[Bug 35204] New: REST API: POST endpoint /auth/password/validation dies on patron with expired password
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Bug ID: 35204 Summary: REST API: POST endpoint /auth/password/validation dies on patron with expired password Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: nick@bywatersolutions.com CC: tomascohen@gmail.com The REST module relies on return of cardnumber/userid from C4::Auth::checkpw, however a patron with an expired password returns only -2 This causes a 500 Error from the API route -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |30962 Severity|normal |major Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962 [Bug 30962] Add POST endpoint for validating a user password -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com, | |matt.blenkinsop@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #1 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Created attachment 159612 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=159612&action=edit Bug 35204: Prevent an expired password from throwing a 500 error Currently when a patron with an expired password is authenticated via the API a 500 error is returned rather than a 400 "Validation failed" error. This patch catches the return value for an expired password and returns the validation failure before the patron search is attempted. Test plan: 1) Choose a patron and set their password expiry date to a date in the past 2) Send a request to auth/password/validation with that patron's details 3) The response should be a 500 error 4) Apply patch 5) Repeat steps 1-3 and this time the response should be a 400 code with an error message of "Validation failed" -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |matt.blenkinsop@ptfs-europe |ity.org |.com -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com --- Comment #2 from David Nind <david@davidnind.com> --- I'm happy to test, but how to send a request is not something I'm great at. Could you provide an example of how to send a request to generate the error? Thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- (In reply to David Nind from comment #2)
I'm happy to test, but how to send a request is not something I'm great at.
Could you provide an example of how to send a request to generate the error?
Thanks!
curl -u AMINDUSER:ADMINPASSWORD -H "Content-Type: application/json" http://localhost:8081/api/v1/auth/password/validation -d '{"identifier":"patron","password":"$uper Duper 4wesome Password"}' -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- While this works... I don't think it's the right solution. It looks like we should change "unless ($status)" to "unless ($status && $status > 0)". I'm basing that off these lines 2004 # INTERNAL AUTH 2005 if ( $check_internal_as_fallback ) { 2006 @return = checkpw_internal( $userid, $password, $no_set_userenv); 2007 $passwd_ok = 1 if $return[0] > 0; # 1 or 2 2008 } I don't think the -2 for an expired password actually gets used anywhere so that's fun. The "password_expired" message at login time seems to come from $patron->password_expired in a different auth function. I don't know what a return value of 2 means either... (One of these days auth in Koha won't be a nightmare...) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA --- Comment #5 from David Cook <dcook@prosentient.com.au> --- Sorry but I think I'm going to mark this one as Failed QA even though I'm the one who made the original mistake 😅 I can fix this tomorrow afternoon if you'd prefer. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #6 from David Nind <david@davidnind.com> --- (In reply to David Cook from comment #3)
(In reply to David Nind from comment #2)
I'm happy to test, but how to send a request is not something I'm great at.
Could you provide an example of how to send a request to generate the error?
Thanks!
curl -u AMINDUSER:ADMINPASSWORD -H "Content-Type: application/json" http://localhost:8081/api/v1/auth/password/validation -d '{"identifier":"patron","password":"$uper Duper 4wesome Password"}'
Thanks David! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #7 from Tomás Cohen Arazi <tomascohen@gmail.com> --- I was going to fail this one yesterday but had a flight delayed. - We need tests (they should highlight what dcook is saying) - My opinion is we should return `error_code` => 'password_expired' or similar, so API consumers can really act correctly on further steps for the end user. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #159612|0 |1 is obsolete| | --- Comment #8 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Created attachment 159939 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=159939&action=edit Bug 35204: Prevent an expired password from throwing a 500 error Currently when a patron with an expired password is authenticated via the API a 500 error is returned rather than a 400 "Validation failed" error. This patch catches the return value for an expired password and returns the validation failure before the patron search is attempted. Test plan: 1) Choose a patron and set their password expiry date to a date in the past 2) Send a request to auth/password/validation as an authenticated user with that patron's details 3) The response should be a 500 error 4) Apply patch 5) Repeat steps 1-3 and this time the response should be a 400 code with an error message of "Password expired" -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #9 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Created attachment 159940 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=159940&action=edit Bug 35204: Add unit tests prove t/db_dependent/api/v1/password_validation.t -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #10 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Attempt two - I've added a unit test and changed the error code to now show a password expiration rather than just "Validation failed". Let me know if this needs tweaking at all -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #11 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 159956 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=159956&action=edit Bug 35204: Add unit tests prove t/db_dependent/api/v1/password_validation.t Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> bsoletes: 159940 - Bug 35204: Add unit tests -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #159939|0 |1 is obsolete| | --- Comment #12 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 159957 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=159957&action=edit Bug 35204: Prevent an expired password from throwing a 500 error Currently when a patron with an expired password is authenticated via the API a 500 error is returned rather than a 400 "Validation failed" error. This patch catches the return value for an expired password and returns the validation failure before the patron search is attempted. Test plan: 1) Choose a patron and set their password expiry date to a date in the past 2) Send a request to auth/password/validation as an authenticated user with that patron's details 3) The response should be a 500 error 4) Apply patch 5) Repeat steps 1-3 and this time the response should be a 400 code with an error message of "Password expired" Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #159940|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #13 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Looks good. Amended the patches so they don't have tidy issues. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact| |tomascohen@gmail.com Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |24.05.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 --- Comment #14 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.05! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |Pushed to stable CC| |fridolin.somers@biblibre.co | |m Version(s)|24.05.00 |24.05.00,23.11.02 released in| | --- Comment #15 from Fridolin Somers <fridolin.somers@biblibre.com> --- Pushed to 23.11.x for 23.11.02 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com Version(s)|24.05.00,23.11.02 |24.05.00,23.11.02,23.05.08 released in| | Status|Pushed to stable |Pushed to oldstable --- Comment #16 from Lucas Gass <lucas@bywatersolutions.com> --- Backported to 23.05.x for upcoming 23.05.08 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Frédéric Demians <frederic@tamil.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Pushed to oldoldstable CC| |frederic@tamil.fr --- Comment #17 from Frédéric Demians <frederic@tamil.fr> --- Pushed to 22.11.x for 23.11.14 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36937 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36937 [Bug 36937] api/v1/password_validation.t generates warnings -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC|martin.renvoize@ptfs-europe | |.com | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 Phil Ringnalda <phil@chetcolibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldoldstable |Needs documenting CC| |phil@chetcolibrary.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35204 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs documenting |RESOLVED Resolution|--- |FIXED --- Comment #18 from David Nind <david@davidnind.com> --- The REST API is self-documenting (up to QA to pick up any issues), so no changes to the manual are required. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org