this patch 4. Repeat 2 => SUCCESS: Tests pass! 5. Repeat the original 'steps to reproduce' from the bug report using the browser => SUCCESS: Problem solved! 6. Sign off :-D Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Sponsored-by: ByWater Solutions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|REST API throws 500 errors |API throws 500 errors for |for browser after logout |browser after logout -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|API throws 500 errors for |Wrong behaviour on |browser after logout |anonymous sessions CC| |agustinmoyano@theke.io -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #100683|0 |1 is obsolete| | --- Comment #4 from David Nind <david@davidnind.com> --- Created attachment 100692 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100692&action=edit Bug 24862: Regression tests This patch introduces tests for the expected behaviour on API routes that expect a logged in user, but the request is made with an anonymous session cookie. To test: 1. Apply this patch 2. Run: $ kshell k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t => FAIL: Tests fail because the situation is not handled correctly in the code Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #100684|0 |1 is obsolete| | --- Comment #5 from David Nind <david@davidnind.com> --- Created attachment 100693 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100693&action=edit Bug 24862: Handle annonymous sessions gracefuly This patch introduces code to detect (cookie) annonymous sessions and act as expected. Right now, as check_cookie_auth is not passed the required permissions (because there aren't always required permissions, and the code to check permissions is shared with other authentication mechanisms) it returns 'ok' and the session id. This use case was overlooked when this was coded, and yeilds unexpected error codes (500) when the user logs out and the annonymous session cookie is used to hit the API. The end result doesn't pose any security issue (i.e. the resource access is rejected) but the returned error code is not correct and should be fixed. This patch verifies for an anonymous session (and avoids querying the corresponding patron) and then verifies if there is an authorization config on the route and if the patron object is defined. To test: 1. Apply the tests patch 2. Run: $ kshell k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t => FAIL: Tests fail, 500 instead of the expected 401 3. Apply this patch 4. Repeat 2 => SUCCESS: Tests pass! 5. Repeat the original 'steps to reproduce' from the bug report using the browser => SUCCESS: Problem solved! 6. Sign off :-D Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Sponsored-by: ByWater Solutions Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #100692|0 |1 is obsolete| | --- Comment #6 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 100734 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100734&action=edit Bug 24862: Regression tests This patch introduces tests for the expected behaviour on API routes that expect a logged in user, but the request is made with an anonymous session cookie. To test: 1. Apply this patch 2. Run: $ kshell k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t => FAIL: Tests fail because the situation is not handled correctly in the code Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #100693|0 |1 is obsolete| | --- Comment #7 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 100735 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100735&action=edit Bug 24862: Handle annonymous sessions gracefuly This patch introduces code to detect (cookie) annonymous sessions and act as expected. Right now, as check_cookie_auth is not passed the required permissions (because there aren't always required permissions, and the code to check permissions is shared with other authentication mechanisms) it returns 'ok' and the session id. This use case was overlooked when this was coded, and yeilds unexpected error codes (500) when the user logs out and the annonymous session cookie is used to hit the API. The end result doesn't pose any security issue (i.e. the resource access is rejected) but the returned error code is not correct and should be fixed. This patch verifies for an anonymous session (and avoids querying the corresponding patron) and then verifies if there is an authorization config on the route and if the patron object is defined. To test: 1. Apply the tests patch 2. Run: $ kshell k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t => FAIL: Tests fail, 500 instead of the expected 401 3. Apply this patch 4. Repeat 2 => SUCCESS: Tests pass! 5. Repeat the original 'steps to reproduce' from the bug report using the browser => SUCCESS: Problem solved! 6. Sign off :-D Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Sponsored-by: ByWater Solutions Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |20.05.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 --- Comment #8 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Nice work everyone! Pushed to master for 20.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=24861 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |25045 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25045 [Bug 25045] Add a way to restrict anonymous access to public routes (OpacPublic behaviour) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact| |nick@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |Pushed to stable CC| |aleisha@catalyst.net.nz -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|20.05.00 |20.05.00, 19.11.07 released in| | Status|Pushed to stable |Pushed to oldstable --- Comment #9 from Aleisha Amohia <aleisha@catalyst.net.nz> --- backported to 19.11.x for 19.11.07 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24862 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Pushed to oldoldstable CC| |victor@tuxayo.net Version(s)|20.05.00, 19.11.07 |20.05.00, 19.11.07, released in| |19.05.13 --- Comment #10 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Backported to 19.05.x branch for 19.05.13 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org