[Koha-bugs] [Bug 20402] Implement OAuth2 authentication for REST API
bugzilla-daemon at bugs.koha-community.org
Wed Apr 11 21:17:50 CEST 2018
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402
Josef Moravec <josef.moravec at gmail.com> changed:
What          |Removed          |Added
----------------------------------------------------------------------------
Status        |Needs Signoff    |Failed QA
--- Comment #24 from Josef Moravec <josef.moravec at gmail.com> ---
(In reply to Julian Maurice from comment #22)
> Created attachment 74018 [details] [review]
> Bug 20402: Implement OAuth2 authentication for REST API
>
> It implements only the "client credentials" flow with no scopes
> support. API clients are tied to an existing patron and have the same
> permissions as the patron they are tied to.
> API Clients are defined in $KOHA_CONF.
>
> Test plan:
> 0. Install Net::OAuth2::AuthorizationServer 0.16 and
> Mojolicious::Plugin::OAuth2::Server 0.40
> 1. In $KOHA_CONF, add an <api_client> element under <config>:
> <api_client>
> <client_id>$CLIENT_ID</client_id>
> <client_secret>$CLIENT_SECRET</client_secret>
> <patron_id>X</patron_id> <!-- X is an existing borrowernumber -->
> </api_client>
> 2. Apply patch, run updatedatabase.pl and reload starman
> 3. Install Firefox extension RESTer [1]
> 4. In RESTer, go to "Authorization" tab and create a new OAuth2
> configuration:
> - OAuth flow: Client credentials
> - Access Token Request Method: POST
> - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
> - Access Token Request Client Authentication: Credentials in request
> body
> - Client ID: $CLIENT_ID
> - Client Secret: $CLIENT_SECRET
> 5. Click on the newly created configuration to generate a new token
> (which will be valid only for an hour)
> 6. In RESTer, set HTTP method to GET and url to
> http://$KOHA_URL/api/v1/patrons then click on SEND
> If patron X has permission 'edit_borrowers', it should return 200 OK
> with the list of patrons
> Otherwise it should return 403 with the list of required permissions
> (Please test both cases)
> 7. Wait an hour (or run the following SQL query:
> UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
> You should have a 403 Forbidden status, and the token must have been
> removed from the database.
Token is removed, but I got status 500
> 8. Create a bunch of tokens using RESTer, make some of them expires
> using the previous SQL query, and run the following command:
> misc/cronjobs/cleanup_database.pl --oauth-tokens
> Verify that expired tokens were removed, and that the others are
> still there
> 9. prove t/db_dependent/api/v1/oauth.t
One test is failing for me:
not ok 19 - 200 OK
# Failed test '200 OK'
# at t/db_dependent/api/v1/oauth.t line 98.
# got: '403'
# expected: '200'
# Looks like you failed 1 test of 19.
>
> [1] https://addons.mozilla.org/en-US/firefox/addon/rester/
--
You are receiving this mail because:
You are watching all bug changes.
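As an added example that is not part of the attached patch or of Koha's own code, the following script walks through steps 4 to 7 of the test plan above with the Python standard library instead of the RESTer extension: it posts the client credentials in the request body to the token endpoint, checks the reply before trusting it, then calls the patrons endpoint with the bearer token and reports whether the outcome is one the test plan allows (200 or 403; a 500 on an expired token is the failure reported in this comment). The endpoint paths come from the test plan; KOHA_URL, CLIENT_ID and CLIENT_SECRET are assumed environment variables.

```python
"""Client-credentials flow against the Koha REST API as described in the
Bug 20402 test plan. Added example, not code from the patch. Assumes the
endpoints /api/v1/oauth/token and /api/v1/patrons and reads KOHA_URL,
CLIENT_ID and CLIENT_SECRET from the environment."""
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request


def parse_token_response(body, now=None):
    """Validate a token endpoint reply and return (access_token, expires_at).

    A client should refuse to continue without a bearer token type and a
    positive lifetime (the test plan says tokens are valid for one hour);
    expires_at is computed locally so the caller knows when step 7 applies."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    token = data.get("access_token")
    if not token:
        raise ValueError("token response has no access_token")
    expires_in = int(data.get("expires_in", 0))
    if expires_in <= 0:
        raise ValueError("token response has no positive expires_in")
    now = time.time() if now is None else now
    return token, now + expires_in


def request_token(base_url, client_id, client_secret):
    """Step 4/5: POST the credentials in the request body (not Basic auth)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(base_url + "/api/v1/oauth/token",
                                 data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read())


def call_api(base_url, token, path):
    """Step 6: GET a path with the bearer token; return (status, body).

    urllib raises on 4xx/5xx, so HTTPError is caught to keep the 403 body,
    which the test plan says lists the required permissions."""
    req = urllib.request.Request(base_url + path,
                                 headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            body = json.loads(raw)
        except ValueError:
            body = raw.decode(errors="replace")
        return err.code, body


def describe_outcome(status):
    """Map the statuses the test plan accepts to a verdict; anything else,
    such as the 500 seen on an expired token, is a test-plan failure."""
    verdicts = {
        200: "authorized: patron has edit_borrowers",
        403: "forbidden: missing permission or expired token",
    }
    return verdicts.get(status,
                        "unexpected status %d (test plan expects 200 or 403)" % status)


def main():
    base_url = os.environ["KOHA_URL"].rstrip("/")
    token, expires_at = request_token(base_url, os.environ["CLIENT_ID"],
                                      os.environ["CLIENT_SECRET"])
    print("token obtained; expires at",
          time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(expires_at)))
    status, body = call_api(base_url, token, "/api/v1/patrons")
    print(status, describe_outcome(status))
    print(json.dumps(body, indent=2)[:500])
    # Run again after expiring the token (step 7): the expected reply is 403.
    return 0 if status in (200, 403) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it once to cover the 200/403 cases of step 6, then expire the token with the SQL from step 7 and run it again with the same token value; a non-zero exit means the server returned something other than the 403 the test plan requires.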