[Bug 19133] New: REST API: Password recovery
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Bug ID: 19133 Summary: REST API: Password recovery Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Web services Assignee: koha-bugs@lists.koha-community.org Reporter: lari.taskula@jns.fi QA Contact: testopia@bugs.koha-community.org Add password recovery functionality to REST API. Support third party integrations for reset link: by default, use existing password recovery page in Koha OPAC, but also have the ability to link patron to external system to complete their password recovery. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Lari Taskula <lari.taskula@jns.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |lari.taskula@jns.fi |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #1 from Lari Taskula <lari.taskula@jns.fi> --- Created attachment 66415 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66415&action=edit Bug 19133: Password recovery via REST API This patch adds password recovery functionality to REST API. POST /patrons/password/recovery Creates a new password recovery request. Takes a JSON body with "email" and one of "userid" or "cardnumber" as parameters. Sends patron PASSWORD_RESET email. POST /patrons/password/recovery/complete Completes pending password recovery. Takes a JSON body with "uuid", "new_password" and "confirm_new_password" as parameters. If passwords meet Koha's password requirements, changes patron's password to the requested new password. To test: 1. prove t/db_dependent/api/v1/passwordrecovery.t 2. Send POST requests to the endpoints listed above. See the description of endpoints above for required parameters. 3. Check message_queue (or your email if you actually send messages in the queue) to make sure your password recovery was enqueued 4. Observe your password has been changed once you completed the recovery process -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #2 from Lari Taskula <lari.taskula@jns.fi> --- Created attachment 66416 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66416&action=edit Bug 19133: Add an ability to link patron to third party service to reset their password Adds additional functionality to POST /patrons/password/recovery. Pass a new parameter "custom_link" to send patron a recovery email that contains this link instead of Koha OPAC's opac-password-recovery.pl page. This way third party services can link Koha patrons to their own service to have passwords recovered. By default, forbids all custom links. To enable specific services, use the new system preference OpacResetPasswordHostWhitelist. This preference contains a list of allowed host names to which it is allowed to link the patron in recovery email. Use case in steps (to understand the feature better): 1. Library uses a discovery software (e.g. VuFind, from now on VF) and has disabled Koha's OPAC 2. VF uses Koha REST API 3. Patrons can login to VF with their Koha userid and password 4. Patron goes to VF login screen, but has forgotten their password 5. Patron requests their password to be reset in VF 6. VF sends a POST request to /api/v1/patrons/password/recovery with patron's userid and email as parameters, as well as custom_link to a password reset page in VF 7. Koha sends patron an email containing a link to VF password reset page (instead of Koha OPAC's opac-password-recovery.pl) 8. Patron reads their email and resets password in VF To test: 1. Apply patch and run updatedatabase.pl 2. prove t/db_dependent/api/v1/passwordrecovery.t 3. Modify OpacResetPasswordHostWhitelist system preference. Add "anything" to its value. 4. Send a POST request to /api/v1/patrons/password/recovery with parameters "email", "userid" and "custom_link" (custom_link value e.g. "https://anything/reset-password.pl?token={uuid}") 5. You should get a HTTP 201 response 6. Check your message_queue. Your password recovery email should now contain the link you provided in step 4 7. Repeat step 4 but this time use something else as custom_link value 8. You should get a response that this host name is not accepted -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #3 from Lari Taskula <lari.taskula@jns.fi> --- Created attachment 66419 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66419&action=edit Bug 19133-2: Allow third party services to send password recovery emails instead of Koha Adds a new parameter "skip_mail" to POST /api/v1/patrons/password/recovery. This allows third party services to avoid Koha enqueueing recovery email to message queue. Instead, letter content and the link containing uuid is returned. Requires permission to do so. Adds a new permission borrowers.get_password_reset_uuid that allows the above. To test: 1. Apply patch and run updatedatabase.pl 2. prove t/db_dependent/api/v1/passwordrecovery.t 3. Add yourself borrowers.get_password_reset_uuid permission 4. Send POST request to /api/v1/patrons/password/recovery containing a JSON body { "email": "patrons@email.com", "userid": "patrons userid", "custom_link": "https://allowed/reset.pl?token={uuid}", "skip_mail": true } (Make sure custom link is allowed by the system preference introduced in previous patch) 5. Check that the message contents and other related data is returned 6. Check borrower_password_recovery table - there should be a new entry for you 7. Check message_queue table - this message should not be enqueued -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #4 from Lari Taskula <lari.taskula@jns.fi> --- Needs a rebase, above patches have dependencies that are blocked and can be removed. Will get back to this later. