[Koha-bugs] [Bug 13920] API authentication system - proposal

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Jun 24 16:13:34 CEST 2015


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920

--- Comment #5 from Olli-Antti Kivilahti <olli-antti.kivilahti at jns.fi> ---
Created attachment 40583
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40583&action=edit
Bug 13920 - API authentication system - Swagtenticator authentication - WIP

This feature implements REST API-key authentication and Koha permission validation in the Swagger2-plugin extension.
This is basically a Mojolicious to Koha authentication using Swagger2 RESTful API definition to autodocument and check for proper user permissions, aka. "KohaliciousSwagtenticator".

With this feature the API provider doesn't need to code anything in the Controller to support Koha permissions. Simply by defining a custom Swagger2 parameter
  "x-koha-parameters": {}
the Swagtenticator knows to check the user for proper Koha permissions.

Example (require any borrowers-permission):
...
  "paths": {
    "/borrowers": {
      "get": {
        "x-mojo-controller": "Koha::REST::V1::Borrowers",
        "x-koha-permission": {
          "borrowers": "*"
        },
        "operationId": "listBorrowers",
...

This x-koha-permission definition is turned to a HASH and given to the C4::Auth::haspermission() for verification by the Swagger2-based plugin.

Bug dependencies:
  Bug 13995 - Proper Exception handling,
    which helps a lot in dealing with all the various ways authentication can fail.
  Bug 14437 - Refactor C4::Auth::haspermission() to Koha::Object and return better errors.
    Which returns the failing permission so we can create a more helpful API which tells which permissions are missing
    (also helps admins in giving the right permissions)

This feature is implemented by inheriting Mojolicious::Plugin::Swagger2 in Koha::REST::V1::Plugins::KohaliciousSwagtenticator and overloading the necessary subroutines.

TEST PLAN:

1. Add the given example (up) to any "Operation Object *".
2. Call the "Operation object" (eg. /v1/borrowers/10) with user credentials not
   having any borrower-permissions.
3. Fail because of a myriad of reasons.
   (see KohaliciousSwagtenticator::check_key_auth())
4. Add some borrowers-permissions to the same user.
5. Succeed in your operation.

* from Swagger2.0 specification
