Kia ora koutou/Hello everyone,
We have several Koha integrations that require third-party systems to call Koha ILS-DI endpoints.
For example, Bolinda (BorrowBox) which calls the GetPatronInfo
ILS-DI endpoint for authenticating users. Or the EBSCO EDS
integration, which can use Koha ILS-DI endpoints for fetching RTAC
(Real-Time Availability Check) data - alternatively, it can also
integrate via Koha Z39.50.
Since Koha 24.05, ILS-DI requests for these integrations do not work, because the Koha CSRF.pm file expects a CSRF token for all stateful methods (POST, PUT, DELETE, PATCH requests), including ILS-DI endpoints.
As ILS-DI is designed to be used cross site, we would be
interested to hear the communities thoughts on what could, or
should, be done to get ILS-DI requests from third-party systems
working again - given these integrations do not pass through CSRF
tokens.
To that end we have logged a bug report for having this
conversation: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899
I will also link this bug report from the community Mattermost
Development channel.
We would be interested to hear your thoughts on the bug report.
Thanks so much, as always,
Alex