http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920

Julian Maurice <julian.maur...@biblibre.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #40591|0                           |1
        is obsolete|                            |

--- Comment #10 from Julian Maurice <julian.maur...@biblibre.com> ---
Created attachment 40624
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40624&action=edit
Bug 13920: 8. API Authentication, part 2: implement authentication in API

For authentication to succeed, the client has to send 3 custom HTTP
headers:
 - X-Koha-Username: userid of borrower
 - X-Koha-Timestamp: timestamp of the request
 - X-Koha-Signature: signature of the request

The signature is an HMAC-SHA256 hash of several elements of the request,
separated by spaces:
 - HTTP method (uppercase)
 - URL path and query string
 - username
 - timestamp of the request

The server then tries to rebuild the signature with each user's API key.
If one matches the received X-Koha-Signature, then authentication is
almost OK.

To prevent requests from being replayed, the last request's timestamp is
stored in the database and the authentication succeeds only if the stored
timestamp is less than X-Koha-Timestamp.

This patch implements server-side authentication (in Koha/REST/V1.pm)

There is also an "anonymous" mode if X-Koha-* headers are not set.
Anonymous mode differs from authenticated mode in one thing: if the user is
authenticated, the corresponding Koha::Borrower object is stored in the
Mojolicious stash, so it can easily be retrieved by controllers.
Controllers then have the responsibility of deciding what to do if the user
is authenticated or not.
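
The scheme described in the comment above, worked through end to end as an added example (this is not the patch's Perl code from Koha/REST/V1.pm, and the key store, usernames, API keys and paths are constructed for illustration). The client side builds the three X-Koha-* headers; the server side rebuilds the HMAC-SHA256 over "METHOD path username timestamp" with the keys stored for the named user, compares it in constant time, and then applies the replay guard: the request is accepted only if the stored timestamp for that user is strictly less than X-Koha-Timestamp. Absent headers fall through to the anonymous mode, where no user is attached to the request.

```python
import hmac
import hashlib
import time


def sign_request(method, path_and_query, username, timestamp, api_key):
    """Build the X-Koha-Signature value: HMAC-SHA256 over the four request
    elements joined by single spaces, with the HTTP method uppercased.
    The timestamp is signed exactly as it appears in the header (a string)."""
    message = " ".join([method.upper(), path_and_query, username, str(timestamp)])
    return hmac.new(api_key.encode("utf-8"), message.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_headers(method, path_and_query, username, api_key, timestamp=None):
    """Client side: produce the three custom headers for one request."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        "X-Koha-Username": username,
        "X-Koha-Timestamp": str(ts),
        "X-Koha-Signature": sign_request(method, path_and_query, username, ts, api_key),
    }


class Authenticator:
    """Server side. api_keys is a constructed stand-in for the database:
    username -> list of API keys. last_timestamps plays the role of the
    stored last-request timestamp used as the replay guard."""

    def __init__(self, api_keys):
        self.api_keys = api_keys
        self.last_timestamps = {}

    def authenticate(self, method, path_and_query, headers):
        """Return the authenticated username, "anonymous" when no X-Koha-*
        headers are present, or None when authentication fails."""
        username = headers.get("X-Koha-Username")
        timestamp = headers.get("X-Koha-Timestamp")
        signature = headers.get("X-Koha-Signature")

        # Anonymous mode: none of the three headers were sent.
        if username is None and timestamp is None and signature is None:
            return "anonymous"
        # A partial set of headers is neither anonymous nor authenticated.
        if username is None or timestamp is None or signature is None:
            return None
        if username not in self.api_keys:
            return None
        try:
            ts = int(timestamp)
        except ValueError:
            return None

        # Rebuild the signature with each key stored for this user and
        # compare in constant time so a mismatch leaks no timing information.
        for key in self.api_keys[username]:
            expected = sign_request(method, path_and_query, username, timestamp, key)
            if hmac.compare_digest(expected, signature):
                break
        else:
            return None

        # Replay guard: the stored timestamp must be strictly less than the
        # one sent, so a captured request cannot be submitted a second time.
        if ts <= self.last_timestamps.get(username, -1):
            return None
        self.last_timestamps[username] = ts
        return username


if __name__ == "__main__":
    auth = Authenticator({"alice": ["constructed-api-key"]})  # constructed store
    hdrs = build_headers("get", "/api/v1/patrons/1?x=1", "alice", "constructed-api-key")
    print(auth.authenticate("GET", "/api/v1/patrons/1?x=1", hdrs))  # alice
    print(auth.authenticate("GET", "/api/v1/patrons/1?x=1", hdrs))  # None (replayed)
    print(auth.authenticate("GET", "/api/v1/patrons/1", {}))        # anonymous
```

Note that the server signs the timestamp string exactly as received rather than a re-serialised integer, so the client and server always hash identical bytes; the integer conversion is used only for the ordering check against the stored value.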

_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
