[Bug 38826] New: C4::Auth::check_api_auth sometimes returns $session and sometimes returns $sessionID
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Bug ID: 38826 Summary: C4::Auth::check_api_auth sometimes returns $session and sometimes returns $sessionID Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org As I discovered while troubleshooting an issue with bug 37060, it appears that C4::Auth::check_api_auth sometimes returns $session and sometimes returns $sessionID. After grepping through the code, it seems that the only file that uses the $sessionID return value from C4::Auth::check_api_auth is svc/authentication so it looks like it's the only affected file. Note: $sessionID is returned on a successful login, while $session is returned when we have a cookie for an authenticated session. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37060 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Created attachment 176145 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=176145&action=edit Bug 38826: Make check_api_auth $sessionID consistent This change makes $sessionID consistently return using the session ID and not sometimes the session object. Test plan: 0. Apply the patch 1. koha-plack --restart kohadev 2. curl -v 'http://localhost:8081/cgi-bin/koha/svc/authentication' --cookie-jar /tmp/test.cookies 3. Note the Csrf-Token header value 4. Replace the <CSRF-TOKEN>, <USERID>, and <PASSWORD> tokens in the next step using the appropriate values (eg the CSRF-TOKEN is from the previous step) 5. curl -v -H "Content-Type: application/x-www-form-urlencoded" \ -H "Csrf-Token: <CSRF-TOKEN>" -XPOST \ 'http://localhost:8081/cgi-bin/koha/svc/authentication' \ -d "login_userid=<USERID>&login_password=<PASSWORD>" \ --cookie /tmp/test.cookies --cookie-jar /tmp/test.cookies 6. curl -XGET -v 'http://localhost:8081/cgi-bin/koha/svc/bib/29' \ --cookie /tmp/test.cookies > rec.marcxml 7. curl -v 'http://localhost:8081/cgi-bin/koha/svc/authentication' \ --cookie /tmp/test.cookies --cookie-jar /tmp/test.cookies 8. Note the Csrf-Token header value 9. curl -H "Content-Type: text/xml" -H "Csrf-Token: <CSRF-TOKEN>" \ -XPOST -v 'http://localhost:8081/cgi-bin/koha/svc/bib/29' \ --cookie /tmp/test.cookies --data @rec.marcxml -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Note: This bug causes the Csrf-Token returned by svc/authentication to be incorrect when the user sends a cookie for an authenticated session, since it's using something like "CGI::Session=HASH(0x5592c03f5508)" instead of the actual session ID to create the token. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Jan Kissig <bibliothek@th-wildau.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Jan Kissig <bibliothek@th-wildau.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #176145|0 |1 is obsolete| | --- Comment #3 from Jan Kissig <bibliothek@th-wildau.de> --- Created attachment 176164 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=176164&action=edit Bug 38826: Make check_api_auth $sessionID consistent This change makes $sessionID consistently return using the session ID and not sometimes the session object. Test plan: 0. Apply the patch 1. koha-plack --restart kohadev 2. curl -v 'http://localhost:8081/cgi-bin/koha/svc/authentication' --cookie-jar /tmp/test.cookies 3. Note the Csrf-Token header value 4. Replace the <CSRF-TOKEN>, <USERID>, and <PASSWORD> tokens in the next step using the appropriate values (eg the CSRF-TOKEN is from the previous step) 5. curl -v -H "Content-Type: application/x-www-form-urlencoded" \ -H "Csrf-Token: <CSRF-TOKEN>" -XPOST \ 'http://localhost:8081/cgi-bin/koha/svc/authentication' \ -d "login_userid=<USERID>&login_password=<PASSWORD>" \ --cookie /tmp/test.cookies --cookie-jar /tmp/test.cookies 6. curl -XGET -v 'http://localhost:8081/cgi-bin/koha/svc/bib/29' \ --cookie /tmp/test.cookies > rec.marcxml 7. curl -v 'http://localhost:8081/cgi-bin/koha/svc/authentication' \ --cookie /tmp/test.cookies --cookie-jar /tmp/test.cookies 8. Note the Csrf-Token header value 9. curl -H "Content-Type: text/xml" -H "Csrf-Token: <CSRF-TOKEN>" \ -XPOST -v 'http://localhost:8081/cgi-bin/koha/svc/bib/29' \ --cookie /tmp/test.cookies --data @rec.marcxml Signed-off-by: Jan Kissig <bibliothek@th-wildau.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |major --- Comment #4 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Updating severity as I believe that will help to fix the KOCT plugin? