[Bug 36560] New: ILS-DI API doesn't have mechanism to provide CSRF tokens for POSTs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Bug ID: 36560 Summary: ILS-DI API doesn't have mechanism to provide CSRF tokens for POSTs Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Web services Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org When using the ILS-DI "AuthenticatePatron" service, you'll want to POST to the ILS-DI, but now this isn't possible without a CSRF token. But a third-party system doesn't have a CSRF token. This relates to bug 36094. It also won't have an "op" with a "cud-" prefix. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |36094 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094 [Bug 36094] svc/authentication needs adjustements -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|36094 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094 [Bug 36094] svc/authentication needs adjustements -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |36094 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094 [Bug 36094] svc/authentication needs adjustements -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- As I describe in https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094#c23 I think we'll actually have to have a ILS-DI exception for CSRF checking, since it uses IP-based auth and not cookie-based auth. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Note that some ILS-DI services are state changing actions. I will be glad when this ILS-DI API is gone... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37899 --- Comment #3 from Fridolin Somers <fridolin.somers@biblibre.com> --- Arf this is a problem for Bokeh portal -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |alexbuckley@catalyst.net.nz --- Comment #4 from David Cook <dcook@prosentient.com.au> --- *** Bug 37899 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CONFIRMED --- Comment #5 from David Cook <dcook@prosentient.com.au> --- I am hoping to get to this soon. Thanks for your patience, folks... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|ILS-DI API doesn't have |ILS-DI API POSTS cause CSRF |mechanism to provide CSRF |errors unnecessarily |tokens for POSTs | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=36094 Depends on|36094 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094 [Bug 36094] svc/authentication needs adjustments -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Created attachment 173114 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=173114&action=edit Bug 36560: Add a CSRF exception for ILS-DI API This change adds an exception for the ILS-DI API for CSRF prevention since there is no way to acquire a CSRF token for the ILS-DI API. 1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=ILS-DI 2. Enable "ILS-DI" 3. curl -v localhost:8080/cgi-bin/koha/ilsdi.pl -d "service=AuthenticatePatron&username=REALUSER&password=REALPASSWORD" 4. Note the 403 response 5. Apply the patch 6. sudo koha-plack --restart kohadev 7. curl -v localhost:8080/cgi-bin/koha/ilsdi.pl -d "service=AuthenticatePatron&username=REALUSER&password=REALPASSWORD" 8. Note the 200 response -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Technically, the ILS-DI API can be vulnerable to CSRF, if the ILS-DI:AuthorizedIPs is blank or if it matches the IP address of the targeted user. However, the ILS-DI API doesn't have any way of obtaining a CSRF token, so I think we should add an exception. Alternatively, we could change the way the ILS-DI API works, but that would have far reaching consequences. Another alternative would be to replicate all ILS-DI API functionality in the REST API, and switch people over to using that... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- Yet... as practical as an exception might be in the short-term... it still doesn't help us in the long-term. -- Maybe we do make an AuthenticateApiUser verb for the ILS-DI too, which requires a Koha staff user with an ILS-DI permission, and then we get all third-parties to use that. Initially, if we add a CSRF exception, we could continue supporting ILS-DI:AuthorizedIPs as well, and then eventually remove the exception and drop IP auth support. -- Jonathan, what do you think? The ILS-DI API is used fairly broadly. Not only for discovery systems like VuFind and EBSCO EDS but also for other third-party systems (especially in public libraries) that use it to authenticate patrons. Overall, I've found third-parties willing to work with us on API integrations, but Koha hasn't had the options for secure HTTP API integrations (even the REST API has permissions issues to an extent). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|ILS-DI API POSTS cause CSRF |ILS-DI API POSTS cause CSRF |errors unnecessarily |errors -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Andreas Jonsson <andreas.jonsson@kreablo.se> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |andreas.jonsson@kreablo.se -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #9 from Jonathan Druart <jonathan.druart@gmail.com> --- (In reply to David Cook from comment #8)
Jonathan, what do you think?
Not ideal but I don't have something better to suggest. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #173114|0 |1 is obsolete| | --- Comment #10 from David Nind <david@davidnind.com> --- Created attachment 173182 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=173182&action=edit Bug 36560: Add a CSRF exception for ILS-DI API This change adds an exception for the ILS-DI API for CSRF prevention since there is no way to acquire a CSRF token for the ILS-DI API. 1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=ILS-DI 2. Enable "ILS-DI" 3. curl -v localhost:8080/cgi-bin/koha/ilsdi.pl -d "service=AuthenticatePatron&username=REALUSER&password=REALPASSWORD" 4. Note the 403 response 5. Apply the patch 6. sudo koha-plack --restart kohadev 7. curl -v localhost:8080/cgi-bin/koha/ilsdi.pl -d "service=AuthenticatePatron&username=REALUSER&password=REALPASSWORD" 8. Note the 200 response Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Kyle M Hall (khall) <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #173182|0 |1 is obsolete| | --- Comment #11 from Kyle M Hall (khall) <kyle@bywatersolutions.com> --- Created attachment 173349 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=173349&action=edit Bug 36560: Add a CSRF exception for ILS-DI API This change adds an exception for the ILS-DI API for CSRF prevention since there is no way to acquire a CSRF token for the ILS-DI API. 1. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=ILS-DI 2. Enable "ILS-DI" 3. curl -v localhost:8080/cgi-bin/koha/ilsdi.pl -d "service=AuthenticatePatron&username=REALUSER&password=REALPASSWORD" 4. Note the 403 response 5. Apply the patch 6. sudo koha-plack --restart kohadev 7. curl -v localhost:8080/cgi-bin/koha/ilsdi.pl -d "service=AuthenticatePatron&username=REALUSER&password=REALPASSWORD" 8. Note the 200 response Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #12 from Kyle M Hall (khall) <kyle@bywatersolutions.com> --- Created attachment 173350 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=173350&action=edit Bug 36560: (QA follow-up) Tidy code Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |kyle@bywatersolutions.com |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |release-notes-needed --- Comment #13 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Might be good to have a quick note here that this means the ILS-DI service will work again. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 --- Comment #14 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Pushed for 24.11! Well done everyone, thank you! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This change creates an release notes| |anti-CSRF exception so that | |the ILS-DI API will work | |without a CSRF token. | |Libraries are reminded that | |they should be careful when | |configuring the | |ILS-DI:AuthorizedIPs system | |preference for access to | |the ILS-DI API. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Lisette Scheer <lisette@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|release-notes-needed | CC| |lisette@bywatersolutions.co | |m -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|24.11.00 |24.11.00,24.05.06 released in| | CC| |lucas@bywatersolutions.com Status|Pushed to main |Pushed to stable --- Comment #15 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.06 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Needs documenting --- Comment #16 from Fridolin Somers <fridolin.somers@biblibre.com> --- Not for 23.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36560 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |caroline.cyr-la-rose@inlibr | |o.com Status|Needs documenting |RESOLVED Resolution|--- |FIXED --- Comment #17 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> --- Bug fix, nothing to add/edit in the manual. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org