[Koha-bugs] [Bug 20402] Implement OAuth2 authentication for REST API

bugzilla-daemon at bugs.koha-community.org
Wed Apr 11 21:17:50 CEST 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402

Josef Moravec <josef.moravec at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Failed QA

--- Comment #24 from Josef Moravec <josef.moravec at gmail.com> ---
(In reply to Julian Maurice from comment #22)
> Created attachment 74018 [details] [review]
> Bug 20402: Implement OAuth2 authentication for REST API
> 
> It implements only the "client credentials" flow with no scopes
> support. API clients are tied to an existing patron and have the same
> permissions as the patron they are tied to.
> API Clients are defined in $KOHA_CONF.
> 
> Test plan:
> 0. Install Net::OAuth2::AuthorizationServer 0.16 and
>    Mojolicious::Plugin::OAuth2::Server 0.40
> 1. In $KOHA_CONF, add an <api_client> element under <config>:
>      <api_client>
>        <client_id>$CLIENT_ID</client_id>
>        <client_secret>$CLIENT_SECRET</client_secret>
>        <patron_id>X</patron_id> <!-- X is an existing borrowernumber -->
>      </api_client>
> 2. Apply patch, run updatedatabase.pl and reload starman
> 3. Install Firefox extension RESTer [1]
> 4. In RESTer, go to "Authorization" tab and create a new OAuth2
>    configuration:
>    - OAuth flow: Client credentials
>    - Access Token Request Method: POST
>    - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
>    - Access Token Request Client Authentication: Credentials in request
>      body
>    - Client ID: $CLIENT_ID
>    - Client Secret: $CLIENT_SECRET
> 5. Click on the newly created configuration to generate a new token
>    (which will be valid only for an hour)
> 6. In RESTer, set HTTP method to GET and url to
>    http://$KOHA_URL/api/v1/patrons then click on SEND
>    If patron X has permission 'edit_borrowers', it should return 200 OK
>    with the list of patrons
>    Otherwise it should return 403 with the list of required permissions
>    (Please test both cases)
> 7. Wait an hour (or run the following SQL query:
>    UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
>    You should have a 403 Forbidden status, and the token must have been
>    removed from the database.

Token is removed, but I got status 500

> 8. Create a bunch of tokens using RESTer, make some of them expire
>    using the previous SQL query, and run the following command:
>      misc/cronjobs/cleanup_database.pl --oauth-tokens
>    Verify that expired tokens were removed, and that the others are
>    still there
> 9. prove t/db_dependent/api/v1/oauth.t

One test is failing for me:

not ok 19 - 200 OK

    #   Failed test '200 OK'
    #   at t/db_dependent/api/v1/oauth.t line 98.
    #          got: '403'
    #     expected: '200'
    # Looks like you failed 1 test of 19.


> 
> [1] https://addons.mozilla.org/en-US/firefox/addon/rester/

-- 
You are receiving this mail because:
You are watching all bug changes.
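The exchange from steps 4 to 7 of the quoted test plan, as an added example that is not part of this bug report or of Koha's own code: a stdlib-only Python client that requests a client-credentials token from /api/v1/oauth/token, calls /api/v1/patrons with it, and treats any status other than 200 or 403 as a server defect (the 500 reported above is exactly what it would flag). The helper names, the fake_koha stand-in and its response bodies (including the required_permissions field) are constructed assumptions, not Koha's actual output.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/api/v1/oauth/token"      # token endpoint named in the test plan
PATRONS_PATH = "/api/v1/patrons"        # protected route exercised in step 6


def http_transport(method, url, headers, body=None):
    """Perform a real request; return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def request_token(base_url, client_id, client_secret, transport=http_transport):
    """RFC 6749 s4.4: grant_type=client_credentials, credentials in the POST body."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    status, body = transport("POST", base_url + TOKEN_PATH,
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token endpoint answered {status}: {body!r}")
    tok = json.loads(body)
    return tok["access_token"], int(tok.get("expires_in", 0))  # lifetime in seconds


def list_patrons(base_url, token, transport=http_transport):
    """GET the protected route: 200 -> patron list, 403 -> the server's permission error body.
    Anything else (such as a 500 on an expired token) is surfaced as a defect, not swallowed."""
    status, body = transport("GET", base_url + PATRONS_PATH,
                             {"Authorization": f"Bearer {token}"})
    if status in (200, 403):
        return status, json.loads(body)
    raise RuntimeError(f"unexpected status {status}; expired or unknown tokens must give 403")


def fake_koha(method, url, headers, body=None):
    """Constructed stand-in for a Koha server so the flow can be run offline (not real Koha)."""
    if url.endswith(TOKEN_PATH):
        if urllib.parse.parse_qs(body.decode()).get("client_secret") == ["s3cret"]:
            return 200, b'{"access_token":"fresh","token_type":"Bearer","expires_in":3600}'
        return 400, b'{"error":"invalid_client"}'
    if headers.get("Authorization") == "Bearer fresh":
        return 200, b'[{"patron_id": 1}]'
    # expired, revoked or unknown token, or a patron lacking edit_borrowers: 403, never 500
    return 403, b'{"error":"Missing permissions","required_permissions":{"borrowers":"edit_borrowers"}}'
```

Point `transport` at `http_transport` (the default) with a real `$KOHA_URL` to run the same flow against an instance configured as in step 1.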

