[Koha-bugs] [Bug 20568] Add API key management interface for patrons

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Apr 18 18:23:54 CEST 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20568

Julian Maurice <julian.maurice at biblibre.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Failed QA

--- Comment #30 from Julian Maurice <julian.maurice at biblibre.com> ---
QA comments:

1) The UUID generation happens in the store method. This means that every time
I revoke/activate a key, client_id and secret are changed. I think that is not
the desired behaviour.
2) A CSRF attack can remove and revoke keys. This can be prevented by using
Koha::Token.
3) UUID::generate($uuid); UUID::unparse( $uuid, $uuidstring ); can be replaced
by $uuidstring = uuid();
4) In intranet, if I have no key and click twice on "Generate a new client
id/secret pair" link, the form appears then disappears. Not really a problem, but
it's an odd behaviour. I suggest just showing the button even if I have no
keys, like in OPAC.
5) I feel that api_keys.id is not useful as client_id can be used as a primary
key.
6) Since we're using UUID, why not store the binary representation instead of
the string representation? I don't know how that would affect performance but
that will save storage space. If we stick with the string representation I
suggest that we change the data type of client_id and secret to a fixed-width
string type (CHAR(36)?).

Failing QA for 1 and 2.
3 and 4 are not required but they should be easy to do.
5 and 6 are just thoughts. Please comment.

-- 
You are receiving this mail because:
You are watching all bug changes.
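The following Perl is an added example, not code from the Koha patch or from Koha itself, illustrating QA points 1 to 3 above. `ApiKey` is a hypothetical stand-in for the patch's API-key class, `CsrfToken` a stand-in for Koha::Token (implemented here as an HMAC over the session id so the example runs stand-alone), and the secret and session id are constructed values. The `store` method generates `client_id` and `secret` only when they are missing, so a `revoke`/`activate` round trip, which calls `store` again, leaves them unchanged, and the revoke handler refuses any request that does not carry the session's own token.

```perl
#!/usr/bin/perl
# Added example, not code from the Koha patch or from Koha itself.
# Shows (1) credentials generated once, not on every store(), and
# (2) a CSRF check on the state-changing revoke request.
use strict;
use warnings;

{
    package ApiKey;                  # hypothetical stand-in for the patch's class
    use UUID qw(uuid);               # uuid() returns a 36-char string (point 3)

    sub new {
        my ( $class, %args ) = @_;
        my $self = { active => 1, %args };
        return bless $self, $class;
    }

    # Credentials are created on the first store() only; later stores keep them.
    sub store {
        my ($self) = @_;
        $self->{client_id} //= uuid();
        $self->{secret}    //= uuid();
        # persistence to the api_keys table is omitted in this example
        return $self;
    }

    sub revoke   { my ($self) = @_; $self->{active} = 0; return $self->store; }
    sub activate { my ($self) = @_; $self->{active} = 1; return $self->store; }
}

{
    package CsrfToken;               # hypothetical stand-in for Koha::Token
    use Digest::SHA qw(hmac_sha256_hex);

    # The token is bound to the session: a request forged from another origin
    # cannot read the session's token, so it fails the check.
    sub generate {
        my ( $session_id, $server_secret ) = @_;
        return hmac_sha256_hex( $session_id, $server_secret );
    }

    # Constant-time comparison so the check leaks nothing about the token.
    sub check {
        my ( $session_id, $server_secret, $token ) = @_;
        my $expected = generate( $session_id, $server_secret );
        return 0 unless defined $token && length($token) == length($expected);
        my $diff = 0;
        $diff |= ord( substr $expected, $_, 1 ) ^ ord( substr $token, $_, 1 )
            for 0 .. length($expected) - 1;
        return $diff == 0;
    }
}

package main;

my $server_secret = 'constructed-secret-for-the-example';
my $session_id    = 'constructed-session-id';

# Point 1: revoke/activate must not change the credentials.
my $key = ApiKey->new( description => 'test' )->store;
my ( $id, $secret ) = ( $key->{client_id}, $key->{secret} );
$key->revoke->activate;
print( ( $key->{client_id} eq $id && $key->{secret} eq $secret )
    ? "credentials stable across revoke/activate\n"
    : "BUG: credentials rotated\n" );

# Point 2: a revoke request is honoured only with the session's own token.
sub handle_revoke {
    my ( $key, $session_id, $token ) = @_;
    return "403 forbidden (bad or missing CSRF token)"
        unless CsrfToken::check( $session_id, $server_secret, $token );
    $key->revoke;
    return "200 key revoked";
}

my $good = CsrfToken::generate( $session_id, $server_secret );
print handle_revoke( $key, $session_id, $good ),    "\n";
print handle_revoke( $key, $session_id, undef ),    "\n";
print handle_revoke( $key, $session_id, 'x' x 64 ), "\n";
```

In Koha itself the token would come from Koha::Token rather than the stand-in above, and the template would embed it in the revoke/activate forms so that only requests originating from the logged-in page carry it.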