[Koha-bugs] [Bug 19133] REST API: Password recovery

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Aug 24 16:01:12 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19133

--- Comment #2 from Lari Taskula <lari.taskula at jns.fi> ---
Created attachment 66416
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=66416&action=edit
Bug 19133: Add an ability to link patron to third party service to reset their password

Adds additional functionality to POST /patrons/password/recovery. Pass a new
parameter "custom_link" to send patron a recovery email that contains this
link instead of Koha OPAC's opac-password-recovery.pl page. This way third
party services can link Koha patrons to their own service to have passwords
recovered.

By default, forbids all custom links. To enable specific services, use the new
system preference OpacResetPasswordHostWhitelist. This preference contains
a list of allowed host names to which it is allowed to link the patron in the
recovery email.

Use case in steps (to understand the feature better):
1. Library uses a discovery software (e.g. VuFind, from now on VF) and has
   disabled Koha's OPAC
2. VF uses Koha REST API
3. Patrons can login to VF with their Koha userid and password
4. Patron goes to VF login screen, but has forgotten their password
5. Patron requests their password to be reset in VF
6. VF sends a POST request to /api/v1/patrons/password/recovery with patron's
   userid and email as parameters, as well as custom_link to a password reset
   page in VF
7. Koha sends patron an email containing a link to VF password reset page
   (instead of Koha OPAC's opac-password-recovery.pl)
8. Patron reads their email and resets password in VF

To test:
1. Apply patch and run updatedatabase.pl
2. prove t/db_dependent/api/v1/passwordrecovery.t
3. Modify OpacResetPasswordHostWhitelist system preference. Add "anything"
   to its value.
4. Send a POST request to /api/v1/patrons/password/recovery with parameters
   "email", "userid" and "custom_link" (custom_link value e.g.
   "https://anything/reset-password.pl?token={uuid}")
5. You should get a HTTP 201 response
6. Check your message_queue. Your password recovery email should now contain
   the link you provided in step 4
7. Repeat step 4 but this time use something else as custom_link value
8. You should get a response that this host name is not accepted