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org Component|Web services |REST api QA Contact|testopia@bugs.koha-communit | |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Mike <black23@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |black23@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |23865 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23865 [Bug 23865] Throw exceptions from Koha::AuthUtils::is_password_valid -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|23865 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23865 [Bug 23865] Throw exceptions from Koha::AuthUtils::is_password_valid -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #66415|0 |1 is obsolete| | --- Comment #5 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 94551 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94551&action=edit Bug 19133: Password recovery via REST API This patch adds password recovery functionality to REST API. POST /public/patrons/password/recovery Creates a new password recovery request. Takes a JSON body with "email" and one of "userid" or "cardnumber" as parameters. Sends patron PASSWORD_RESET email. POST /public/patrons/password/recovery/complete Completes pending password recovery. Takes a JSON body with "uuid", "new_password" and "confirm_new_password" as parameters. If passwords meet Koha's password requirements, changes patron's password to the requested new password. To test: 1. prove t/db_dependent/api/v1/patrons_password_recovery.t 2. Send POST requests to the endpoints listed above. See the description of endpoints above for required parameters. 3. Check message_queue (or your email if you actually send messages in the queue) to make sure your password recovery was enqueued 4. Observe your password has been changed once you completed the recovery process Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #66416|0 |1 is obsolete| | --- Comment #6 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 94553 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94553&action=edit Bug 19133: Add an ability to link patron to third party service to reset their password Adds additional functionality to POST /public/patrons/password/recovery. Pass a new parameter "custom_link" to send patron a recovery email that contains this link instead of Koha OPAC's opac-password-recovery.pl page. This way third party services can link Koha patrons to their own service to have passwords recovered. By default, forbids all custom links. To enable specific services, use the new system preference OpacResetPasswordHostWhitelist. This preference contains a list of allowed host names to which it is allowed to link the patron in recovery email. Use case in steps (to understand the feature better): 1. Library uses a discovery software (e.g. VuFind, from now on VF) and has disabled Koha's OPAC 2. VF uses Koha REST API 3. Patrons can login to VF with their Koha userid and password 4. Patron goes to VF login screen, but has forgotten their password 5. Patron requests their password to be reset in VF 6. VF sends a POST request to /api/v1/patrons/password/recovery with patron's userid and email as parameters, as well as custom_link to a password reset page in VF 7. Koha sends patron an email containing a link to VF password reset page (instead of Koha OPAC's opac-password-recovery.pl) 8. Patron reads their email and resets password in VF To test: 1. Apply patch and run updatedatabase.pl 2. prove t/db_dependent/api/v1/patrons_password_recovery.t 3. Modify OpacResetPasswordHostWhitelist system preference. Add "anything" to its value. 4. Send a POST request to /api/v1/public/atrons/password/recovery with parameters "email", "userid" and "custom_link" (custom_link value e.g. "https://anything/reset-password.pl?token={uuid}") 5. You should get a HTTP 201 response 6. Check your message_queue. Your password recovery email should now contain the link you provided in step 4 7. Repeat step 4 but this time use something else as custom_link value 8. You should get a response that this host name is not accepted Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #66419|0 |1 is obsolete| | --- Comment #7 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 94554 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94554&action=edit Bug 19133: Allow third party services to send password recovery emails instead of Koha Adds a new parameter "skip_mail" to POST /api/v1/public/patrons/password/recovery. This allows third party services to avoid Koha enqueueing recovery email to message queue. Instead, letter content and the link containing uuid is returned. Requires permission to do so. Adds a new permission borrowers.get_password_reset_uuid that allows the above. To test: 1. Apply patch and run updatedatabase.pl 2. prove t/db_dependent/api/v1/patrons_password_recovery.t 3. Add yourself borrowers.get_password_reset_uuid permission 4. Send POST request to /api/v1/public/patrons/password/recovery containing a JSON body { "email": "patrons@email.com", "userid": "patrons userid", "custom_link": "https://allowed/reset.pl?token={uuid}", "skip_mail": true } (Make sure custom link is allowed by the system preference introduced in previous patch) 5. Check that the message contents and other related data is returned 6. Check borrower_password_recovery table - there should be a new entry for you 7. Check message_queue table - this message should not be enqueued Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Joonas Kylmälä <joonas.kylmala@helsinki.