[Koha-bugs] [Bug 22522] API authentication breaks with updated Mojolicious version

bugzilla-daemon at bugs.koha-community.org
Tue Mar 19 18:53:53 CET 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22522

José-Mario Monteiro-Santos <jose-mario.monteiro-santos at inlibro.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #86756|Bug 22522 - Update API      |Fix for newer
        description|specs' access in Auth.pm    |Mojolicious/OpenAPI
                   |                            |versions

--- Comment #4 from José-Mario Monteiro-Santos <jose-mario.monteiro-santos at inlibro.com> ---
Comment on attachment 86756
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=86756
Fix for newer Mojolicious/OpenAPI versions

>From 9398e9ce1ddb545b031c4accad4148f743eddadd Mon Sep 17 00:00:00 2001
>From: Jose-Mario Monteiro-Santos <jose-mario.monteiro-santos at inLibro.com>
>Date: Tue, 19 Mar 2019 11:55:45 -0400
>Subject: [PATCH] Bug 22522 - Update API specs' access in Auth.pm
>
>With newer versions of Mojolicious and its plugins, endpoints' specs
>could no longer be accessed, thus bypassing authorization checks
>and failing to validate query parameters.
>
>Test plan:
>1. Without being logged in to Koha, access an endpoint directly
>   (such as /api/v1/patrons/{patron_id})
>2. Notice results are received (which is bad since we're not authenticated)
>3. Try again with an endpoint that accepts query parameters
>   (such as /api/v1/patrons?firstname=something)
>4. Notice that the query is not accepted (even with correct parameters)
>
>5. Apply the patch
>
>6. Repeat step 1
>7. Notice that the access is denied
>8. Log in as a user with proper access rights
>9. Repeat step 1
>10. Notice that you can now get results
>11. Repeat step 3
>12. Notice that the query is now accepted
>13. Repeat step 3 but with an absurd parameter
>14. Notice the query is correctly rejected
>
>15. Ideally, check if other API calls were not broken
>---
> Koha/REST/V1/Auth.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
>index 53c6bac..d0ecd13 100644
>--- a/Koha/REST/V1/Auth.pm
>+++ b/Koha/REST/V1/Auth.pm
>@@ -130,7 +130,7 @@ sub authenticate_api_request {
> 
>     my $user;
> 
>-    my $spec = $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
>+    my $spec = $c->openapi->spec;
>     my $authorization = $spec->{'x-koha-authorization'};
> 
>     my $authorization_header = $c->req->headers->authorization;
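Review bot: the new lookup on the `+` line is still unguarded, so the fail-open path described in the commit message is narrowed rather than closed: if `$c->openapi->spec` ever returns undef for a route, `$spec->{'x-koha-authorization'}` silently evaluates to undef exactly as the old `openapi.op_spec` lookup did, and execution continues into `my $authorization_header = $c->req->headers->authorization;` with no authorization rule in hand. Suggest an explicit fail-closed check immediately after `+    my $spec = $c->openapi->spec;` (return an error response unless `$spec` is defined) so that a future change in the plugin's accessor surfaces as a visible failure instead of a bypass. The commit message should also name the Mojolicious::Plugin::OpenAPI version that introduced `$c->openapi->spec` and the dependency metadata should be bumped accordingly; "newer versions" is not enough for packagers to know which installations the old accessor silently breaks on.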
>-- 
>2.7.4