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #176164|0 |1 is obsolete| | --- Comment #5 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 176187 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=176187&action=edit Bug 38826: Make check_api_auth $sessionID consistent This change makes $sessionID consistently return using the session ID and not sometimes the session object. Test plan: 0. Apply the patch 1. koha-plack --restart kohadev 2. curl -v 'http://localhost:8081/cgi-bin/koha/svc/authentication' --cookie-jar /tmp/test.cookies 3. Note the Csrf-Token header value 4. Replace the <CSRF-TOKEN>, <USERID>, and <PASSWORD> tokens in the next step using the appropriate values (eg the CSRF-TOKEN is from the previous step) 5. curl -v -H "Content-Type: application/x-www-form-urlencoded" \ -H "Csrf-Token: <CSRF-TOKEN>" -XPOST \ 'http://localhost:8081/cgi-bin/koha/svc/authentication' \ -d "login_userid=<USERID>&login_password=<PASSWORD>" \ --cookie /tmp/test.cookies --cookie-jar /tmp/test.cookies 6. curl -XGET -v 'http://localhost:8081/cgi-bin/koha/svc/bib/29' \ --cookie /tmp/test.cookies > rec.marcxml 7. curl -v 'http://localhost:8081/cgi-bin/koha/svc/authentication' \ --cookie /tmp/test.cookies --cookie-jar /tmp/test.cookies 8. Note the Csrf-Token header value 9. curl -H "Content-Type: text/xml" -H "Csrf-Token: <CSRF-TOKEN>" \ -XPOST -v 'http://localhost:8081/cgi-bin/koha/svc/bib/29' \ --cookie /tmp/test.cookies --data @rec.marcxml Signed-off-by: Jan Kissig <bibliothek@th-wildau.de> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |nick@bywatersolutions.com |y.org | CC| |nick@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 --- Comment #6 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Nice mix of people here! :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |25.05.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 --- Comment #7 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 25.05! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This fixes authentication release notes| |checking so that the | |$sessionID is consistently | |returned (sometimes it was | |returning the session | |object). (Note: $sessionID | |is returned on a successful | |login, while $session is | |returned when there is a | |cookie for an authenticated | |session.) CC| |david@davidnind.com --- Comment #8 from David Nind <david@davidnind.com> --- I had a go at a release note, but I'm having understanding the "why" and the "effect" of this change - where this would be noticed. Only the KOCT browser addon? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- (In reply to David Nind from comment #8)
I had a go at a release note, but I'm having understanding the "why" and the "effect" of this change - where this would be noticed. Only the KOCT browser addon?
Thanks, David. I'll take a look. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 --- Comment #10 from David Cook <dcook@prosentient.com.au> --- (In reply to David Nind from comment #8)
I had a go at a release note, but I'm having understanding the "why" and the "effect" of this change - where this would be noticed. Only the KOCT browser addon?
The release text looks good to me. At the moment, it only affects any third-party integration that uses the svc/authentication API to check an authenticated session. I'm guessing not many integrations do it, or they've been not working and no one has said anything. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- (In reply to Katrin Fischer from comment #4)
Updating severity as I believe that will help to fix the KOCT plugin?
That's true. We should probably backport it back to 24.11 and 24.05 as well then. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aleisha@catalyst.net.nz Keywords| |rel_24_05_candidate, | |rel_24_11_candidate -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alexbuckley@catalyst.net.nz | |, | |paul.derscheid@lmscloud.de --- Comment #12 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Adding Paul for 24.11 backport. Paul, could you please backport this to 24.11 first? Then we can look to backport to 24.05. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |Pushed to stable Version(s)|25.05.00 |25.05.00,24.11.03 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 --- Comment #13 from Paul Derscheid <paul.derscheid@lmscloud.de> --- Nice work everyone! Pushed to 24.11.x for 24.11.03 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|25.05.00,24.11.03 |25.05.00,24.11.03,24.05.08 released in| | Status|Pushed to stable |Pushed to oldstable --- Comment #14 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Nice work everyone! Pushed to 24.05.x for 24.05.08 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Pushed to oldoldstable CC| |fridolin.somers@biblibre.co | |m Version(s)|25.05.00,24.11.03,24.05.08 |25.05.00,24.11.03,24.05.08, released in| |23.11.13 --- Comment #15 from Fridolin Somers <fridolin.somers@biblibre.com> --- Pushed to 23.11.x for 23.11.13 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_24_05_candidate, | |rel_24_11_candidate | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Jesse Maseto <jesse@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jesse@bywatersolutions.com Status|Pushed to oldoldstable |Pushed to oldoldoldstable --- Comment #16 from Jesse Maseto <jesse@bywatersolutions.com> --- Pushed to 22.11.x. Will be in next point release. 22.11.25 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |37060 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37060 [Bug 37060] KOCT cannot send circulation data due to missing CSRF token -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38826 Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldoldoldstable |RESOLVED CC| |wainuiwitikapark@catalyst.n | |et.nz Resolution|--- |FIXED Version(s)|25.05.00,24.11.03,24.05.08, |25.05.00,24.11.03,24.05.08, released in|23.11.13 |23.11.13,22.11.25 -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org