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Patch doesn't apply CC| |joonas.kylmala@helsinki.fi -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version|unspecified |master CC| |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|REST API: Password recovery |Password recovery routes -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94553|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94554|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94551|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #8 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 112751 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112751&action=edit Bug 19133: Password recovery via REST API This patch adds password recovery functionality to REST API. POST /public/patrons/password/recovery Creates a new password recovery request. Takes a JSON body with "email" and one of "userid" or "cardnumber" as parameters. Sends patron PASSWORD_RESET email. POST /public/patrons/password/recovery/complete Completes pending password recovery. Takes a JSON body with "uuid", "new_password" and "confirm_new_password" as parameters. If passwords meet Koha's password requirements, changes patron's password to the requested new password. To test: 1. prove t/db_dependent/api/v1/patrons_password_recovery.t 2. Send POST requests to the endpoints listed above. See the description of endpoints above for required parameters. 3. Check message_queue (or your email if you actually send messages in the queue) to make sure your password recovery was enqueued 4. Observe your password has been changed once you completed the recovery process Sponsored-by: Koha-Suomi Oy Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #9 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 112752 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112752&action=edit Bug 19133: Add an ability to link patron to third party service to reset their password Adds additional functionality to POST /public/patrons/password/recovery. Pass a new parameter "custom_link" to send patron a recovery email that contains this link instead of Koha OPAC's opac-password-recovery.pl page. This way third party services can link Koha patrons to their own service to have passwords recovered. By default, forbids all custom links. To enable specific services, use the new system preference OpacResetPasswordHostWhitelist. This preference contains a list of allowed host names to which it is allowed to link the patron in recovery email. Use case in steps (to understand the feature better): 1. Library uses a discovery software (e.g. VuFind, from now on VF) and has disabled Koha's OPAC 2. VF uses Koha REST API 3. Patrons can login to VF with their Koha userid and password 4. Patron goes to VF login screen, but has forgotten their password 5. Patron requests their password to be reset in VF 6. VF sends a POST request to /api/v1/patrons/password/recovery with patron's userid and email as parameters, as well as custom_link to a password reset page in VF 7. Koha sends patron an email containing a link to VF password reset page (instead of Koha OPAC's opac-password-recovery.pl) 8. Patron reads their email and resets password in VF To test: 1. Apply patch and run updatedatabase.pl 2. prove t/db_dependent/api/v1/patrons_password_recovery.t 3. Modify OpacResetPasswordHostWhitelist system preference. Add "anything" to its value. 4. Send a POST request to /api/v1/public/atrons/password/recovery with parameters "email", "userid" and "custom_link" (custom_link value e.g. "https://anything/reset-password.pl?token={uuid}") 5. You should get a HTTP 201 response 6. Check your message_queue. Your password recovery email should now contain the link you provided in step 4 7. Repeat step 4 but this time use something else as custom_link value 8. You should get a response that this host name is not accepted Sponsored-by: Koha-Suomi Oy Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #10 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 112753 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112753&action=edit Bug 19133: Allow third party services to send password recovery emails instead of Koha Adds a new parameter "skip_mail" to POST /api/v1/public/patrons/password/recovery. This allows third party services to avoid Koha enqueueing recovery email to message queue. Instead, letter content and the link containing uuid is returned. Requires permission to do so. Adds a new permission borrowers.get_password_reset_uuid that allows the above. To test: 1. Apply patch and run updatedatabase.pl 2. prove t/db_dependent/api/v1/patrons_password_recovery.t 3. Add yourself borrowers.get_password_reset_uuid permission 4. Send POST request to /api/v1/public/patrons/password/recovery containing a JSON body { "email": "patrons@email.com", "userid": "patrons userid", "custom_link": "https://allowed/reset.pl?token={uuid}", "skip_mail": true } (Make sure custom link is allowed by the system preference introduced in previous patch) 5. Check that the message contents and other related data is returned 6. Check borrower_password_recovery table - there should be a new entry for you 7. Check message_queue table - this message should not be enqueued Sponsored-by: Koha-Suomi Oy Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #11 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 112755 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112755&action=edit Bug 19133: (QA follow-up) Remove