[Bug 42926] New: Return passwordmustchange flag when patron password is expired
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 Bug ID: 42926 Summary: Return passwordmustchange flag when patron password is expired Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: thibaud.guillot@biblibre.com QA Contact: testopia@bugs.koha-community.org CC: tomascohen@gmail.com Target Milestone: --- Hello, When a patron's password is expired (whether due to ForcePasswordResetWhenSetByStaff or natural expiration), the REST API can returns a structured 403 response with a `passwordmustchange` boolean flag. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 Thibaud Guillot (thibaud_g) <thibaud.guillot@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 --- Comment #1 from Thibaud Guillot (thibaud_g) <thibaud.guillot@biblibre.com> --- Created attachment 201055 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201055&action=edit Bug 42926: REST API - Return passwordmustchange flag when patron password is expired When a patron's password is expired (whether due to ForcePasswordResetWhenSetByStaff or natural expiration), the REST API now returns a structured 403 response with a `passwordmustchange` boolean flag. Before: - Basic auth returned 403 "Password has expired" - Cookie session with an expired password fell through to "Unexpected authentication status" After: - Both auth methods return 403 { "error": "Password must be changed", "passwordmustchange": true } - A dedicated Koha::Exceptions::Authentication::PasswordMustChange exception handles this case Test plan: 1. Enable syspref RESTBasicAuth 2. Create a patron with a password 3. Set password_expiration_date to yesterday: UPDATE borrowers SET password_expiration_date = DATE_SUB(NOW(), INTERVAL 1 DAY) WHERE userid = 'testuser'; 4. HTTP 403 with "passwordmustchange:true" into the body GET /api/v1/patrons 5. Enable syspref ForcePasswordResetWhenSetByStaff 6. Create a new patron WITH a password via the full patron add form (not quick add to set password during creation, not separately) 7. HTTP 403 with "passwordmustchange:true" into the body GET /api/v1/patrons 8. With the expired patron from step 3: POST /api/v1/public/patrons/{patron_id}/password via Basic auth Body: { "old_password": "...", "password": "NewPass!", "password_repeated": "NewPass!" } 9. HTTP 200 on GET /api/v1/patrons with new password prove -v t/db_dependent/api/v1/auth_basic.t Sponsored-by: BibLibre -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 Thibaud Guillot (thibaud_g) <thibaud.guillot@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |thibaud.guillot@biblibre.co |ity.org |m -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 Thibaud Guillot (thibaud_g) <thibaud.guillot@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch Sponsorship status|--- |Sponsored -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 --- Comment #2 from Thibaud Guillot (thibaud_g) <thibaud.guillot@biblibre.com> --- I’ve noticed that the QA script reports that the test fails on the ‘Public password endpoint accessible with expired password’ section, but when I run the test script directly via prove, I don’t encounter the problem. I’m not entirely sure why. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |tomascohen@gmail.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA --- Comment #3 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Expired password preventing basic login on the API was already a thing in Koha. The introduced changes here are: 1) Signal de consumer about this situation in a better way. 2) Add an explicit exception for expired passwords. 3) Allow password change when expired (through a path check and exception) (1) * We prefer snake_case for coded values on the API * I think 'Password expired' reads better but I leave it to native speakers * You should use `error_code => 'password_expired'` instead of changing the 'error' object schema (by adding a new 'passwordmustchange' attribute') (2) Stick to `Koha::Exceptions::Password::Expired` for the exception name (3) This looks good. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org