[Koha-bugs] [Bug 22522] API authentication breaks with updated Mojolicious version

bugzilla-daemon at bugs.koha-community.org
Thu Oct 3 15:07:33 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22522

--- Comment #7 from Magnus Enger <magnus at libriotech.no> ---
Created attachment 93592 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=93592&action=edit
Bug 22522 - Update API specs' access in Auth.pm

With newer versions of Mojolicious and its plugins, endpoints' specs
could no longer be accessed, thus bypassing authorization checks
and failing to validate query parameters.

Test plan:
1. Without being logged in to Koha, access an endpoint directly
   (such as /api/v1/patrons/{patron_id})
2. Notice results are received (which is bad since we're not authenticated)
3. Try again with an endpoint that accepts query parameters
   (such as /api/v1/patrons?firstname=something)
4. Notice that the query is not accepted (even with correct parameters)

5. Apply the patch

6. Repeat step 1
7. Notice that the access is denied
8. Login as a user with proper access rights
9. Repeat step 1
10. Notice that you can now get results
11. Repeat step 3
12. Notice that the query is now accepted
13. Repeat step 3 but with an absurd parameter
14. Notice the query is correctly rejected

15. Ideally, check if other API calls were not broken

Signed-off-by: Magnus Enger <magnus at libriotech.no>
Upgraded modules with:
$ sudo cpanm Mojolicious JSON::Validator Mojolicious::Plugin::OpenAPI at 2.14
Before the patch, data is returned without being logged in. Not good!
After the patch: {"error":"Authentication failure."}

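The failure mode the commit message describes (an auth layer that silently lets requests through when it can no longer find the endpoint's spec) is worth seeing as a fail-closed guard. The following is an added example written for this page, not Koha's Auth.pm and not Mojolicious::Plugin::OpenAPI code: a small Mojolicious::Lite app whose `under` hook refuses the request when the operation spec cannot be resolved, then checks authentication, the required permission, and the declared query parameters. The `%OPS` table, `%SESSIONS`, the `X-Demo-Token` header and the `op_spec_for` helper are constructed stand-ins for what the OpenAPI plugin and Koha's session handling would normally provide. The built-in Test::Mojo run at the bottom walks the bug's test plan against the demo app.

```perl
#!/usr/bin/env perl
# Added example (not Koha code): fail-closed API authorization guard.
# %OPS, %SESSIONS, op_spec_for and X-Demo-Token are constructed for this demo.
use Mojolicious::Lite -signatures;

# Constructed stand-in for the per-operation OpenAPI specs the plugin
# normally exposes: route name -> required permission and allowed params.
my %OPS = (
    get_patron   => { permission => 'borrowers', params => [] },
    list_patrons => { permission => 'borrowers', params => ['firstname'] },
);

# Constructed session table: token -> granted permissions.
my %SESSIONS = ( 'demo-librarian' => { borrowers => 1 } );

# Resolve the spec for the matched route. Returning undef models the
# situation in the bug report: the spec can no longer be looked up.
sub op_spec_for ($c) {
    my $endpoint = $c->match->endpoint or return undef;
    return $OPS{ $endpoint->name };
}

under '/api/v1' => sub ($c) {
    my $spec = op_spec_for($c);

    # Fail closed: without a spec we know neither the required permission
    # nor the allowed parameters, so refuse instead of falling through.
    unless ($spec) {
        $c->render(status => 500, json => { error => 'Operation spec unavailable' });
        return undef;
    }

    # Authentication: the constructed header carries the session token.
    my $perms = $SESSIONS{ $c->req->headers->header('X-Demo-Token') // '' };
    unless ($perms) {
        $c->render(status => 401, json => { error => 'Authentication failure.' });
        return undef;
    }

    # Authorization against the permission the spec requires.
    unless ($perms->{ $spec->{permission} }) {
        $c->render(status => 403, json => { error => 'Authorization failure.' });
        return undef;
    }

    # Parameter validation: reject anything the spec does not declare.
    my %allowed = map { $_ => 1 } @{ $spec->{params} };
    my @unknown = grep { !$allowed{$_} } @{ $c->req->params->names };
    if (@unknown) {
        $c->render(status => 400, json => { error => "Unknown parameter(s): @unknown" });
        return undef;
    }
    return 1;
};

get '/patrons/:patron_id' => sub ($c) {
    $c->render(json => { patron_id => $c->param('patron_id') });
} => 'get_patron';

get '/patrons' => sub ($c) {
    $c->render(json => { firstname => $c->param('firstname') });
} => 'list_patrons';

# Deliberately missing from %OPS to show the fail-closed branch.
get '/holds' => sub ($c) { $c->render(json => []) } => 'list_holds';

# Walk the bug report's test plan against the demo app.
use Test::More;
use Test::Mojo;
my $t = Test::Mojo->new;
my $h = { 'X-Demo-Token' => 'demo-librarian' };

# Steps 1-2 / 6-7: unauthenticated access is denied.
$t->get_ok('/api/v1/patrons/1')->status_is(401)
  ->json_is('/error' => 'Authentication failure.');
# Steps 8-10: a user with the right permission gets results.
$t->get_ok('/api/v1/patrons/1' => $h)->status_is(200)->json_is('/patron_id' => '1');
# Steps 11-12: a declared query parameter is accepted.
$t->get_ok('/api/v1/patrons?firstname=something' => $h)->status_is(200);
# Steps 13-14: an undeclared parameter is rejected.
$t->get_ok('/api/v1/patrons?absurd=1' => $h)->status_is(400);
# Route with no resolvable spec: refused rather than served.
$t->get_ok('/api/v1/holds' => $h)->status_is(500);
done_testing;
```

Run it with `perl demo.pl` (or `prove demo.pl`); it needs Mojolicious 8 or newer for `-signatures`. The point of the guard's ordering is that the spec lookup happens first and any `undef` result ends the request: a lookup that breaks after a dependency upgrade then shows up as a loud 500 in tests rather than as the unauthenticated data the bug report observed.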