Kia ora koutou/Hello everyone,

We have several Koha integrations that require third-party systems to call Koha ILS-DI endpoints.

For example, Bolinda (BorrowBox) which calls the GetPatronInfo ILS-DI endpoint for authenticating users. Or the EBSCO EDS integration, which can use Koha ILS-DI endpoints for fetching RTAC (Real-Time Availability Check) data - alternatively, it can also integrate via Koha Z39.50.

Since Koha 24.05, ILS-DI requests for these integrations do not work, because the Koha CSRF.pm file expects a CSRF token for all stateful methods (POST, PUT, DELETE, PATCH requests), including ILS-DI endpoints. 

As ILS-DI is designed to be used cross site, we would be interested to hear the communities thoughts on what could, or should, be done to get ILS-DI requests from third-party systems working again - given these integrations do not pass through CSRF tokens.

To that end we have logged a bug report for having this conversation: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899 I will also link this bug report from the community Mattermost Development channel.

We would be interested to hear your thoughts on the bug report.

Thanks so much, as always,

Alex