unrelated change Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #12 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 112756 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112756&action=edit Bug 19133: (QA follow-up) More contemporary language Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #13 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 112757 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112757&action=edit Bug 19133: (QA follow-up) Correct exception description Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #14 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 112758 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112758&action=edit Bug 19133: Fix tests Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #15 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Ok, I rebased it and made some cleanup. I will try to rewrite the tests with newer style and stuff. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com, | |martin.renvoize@ptfs-europe | |.com, | |nick@bywatersolutions.com QA Contact| |tomascohen@gmail.com --- Comment #16 from Tomás Cohen Arazi <tomascohen@gmail.com> --- If this gets a sign-off, I will do a final QA round with the tests changes I proposed. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #17 from Tomás Cohen Arazi <tomascohen@gmail.com> --- QA question: POST recovery/complete vs POST recover/completion completion reads more RESTful. Does the recovery_request have an id? maybe the recovery_request is the one to get the completion: POST /recovery_request/<ID/token>/completion I'd prefer that. Looking forward for your comments to move forward. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #18 from Tomás Cohen Arazi <tomascohen@gmail.com> --- This is also missing some tests for the Recovery.pm changes (url param). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #112751|0 |1 is obsolete| | Attachment #112752|0 |1 is obsolete| | Attachment #112753|0 |1 is obsolete| | Attachment #112755|0 |1 is obsolete| | Attachment #112756|0 |1 is obsolete| | Attachment #112757|0 |1 is obsolete| | Attachment #112758|0 |1 is obsolete| | --- Comment #19 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 112937 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112937&action=edit Bug 19133: Password recovery via REST API This patch adds password recovery functionality to REST API. POST /public/patrons/password/recovery Creates a new password recovery request. Takes a JSON body with "email" and one of "userid" or "cardnumber" as parameters. Sends patron PASSWORD_RESET email. POST /public/patrons/password/recovery/complete Completes pending password recovery. Takes a JSON body with "uuid", "new_password" and "confirm_new_password" as parameters. If passwords meet Koha's password requirements, changes patron's password to the requested new password. To test: 1. prove t/db_dependent/api/v1/patrons_password_recovery.t 2. Send POST requests to the endpoints listed above. See the description of endpoints above for required parameters. 3. Check message_queue (or your email if you actually send messages in the queue) to make sure your password recovery was enqueued 4. Observe your password has been changed once you completed the recovery process Sponsored-by: Koha-Suomi Oy Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #20 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 112938 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112938&action=edit Bug 19133: Add an ability to link patron to third party service to reset their password Adds additional functionality to POST /public/patrons/password/recovery. Pass a new parameter "custom_link" to send patron a recovery email that contains this link instead of Koha OPAC's opac-password-recovery.pl page. This way third party services can link Koha patrons to their own service to have passwords recovered. By default, forbids all custom links. To enable specific services, use the new system preference OpacResetPasswordHostWhitelist. This preference contains a list of allowed host names to which it is allowed to link the patron in recovery email. Use case in steps (to understand the feature better): 1. Library uses a discovery software (e.g. VuFind, from now on VF) and has disabled Koha's OPAC 2. VF uses Koha REST API 3. Patrons can login to VF with their Koha userid and password 4. Patron goes to VF login screen, but has forgotten their password 5. Patron requests their password to be reset in VF 6. VF sends a POST request to /api/v1/patrons/password/recovery with patron's userid and email as parameters, as well as custom_link to a password reset page in VF 7. Koha sends patron an email containing a link to VF password reset page (instead of Koha OPAC's opac-password-recovery.pl) 8. Patron reads their email and resets password in VF To test: 1. Apply patch and run updatedatabase.pl 2. prove t/db_dependent/api/v1/patrons_password_recovery.t 3. Modify OpacResetPasswordHostWhitelist system preference. Add "anything" to its value. 