[Bug 19752] New: Improve authentication response in offline_circ/ service.pl
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Bug ID: 19752 Summary: Improve authentication response in offline_circ/service.pl Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Circulation Assignee: koha-bugs@lists.koha-community.org Reporter: alex.arnaud@biblibre.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com offline_circ/service.pl currently returns a "200 OK" HTTP status with a "Authentication failed" string. We need a valid status code in this case (401). We also need a nocookie option in this script. We added a test button in Koct FF extention that check if the entered login/password are correct. But if the user is currently authenticated on Koha, the script will use the cookie authentication which can be misleading. With nocookie parameter set to true, only the login/password will be checked. Patch is coming -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Alex Arnaud <alex.arnaud@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |alex.arnaud@biblibre.com |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |19689 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19689 [Bug 19689] Koha Offline Circulation Firefox plugin sends entries with wrong branchcode without error -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #1 from Alex Arnaud <alex.arnaud@biblibre.com> --- Created attachment 69511 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=69511&action=edit offline_circ/service.pl return HTTP status 401 when authentication failed and add option nocookie. test plan: - Apply this patch, - log in to Koha, - go to cgi-bin/koha/offline_circ/service.pl with no valid user and password as parameters and nocookie set to 1. i.e: cgi-bin/koha/offline_circ/service.pl?user=alex&password=wrongpass&nocookie=1, - auth should fail - check that the response code is 401 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Alex Arnaud <alex.arnaud@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Maksim Sen <maksim.sen@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |maksim.sen@inlibro.com --- Comment #2 from Maksim Sen <maksim.sen@inlibro.com> --- Hey Alex, I only get a 404 code and not 401 in the opac. and I got nothing by using your link/path with the intranet. Am I missing some steps? Thanks, Maksim Sen -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |matthias.meusburger@biblibr | |e.com --- Comment #3 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Hi Maksim, service.pl is indeed an intranet page. What do you mean you got nothing? A blank page? Keep in mind that service.pl is meant to be called as a webservice, so it's not abnormal nothing is displayed in the page itself. However, you'll be able to display the HTTP status code using firefox's debug tool (F12 key, then Network tab, then load the page) By the way, I've tested this, and it behaves correctly: I have a 200 error code following the test plan before applying the patch, and a 401 error code with the patch. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mtompset@hotmail.com --- Comment #4 from M. Tompsett <mtompset@hotmail.com> --- I had the FireFox Rester tool installed. On a kohadevbox with Offline Circulation enabled. Something is weird I think with the $lasttime and $timeout check in the function call. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Maksim Sen <maksim.sen@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Maksim Sen <maksim.sen@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #69511|0 |1 is obsolete| | --- Comment #5 from Maksim Sen <maksim.sen@inlibro.com> --- Created attachment 73799 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=73799&action=edit offline_circ/service.pl return HTTP status 401 when authentication failed and add option nocookie. test plan: - Apply this patch, - log in to Koha, - go to cgi-bin/koha/offline_circ/service.pl with no valid user and password as parameters and nocookie set to 1. i.e: cgi-bin/koha/offline_circ/service.pl?user=alex&password=wrongpass&nocookie=1, - auth should fail - check that the response code is 401 https://bugs.koha-community.org/show_bug.cgi?id=19752 Signed-off-by: Maksim Sen <maksim.sen@inlibro.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #6 from Maksim Sen <maksim.sen@inlibro.com> --- I don't know why it showed this link at the end of my sign off: https://bugs.koha-community.org/show_bug.cgi?id=19752 Anyway, I tried it with the dev tools, Matthias, and it works! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Status|Signed Off |Failed QA --- Comment #7 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Test plan passes, but shouldn't the right credentials give me a 200? It seems I always get a 401. Alex, can you extend the test plan a bit to explain the expected outcomes? - What happens with and without nocookie? - What happens with and without the right credentials? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #8 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- If I'm correct, the following behavior is expected: - right credentials, with a cookie, without the nocookie option: 200 - wrong credentials, with a cookie, without the nocookie option: 200 - right credentials, with a cookie, with the nocookie option: 200 - wrong credentials, with a cookie, with the nocookie option: 401 - right credentials, without a cookie, without the nocookie option: 200 - wrong credentials, without a cookie, without the nocookie option: 401 - right credentials, without a cookie, with the nocookie option: 200 - wrong credentials, without a cookie, with the nocookie option: 401 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #9 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- The second line: - wrong credentials, with a cookie, without the nocookie option: 200 is the current behavior in Koha, and is the reason the nocookie option is introduced, in order the be able to have this behavior: - wrong credentials, with a cookie, with the nocookie option: 401 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #10 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Hi Matts, can you maybe check if it works for you? My test was nocookie=1 with correct credentials and I still got a 401. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #11 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- You're right Katrin, there is a problem: - right credentials, without a cookie, with the nocookie option returns 401 instead of 200. (check_api_auth returns status="expired") -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #12 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- I found the problem, the test plan was incorrect, the parameter to use is userid and not user: cgi-bin/koha/offline_circ/service.pl?userid=alex&password=wrongpass&nocookie=1 When using the correct parameters, it works as expected. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #13 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- We need to remember to fix the commit message then. Could you do it? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #73799|0 |1 is obsolete| | --- Comment #14 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Created attachment 74712 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74712&action=edit offline_circ/service.pl return HTTP status 401 when authentication failed and add option nocookie. test plan: - Apply this patch, - log in to Koha, - go to cgi-bin/koha/offline_circ/service.pl with no valid user and password as parameters and nocookie set to 1. i.e: cgi-bin/koha/offline_circ/service.pl?userid=alex&password=wrongpass&nocookie=1, - auth should fail - check that the response code is 401 https://bugs.koha-community.org/show_bug.cgi?id=19752 Signed-off-by: Maksim Sen <maksim.sen@inlibro.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74712|0 |1 is obsolete| | --- Comment #15 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 74776 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74776&action=edit Bug 19752: offline_circ/service.pl - Return HTTP status 401 when authentication failed and add option nocookie Test plan: - Apply this patch, - log in to Koha, - go to cgi-bin/koha/offline_circ/service.pl with no valid user and password as parameters and nocookie set to 1. i.e: cgi-bin/koha/offline_circ/service.pl?userid=alex&password=wrongpass&nocookie=1, - auth should fail - check that the response code is 401 https://bugs.koha-community.org/show_bug.cgi?id=19752 Signed-off-by: Maksim Sen <maksim.sen@inlibro.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #16 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Since KOCT 0.4.5, that's it? Maybe we should add a comment close to the parameter explaining where does it comes from? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #17 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Yes, that's right, since 0.4.5 I'll add a comment to explain. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Matthias Meusburger <matthias.meusburger@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #74776|0 |1 is obsolete| | --- Comment #18 from Matthias Meusburger <matthias.meusburger@biblibre.com> --- Created attachment 74814 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=74814&action=edit Bug 19752: offline_circ/service.pl - Return HTTP status 401 when authentication failed and add option nocookie Test plan: - Apply this patch, - log in to Koha, - go to cgi-bin/koha/offline_circ/service.pl with no valid user and password as parameters and nocookie set to 1. i.e: cgi-bin/koha/offline_circ/service.pl?userid=alex&password=wrongpass&nocookie=1, - auth should fail - check that the response code is 401 https://bugs.koha-community.org/show_bug.cgi?id=19752 Signed-off-by: Maksim Sen <maksim.sen@inlibro.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 --- Comment #19 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Thanks Matts! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #20 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Pushed to master for 18.05, thanks to everybody involved! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com Status|Pushed to Master |Pushed to Stable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19752 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Stable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org