https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561
--- Comment #24 from David Cook <[email protected]> ---

In the wild, we typically see third parties using ILS-DI "AuthenticatePatron" then ILS-DI "GetPatronInfo", and really... that's leaking more information than I'd like.

We could try to replace it with "/api/v1/auth/password/validation" and "/api/v1/patrons/XXX" (which is what I use in my Keycloak SSO extension, which uses Koha as the user database), but "/api/v1/patrons/XXX" also leaks a lot of data, plus with x-koha-embed I think it has the capacity to leak even more data than we realize.

I think that we've been so focused on the REST API in terms of Koha CRUD and convenience that we haven't really thought about how it can be used (securely) by third parties.

Going back to bug 37144... maybe we should have an endpoint "/api/v1/patron_profiles/XXX". The patron profile would sit in front of the actual patron data, and ideally be configurable...

--
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
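The two-call REST flow the comment describes (password validation, then a patron lookup), with the proposed "patron profile" applied as an allow-list on the client side, as an added Python example. This is not Koha's code and not the commenter's Keycloak extension. It assumes, without having checked a specific Koha release, that POST /api/v1/auth/password/validation takes a JSON body with "userid" and "password" and answers 201 with "cardnumber", "patron_id" and "userid", and that GET /api/v1/patrons/{patron_id} returns the full patron record; the sample patron record, credentials, the `fake_koha` transport and the helper names are constructed for the example.

```python
"""Added example, not Koha code: third-party login against the Koha REST API
with an allow-list "patron profile" applied to the /api/v1/patrons/{id} response.

Assumptions (illustrative, not verified against a Koha release):
  * POST /api/v1/auth/password/validation takes JSON {"userid", "password"} and
    answers 201 with {"cardnumber", "patron_id", "userid"} on success.
  * GET /api/v1/patrons/{patron_id} returns the full patron record, and the
    x-koha-embed request header would add related objects to it.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Optional, Sequence, Tuple

# transport(method, path, json_body_or_None) -> (http_status, decoded_json_or_None)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Any]]

# Everything an SSO / user-database integration needs; nothing else is retained.
PROFILE_FIELDS: Sequence[str] = (
    "patron_id", "cardnumber", "userid", "firstname", "surname", "email",
)


def profile_from_patron(patron: dict, fields: Sequence[str] = PROFILE_FIELDS) -> dict:
    """Allow-list projection of a full patron record to the profile fields."""
    return {k: patron[k] for k in fields if k in patron}


def leaked_fields(patron: dict, fields: Sequence[str] = PROFILE_FIELDS) -> list:
    """Keys the endpoint returned that the profile never needed."""
    return sorted(set(patron) - set(fields))


def login_and_profile(transport: Transport, userid: str, password: str,
                      embeds: Sequence[str] = ()) -> Optional[dict]:
    """Validate credentials, fetch the patron, keep only the profile fields.

    Returns None when validation or the lookup fails; refuses x-koha-embed
    outright because a profile lookup has no use for checkouts, holds, etc.
    """
    if embeds:
        raise ValueError("x-koha-embed not permitted for profile lookups: %r" % list(embeds))
    status, body = transport("POST", "/api/v1/auth/password/validation",
                             {"userid": userid, "password": password})
    if status != 201 or not body or "patron_id" not in body:
        return None
    status, patron = transport("GET", "/api/v1/patrons/%s" % body["patron_id"], None)
    if status != 200 or not patron:
        return None
    return profile_from_patron(patron)


def urllib_transport(base_url: str, api_user: str, api_password: str) -> Transport:
    """Transport for a real Koha: HTTP basic auth as the integration account."""
    token = base64.b64encode(("%s:%s" % (api_user, api_password)).encode()).decode()

    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:
            return err.code, None

    return send


# Constructed sample data so the flow runs offline; not real patron data.
SAMPLE_PATRON = {
    "patron_id": 42, "cardnumber": "L00042", "userid": "alice",
    "firstname": "Alice", "surname": "Example", "email": "alice@example.org",
    "date_of_birth": "1990-01-01", "address": "1 Library Lane", "phone": "555-0100",
    "category_id": "PT", "library_id": "CPL", "expiry_date": "2030-01-01",
}
SAMPLE_CREDENTIALS = {"alice": "correct horse battery staple"}


def fake_koha(method: str, path: str, body: Optional[dict]) -> Tuple[int, Any]:
    """Stand-in for the two Koha endpoints, following the assumptions above."""
    if method == "POST" and path == "/api/v1/auth/password/validation":
        if body and SAMPLE_CREDENTIALS.get(body.get("userid")) == body.get("password"):
            return 201, {k: SAMPLE_PATRON[k] for k in ("cardnumber", "patron_id", "userid")}
        return 400, {"error": "Validation failed"}
    if method == "GET" and path == "/api/v1/patrons/%s" % SAMPLE_PATRON["patron_id"]:
        return 200, dict(SAMPLE_PATRON)
    return 404, {"error": "Not found"}


if __name__ == "__main__":
    print("profile:", login_and_profile(fake_koha, "alice", "correct horse battery staple"))
    print("never needed:", leaked_fields(SAMPLE_PATRON))
```

The projection runs on the client, so a third party that follows it still receives the full record over the wire; `leaked_fields` makes that gap visible, which is the argument for a server-side profile endpoint that returns only the allow-listed fields and ignores embeds. To use it against a real instance, swap `fake_koha` for `urllib_transport("https://koha.example.org", api_user, api_password)`.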