4. Send a POST request to /api/v1/public/atrons/password/recovery with parameters "email", "userid" and "custom_link" (custom_link value e.g. "https://anything/reset-password.pl?token={uuid}") 5. You should get a HTTP 201 response 6. Check your message_queue. Your password recovery email should now contain the link you provided in step 4 7. Repeat step 4 but this time use something else as custom_link value 8. You should get a response that this host name is not accepted Sponsored-by: Koha-Suomi Oy Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #21 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 112939 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112939&action=edit Bug 19133: Allow third party services to send password recovery emails instead of Koha Adds a new parameter "skip_mail" to POST /api/v1/public/patrons/password/recovery. This allows third party services to avoid Koha enqueueing recovery email to message queue. Instead, letter content and the link containing uuid is returned. Requires permission to do so. Adds a new permission borrowers.get_password_reset_uuid that allows the above. To test: 1. Apply patch and run updatedatabase.pl 2. prove t/db_dependent/api/v1/patrons_password_recovery.t 3. Add yourself borrowers.get_password_reset_uuid permission 4. Send POST request to /api/v1/public/patrons/password/recovery containing a JSON body { "email": "patrons@email.com", "userid": "patrons userid", "custom_link": "https://allowed/reset.pl?token={uuid}", "skip_mail": true } (Make sure custom link is allowed by the system preference introduced in previous patch) 5. Check that the message contents and other related data is returned 6. Check borrower_password_recovery table - there should be a new entry for you 7. Check message_queue table - this message should not be enqueued Sponsored-by: Koha-Suomi Oy Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #22 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 112940 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112940&action=edit Bug 19133: (QA follow-up) Remove unrelated change Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #23 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 112941 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112941&action=edit Bug 19133: (QA follow-up) More contemporary language Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #24 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 112942 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112942&action=edit Bug 19133: (QA follow-up) Correct exception description Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #25 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 112943 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112943&action=edit Bug 19133: Fix tests Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #26 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 112944 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=112944&action=edit Bug 19133: (QA follow-up) Fix QA script issues Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #27 from Lari Taskula <lari.taskula@hypernova.fi> --- (In reply to Tomás Cohen Arazi from comment #18)
This is also missing some tests for the Recovery.pm changes (url param).
Hi Tomas, and Kyle, nice to see you testing and QA'ing this. I can confirm the missing tests - Recovery.pm::SendPasswordRecoveryEmail() is missing tests for the changes introduced in the second and third patch (url and skip_mail parameters). The main functionality is tested in the REST tests but of course we should still add unit tests to SendPasswordRecoveryEmail itself. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #28 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Lari Taskula from comment #27)
(In reply to Tomás Cohen Arazi from comment #18)
This is also missing some tests for the Recovery.pm changes (url param).
Hi Tomas, and Kyle, nice to see you testing and QA'ing this. I can confirm the missing tests - Recovery.pm::SendPasswordRecoveryEmail() is missing tests for the changes introduced in the second and third patch (url and skip_mail parameters). The main functionality is tested in the REST tests but of course we should still add unit tests to SendPasswordRecoveryEmail itself.
We are almost on feature freeze. If the RM would consider this for inclusion (I would include it, as it is not going to break any existing feature) I can help with the missing tests. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Failed QA --- Comment #29 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- 1. I am getting an horrible stack of errors when running the tests: $ prove t/db_dependent/api/v1/patrons_password_recovery.t t/db_dependent/api/v1/patrons_password_recovery.t .. unable to establish SMTP connection to localhost port 25 Trace begun at /usr/share/perl5/Email/Sender/Transport/SMTP.pm line 194 Email::Sender::Transport::SMTP::_throw('Email::Sender::Transport::SMTP=HASH(0x55ca6a314d18)', 'unable to establish SMTP connection to localhost port 25') called at /usr/share/perl5/Email/Sender/Transport/SMTP.pm line 144 [...] 2. This cannot be pushed without missing tests. 3. + unless (C4::Context->preference('OpacPasswordChange') and + C4::Context->preference('OpacPasswordReset')) + { + return $c->render(status => 403, openapi => { + error => 'Password recovery is disabled.' + }); + } hum? OpacPasswordReset never existed, it's OpacResetPassword. But I think $patron->category->can_reset_password (from bug 21890) should be used here instead. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #30 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Created attachment 113328 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=113328&action=edit Bug 19133: Fix atomic updates -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133 --- Comment #31 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Just realized that this functionality is not covered by the API yet and wanted to add a +1 at least. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org