[Koha-bugs] [Bug 13920] API authentication system - proposal

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Jun 25 11:33:20 CEST 2015


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920

Julian Maurice <julian.maurice at biblibre.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #40591|0                           |1
        is obsolete|                            |

--- Comment #10 from Julian Maurice <julian.maurice at biblibre.com> ---
Created attachment 40624
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40624&action=edit
Bug 13920: 8. API Authentication, part 2: implement authentication in API

For authentication to succeed, the client has to send 3 custom HTTP
headers:
 - X-Koha-Username: userid of borrower
 - X-Koha-Timestamp: timestamp of the request
 - X-Koha-Signature: signature of the request

The signature is an HMAC-SHA256 hash of several elements of the request,
separated by spaces:
 - HTTP method (uppercase)
 - URL path and query string
 - username
 - timestamp of the request

The server then tries to rebuild the signature with each user's API key.
If one matches the received X-Koha-Signature, then authentication is
almost OK.

To prevent requests from being replayed, the last request's timestamp is stored
in the database and the authentication succeeds only if the stored timestamp
is less than X-Koha-Timestamp.

This patch implements server-side authentication (in Koha/REST/V1.pm).

There is also an "anonymous" mode if X-Koha-* headers are not set.
Anonymous mode differs from authenticated mode in one thing: if the user is
authenticated, the corresponding Koha::Borrower object is stored in the
Mojolicious stash, so it can easily be retrieved by controllers.
Controllers then have the responsibility of deciding what to do if the user is
authenticated or not.

-- 
You are receiving this mail because:
You are watching all bug changes.
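The scheme described in the commit message above, worked through as an added example (this is not Koha's Perl code from Koha/REST/V1.pm, and the user table, keys, paths and timestamps are constructed for illustration): the client builds the three X-Koha-* headers from the signing string "METHOD path username timestamp", and the server rebuilds the HMAC-SHA256, compares it in constant time, and enforces the strictly-increasing timestamp rule that blocks replays. Missing headers fall through to the anonymous mode the message describes. One deliberate deviation, noted again in the code: the key is selected by the X-Koha-Username header instead of trying every user's API key, which gives the same answer when usernames are unique and avoids one HMAC per user per request.

```python
import hashlib
import hmac
from dataclasses import dataclass

# HMAC-SHA256 request signing in the style of the Koha proposal above.
# Added example, not Koha code; all sample data is constructed.


@dataclass
class ApiUser:
    api_key: bytes
    last_timestamp: int = 0  # timestamp of the last accepted request


def make_users():
    """Constructed in-memory user table; in Koha this would be the database."""
    return {
        "alice": ApiUser(api_key=b"alice-constructed-api-key"),
        "bob": ApiUser(api_key=b"bob-constructed-api-key"),
    }


def signing_string(method, path_and_query, username, timestamp):
    """Elements of the request joined by single spaces, method uppercased."""
    return " ".join([method.upper(), path_and_query, username, str(timestamp)])


def sign_request(method, path_and_query, username, timestamp, api_key):
    """Hex HMAC-SHA256 of the signing string under the user's API key."""
    msg = signing_string(method, path_and_query, username, timestamp).encode()
    return hmac.new(api_key, msg, hashlib.sha256).hexdigest()


def client_headers(method, path_and_query, username, timestamp, api_key):
    """What the client sends: the three custom headers from the proposal."""
    return {
        "X-Koha-Username": username,
        "X-Koha-Timestamp": str(timestamp),
        "X-Koha-Signature": sign_request(
            method, path_and_query, username, timestamp, api_key
        ),
    }


def authenticate(method, path_and_query, headers, users):
    """Server side. Returns ("anonymous" | "authenticated" | "rejected", username).

    Differs from the commit message in one respect: the key is looked up by
    X-Koha-Username rather than by trying every user's key (assumption).
    """
    username = headers.get("X-Koha-Username")
    ts = headers.get("X-Koha-Timestamp")
    sig = headers.get("X-Koha-Signature")

    # No X-Koha-* headers at all: anonymous mode, controllers decide.
    if username is None and ts is None and sig is None:
        return "anonymous", None
    # A partial header set is neither anonymous nor a valid signed request.
    if username is None or ts is None or sig is None:
        return "rejected", None
    try:
        timestamp = int(ts)  # compare numerically, never as strings
    except ValueError:
        return "rejected", None

    user = users.get(username)
    if user is None:
        return "rejected", None

    expected = sign_request(method, path_and_query, username, timestamp, user.api_key)
    # Constant-time comparison so a forged signature leaks nothing via timing.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "rejected", None

    # Replay protection: the stored timestamp must be strictly less than
    # X-Koha-Timestamp, so resending the same headers is refused.
    if not user.last_timestamp < timestamp:
        return "rejected", None
    user.last_timestamp = timestamp
    return "authenticated", username


if __name__ == "__main__":
    users = make_users()
    path = "/api/v1/patrons/42?fields=name"
    hdrs = client_headers("get", path, "alice", 1435224800, users["alice"].api_key)
    print(authenticate("GET", path, hdrs, users))   # first use: authenticated
    print(authenticate("GET", path, hdrs, users))   # same headers again: rejected
    print(authenticate("GET", path, {}, users))     # no headers: anonymous
```

Two details worth keeping in mind when reading the proposal: the timestamp must be compared as a number (as strings, "999" sorts after "1000"), and because only the last accepted timestamp is stored, a client whose clock runs behind the server's last accepted value locks itself out until it catches up.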

