[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Jesse Maseto changed:
What|Removed |Added
CC||[email protected]
--- Comment #19 from Jesse Maseto ---
Merge conflicts with 24.05.x, please rebase if needed in 24.05.x.
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Paul Derscheid changed:
What|Removed |Added
Keywords|rel_24_11_candidate |
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
--- Comment #18 from Paul Derscheid ---
Nice work everyone!
Pushed to 24.11.x for 24.11.04
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Paul Derscheid changed:
What|Removed |Added
Status|Pushed to main |Pushed to stable
Version(s)|25.05.00|25.05.00,24.11.04
released in||
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
--- Comment #15 from Julian Maurice ---
Can this be backported please ?
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Katrin Fischer changed:
What|Removed |Added
Keywords||rel_24_11_candidate
--- Comment #16 from Katrin Fischer ---
(In reply to Julian Maurice from comment #15)
> Can this be backported please ?
Hi Julian, you can use the rel_... keyword to give an additional alert to the
RMaint.
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Julian Maurice changed:
What|Removed |Added
Keywords||rel_24_05_candidate
--- Comment #17 from Julian Maurice ---
Thanks Katrin. I also added the keyword for 24.05
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
--- Comment #14 from Katrin Fischer ---
Pushed for 25.05!
Well done everyone, thank you!
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Katrin Fischer changed:
What|Removed |Added
Status|Passed QA |Pushed to main
Version(s)||25.05.00
released in||
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
--- Comment #13 from Katrin Fischer ---
Additional tests and a lot of removed FIXMES... :)
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Jonathan Druart changed:
What|Removed |Added
Attachment #176544|0 |1
is obsolete||
Attachment #177101|0 |1
is obsolete||
--- Comment #8 from Jonathan Druart ---
Created attachment 179117
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179117&action=edit
Bug 37286: Fix REST API authentication when using Mojo apps
Koha::REST::V1::Auth checks the request URL path and does various things
depending on how it looks.
For instance, it allows everyone to access paths starting with
"/api/v1/oauth/"
But because of how Koha::REST::V1 was written, when using Mojolicious
applications Koha::App::Intranet and Koha::App::Opac, paths had to add a
path prefix ("/api"), which means the final path as seen by
Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth".
I said "had to", but actually there is another way that does not require
this path manipulation and that's what this patch does:
Koha::REST::V1 now accepts a configuration parameter that allows changing
the base path for API routes, which allows
Koha::App::Plugin::RESTV1 (used by Koha::App::Intranet and
Koha::App::Opac) to generate the right routes.
This configuration parameter defaults to "/api/v1", so when outside of
Koha::App::Intranet and Koha::App::Opac (when using
debian/templates/plack.psgi for instance), the behavior is unchanged.
Test plan:
1. Do not apply the patch yet
2. Run `bin/intranet daemon -l http://*:8080`
3. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token`
It should return a 403 error, with an error message "Authentication
failure".
4. Stop `bin/intranet daemon -l http://*:8080` by hitting Ctrl-C on the
terminal you started it
5. Apply the patch
6. Run `bin/intranet daemon -l http://*:8080` again
7. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token`
This time it should return a 400 error with an error message saying
the "grant_type" property is missing.
This error is normal as we did not send any data in the POST request
body, and seeing this means Koha allowed us to use that route because
it recognized '/api/v1/oauth/' at the start of the URL path
8. You can do the same test with `bin/opac`
Signed-off-by: Magnus Enger
Works as advertised. See Bugzilla for notes from testing.
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Martin Renvoize (ashimema) changed:
What|Removed |Added
Attachment #179118|0 |1
is obsolete||
--- Comment #11 from Martin Renvoize (ashimema) ---
Created attachment 179130
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179130&action=edit
Bug 37286: Add tests for REST authentication through Mojo apps
Amended-by: Jonathan Druart
Add +x
Signed-off-by: Martin Renvoize
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Martin Renvoize (ashimema) changed:
What|Removed |Added
Attachment #179117|0 |1
is obsolete||
--- Comment #10 from Martin Renvoize (ashimema) ---
Created attachment 179129
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179129&action=edit
Bug 37286: Fix REST API authentication when using Mojo apps
Koha::REST::V1::Auth checks the request URL path and does various things
depending on how it looks.
For instance, it allows everyone to access paths starting with
"/api/v1/oauth/"
But because of how Koha::REST::V1 was written, when using Mojolicious
applications Koha::App::Intranet and Koha::App::Opac, paths had to add a
path prefix ("/api"), which means the final path as seen by
Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth".
I said "had to", but actually there is another way that does not require
this path manipulation and that's what this patch does:
Koha::REST::V1 now accepts a configuration parameter that allows changing
the base path for API routes, which allows
Koha::App::Plugin::RESTV1 (used by Koha::App::Intranet and
Koha::App::Opac) to generate the right routes.
This configuration parameter defaults to "/api/v1", so when outside of
Koha::App::Intranet and Koha::App::Opac (when using
debian/templates/plack.psgi for instance), the behavior is unchanged.
Test plan:
1. Do not apply the patch yet
2. Run `bin/intranet daemon -l http://*:8080`
3. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token`
It should return a 403 error, with an error message "Authentication
failure".
4. Stop `bin/intranet daemon -l http://*:8080` by hitting Ctrl-C on the
terminal you started it
5. Apply the patch
6. Run `bin/intranet daemon -l http://*:8080` again
7. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token`
This time it should return a 400 error with an error message saying
the "grant_type" property is missing.
This error is normal as we did not send any data in the POST request
body, and seeing this means Koha allowed us to use that route because
it recognized '/api/v1/oauth/' at the start of the URL path
8. You can do the same test with `bin/opac`
Signed-off-by: Magnus Enger
Works as advertised. See Bugzilla for notes from testing.
Signed-off-by: Martin Renvoize
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Martin Renvoize (ashimema) changed:
What|Removed |Added
CC||martin.renvoize@ptfs-europe
||.com
QA Contact|[email protected] |martin.renvoize@ptfs-europe
|y.org |.com
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Martin Renvoize (ashimema) changed:
What|Removed |Added
Status|Signed Off |Passed QA
--- Comment #12 from Martin Renvoize (ashimema) ---
I'm also happy here, so adding my SO stamp.. I've also drawn Tomas's attention
to it.. but I reckon we can PQA here now.
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
--- Comment #9 from Jonathan Druart ---
Created attachment 179118
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=179118&action=edit
Bug 37286: Add tests for REST authentication through Mojo apps
Amended-by: Jonathan Druart
Add +x
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Jonathan Druart changed:
What|Removed |Added
Status|Patch doesn't apply |Signed Off
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Marcel de Rooy changed:
What|Removed |Added
Status|Signed Off |Patch doesn't apply
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Julian Maurice changed:
What|Removed |Added
Status|Failed QA |Signed Off
--- Comment #7 from Julian Maurice ---
(In reply to Jonathan Druart from comment #5)
> Julian, do you think you could provide a test?
Done!
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
--- Comment #6 from Julian Maurice ---
Created attachment 177101
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=177101&action=edit
Bug 37286: Add tests for REST authentication through Mojo apps
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Jonathan Druart changed:
What|Removed |Added
CC||[email protected]
Status|Signed Off |Failed QA
--- Comment #5 from Jonathan Druart ---
Julian, do you think you could provide a test?
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Paul Derscheid changed:
What|Removed |Added
CC||[email protected]
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Magnus Enger changed:
What|Removed |Added
CC||[email protected]
--- Comment #4 from Magnus Enger ---
Initially, I had the same problem as David (in KTD), but I got around it by
replacing :8080 with :8083 in the test plan. Here is what I got:
=== Server ===
$ bin/intranet daemon -l http://*:8083
[2025-01-15 10:28:23.65073] [11469] [info] Listening at "http://*:8083"
Web application available at http://127.0.0.1:8083
=== Client ===
$ curl -i -d{} http://127.0.0.1:8083/api/v1/oauth/token
HTTP/1.1 401 Unauthorized
Server: Mojolicious (Perl)
Date: Wed, 15 Jan 2025 10:29:10 GMT
Content-Type: application/json; charset=utf8
Content-Length: 35
{"error":"Authentication failure."}
=== Server ===
[2025-01-15 10:29:10.88254] [11469] [trace] [smrnH4W71gxh] POST "/api/api/v1/oauth/token"
[2025-01-15 10:29:10.88285] [11469] [trace] [smrnH4W71gxh] Routing to application "Koha::REST::V1"
[2025-01-15 10:29:10.88386] [11469] [trace] [smrnH4W71gxh] POST "/api/api/v1/oauth/token"
[2025-01-15 10:29:10.88987] [11469] [trace] [smrnH4W71gxh] Routing to controller "Koha::REST::V1::Auth" and action "under"
[2025-01-15 10:29:10.89101] [11469] [trace] [smrnH4W71gxh] 401 Unauthorized (0.007137s, 140.115/s)
Applied the patch and restarted all the things.
=== Server ===
$ bin/intranet daemon -l http://*:8083
[2025-01-15 10:30:57.89162] [12106] [info] Listening at "http://*:8083"
Web application available at http://127.0.0.1:8083
=== Client ===
$ curl -i -d{} http://127.0.0.1:8083/api/v1/oauth/token
HTTP/1.1 400 Bad Request
Server: Mojolicious (Perl)
Content-Length: 79
Content-Type: application/json;charset=UTF-8
Date: Wed, 15 Jan 2025 10:31:04 GMT
{"errors":[{"message":"Missing property.","path":"\/grant_type"}],"status":400}
=== Server ===
[2025-01-15 10:31:04.33156] [12106] [trace] [QQTeoJ7i-Vbe] POST "/api/v1/oauth/token"
[2025-01-15 10:31:04.33186] [12106] [trace] [QQTeoJ7i-Vbe] Routing to application "Koha::REST::V1"
[2025-01-15 10:31:04.33434] [12106] [trace] [QQTeoJ7i-Vbe] POST "/api/v1/oauth/token"
[2025-01-15 10:31:04.34088] [12106] [trace] [QQTeoJ7i-Vbe] Routing to controller "Koha::REST::V1::Auth" and action "under"
[2025-01-15 10:31:04.34195] [12106] [trace] [QQTeoJ7i-Vbe] Routing to controller "Koha::REST::V1::OAuth" and action "token"
[2025-01-15 10:31:04.34253] [12106] [trace] [QQTeoJ7i-Vbe] 400 Bad Request (0.008181s, 122.234/s)
So I have verified this works according to the test plan, but it will
definitely need a more thorough review of the code. :-)
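The two server traces in the comment above can be checked mechanically. The following is an added example, not Koha code and not part of the original message: it parses Mojolicious trace lines, takes the last path logged for each request id (the path the nested application sees), and flags requests where a repeated leading segment keeps the path from matching the public prefix "/api/v1/oauth/" named in the commit message. The function names and the plain prefix-match model of the check are assumptions made for illustration.

```python
import re

# Prefix that, per the commit message, everyone is allowed to reach.
PUBLIC_PREFIX = "/api/v1/oauth/"

# Trace lines copied from the server output in comment #4
# (first request before the patch, second request after it).
SAMPLE_LOG = '''\
[2025-01-15 10:28:23.65073] [11469] [info] Listening at "http://*:8083"
[2025-01-15 10:29:10.88254] [11469] [trace] [smrnH4W71gxh] POST "/api/api/v1/oauth/token"
[2025-01-15 10:29:10.88285] [11469] [trace] [smrnH4W71gxh] Routing to application "Koha::REST::V1"
[2025-01-15 10:29:10.88386] [11469] [trace] [smrnH4W71gxh] POST "/api/api/v1/oauth/token"
[2025-01-15 10:29:10.88987] [11469] [trace] [smrnH4W71gxh] Routing to controller "Koha::REST::V1::Auth" and action "under"
[2025-01-15 10:29:10.89101] [11469] [trace] [smrnH4W71gxh] 401 Unauthorized (0.007137s, 140.115/s)
[2025-01-15 10:31:04.33156] [12106] [trace] [QQTeoJ7i-Vbe] POST "/api/v1/oauth/token"
[2025-01-15 10:31:04.33186] [12106] [trace] [QQTeoJ7i-Vbe] Routing to application "Koha::REST::V1"
[2025-01-15 10:31:04.33434] [12106] [trace] [QQTeoJ7i-Vbe] POST "/api/v1/oauth/token"
[2025-01-15 10:31:04.34088] [12106] [trace] [QQTeoJ7i-Vbe] Routing to controller "Koha::REST::V1::Auth" and action "under"
[2025-01-15 10:31:04.34195] [12106] [trace] [QQTeoJ7i-Vbe] Routing to controller "Koha::REST::V1::OAuth" and action "token"
[2025-01-15 10:31:04.34253] [12106] [trace] [QQTeoJ7i-Vbe] 400 Bad Request (0.008181s, 122.234/s)
'''

# "[timestamp] [pid] [trace] [request id] message"; other levels are skipped.
LINE_RE = re.compile(r'^\[[^\]]+\] \[\d+\] \[trace\] \[(?P<rid>[^\]]+)\] (?P<msg>.*)$')
REQUEST_RE = re.compile(r'^[A-Z]+ "(?P<path>[^"]*)"$')
ROUTE_RE = re.compile(r'^Routing to controller "(?P<ctrl>[^"]+)" and action "(?P<action>[^"]+)"$')
STATUS_RE = re.compile(r'^(?P<code>\d{3}) ')


def strip_doubled_prefix(path):
    """Return the path with one copy of a repeated first segment removed, else None."""
    segs = path.split("/")
    if len(segs) >= 3 and segs[1] and segs[1] == segs[2]:
        return "/" + "/".join(segs[2:])
    return None


def summarize(log_text):
    """Group trace lines by request id and evaluate the public-prefix match."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        req = requests.setdefault(
            m["rid"], {"id": m["rid"], "path": None, "routes": [], "status": None}
        )
        msg = m["msg"]
        if (r := REQUEST_RE.match(msg)):
            req["path"] = r["path"]  # last one wins: the path the inner app sees
        elif (r := ROUTE_RE.match(msg)):
            req["routes"].append(f'{r["ctrl"]}#{r["action"]}')
        elif (r := STATUS_RE.match(msg)):
            req["status"] = int(r["code"])
    for req in requests.values():
        path = req["path"] or ""
        req["public"] = path.startswith(PUBLIC_PREFIX)
        fixed = strip_doubled_prefix(path)
        req["finding"] = None
        if not req["public"] and fixed and fixed.startswith(PUBLIC_PREFIX):
            req["finding"] = f"doubled mount prefix hides public route {fixed}"
    return list(requests.values())


if __name__ == "__main__":
    for req in summarize(SAMPLE_LOG):
        print(req["id"], req["path"], req["status"], req["routes"], req["finding"])
```

Run over the sample, the pre-patch request stops at the Auth controller with a finding, and the post-patch request matches the public prefix and reaches the OAuth controller.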
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Magnus Enger changed:
What|Removed |Added
Attachment #168644|0 |1
is obsolete||
--- Comment #3 from Magnus Enger ---
Created attachment 176544
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=176544&action=edit
Bug 37286: Fix REST API authentication when using Mojo apps
Koha::REST::V1::Auth checks the request URL path and does various things
depending on how it looks.
For instance, it allows everyone to access paths starting with
"/api/v1/oauth/"
But because of how Koha::REST::V1 was written, when using Mojolicious
applications Koha::App::Intranet and Koha::App::Opac, paths had to add a
path prefix ("/api"), which means the final path as seen by
Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth".
I said "had to", but actually there is another way that does not require
this path manipulation and that's what this patch does:
Koha::REST::V1 now accepts a configuration parameter that allows changing
the base path for API routes, which allows
Koha::App::Plugin::RESTV1 (used by Koha::App::Intranet and
Koha::App::Opac) to generate the right routes.
This configuration parameter defaults to "/api/v1", so when outside of
Koha::App::Intranet and Koha::App::Opac (when using
debian/templates/plack.psgi for instance), the behavior is unchanged.
Test plan:
1. Do not apply the patch yet
2. Run `bin/intranet daemon -l http://*:8080`
3. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token`
It should return a 403 error, with an error message "Authentication
failure".
4. Stop `bin/intranet daemon -l http://*:8080` by hitting Ctrl-C on the
terminal you started it
5. Apply the patch
6. Run `bin/intranet daemon -l http://*:8080` again
7. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token`
This time it should return a 400 error with an error message saying
the "grant_type" property is missing.
This error is normal as we did not send any data in the POST request
body, and seeing this means Koha allowed us to use that route because
it recognized '/api/v1/oauth/' at the start of the URL path
8. You can do the same test with `bin/opac`
Signed-off-by: Magnus Enger
Works as advertised. See Bugzilla for notes from testing.
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Magnus Enger changed:
What|Removed |Added
Status|Needs Signoff |Signed Off
Patch complexity|--- |Medium patch
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
David Nind changed:
What|Removed |Added
CC||[email protected]
--- Comment #2 from David Nind ---
Any hints on how to set things up for testing this?
In koha-testing-docker, I get this when running step 2 of the test plan:
bin/intranet daemon -l http://*:8080
Can't create listen socket: Address already in use at /usr/share/perl5/Mojo/IOLoop.pm line 124
PS I don't know what a "Mojo app" is, so maybe I'm not the right person to
test this bug 8-)
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
David Cook changed:
What|Removed |Added
CC||[email protected]
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
Julian Maurice changed:
What|Removed |Added
Status|ASSIGNED|Needs Signoff
[Koha-bugs] [Bug 37286] Fix REST API authentication when using Mojo apps
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37286
--- Comment #1 from Julian Maurice ---
Created attachment 168644
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=168644&action=edit
Bug 37286: Fix REST API authentication when using Mojo apps
Koha::REST::V1::Auth checks the request URL path and does various things
depending on how it looks.
For instance, it allows everyone to access paths starting with
"/api/v1/oauth/"
But because of how Koha::REST::V1 was written, when using Mojolicious
applications Koha::App::Intranet and Koha::App::Opac, paths had to add a
path prefix ("/api"), which means the final path as seen by
Koha::REST::V1::Auth looked like this: "/api/api/v1/oauth".
I said "had to", but actually there is another way that does not require
this path manipulation and that's what this patch does:
Koha::REST::V1 now accepts a configuration parameter that allows changing
the base path for API routes, which allows
Koha::App::Plugin::RESTV1 (used by Koha::App::Intranet and
Koha::App::Opac) to generate the right routes.
This configuration parameter defaults to "/api/v1", so when outside of
Koha::App::Intranet and Koha::App::Opac (when using
debian/templates/plack.psgi for instance), the behavior is unchanged.
Test plan:
1. Do not apply the patch yet
2. Run `bin/intranet daemon -l http://*:8080`
3. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token`
It should return a 403 error, with an error message "Authentication
failure".
4. Stop `bin/intranet daemon -l http://*:8080` by hitting Ctrl-C on the
terminal you started it
5. Apply the patch
6. Run `bin/intranet daemon -l http://*:8080` again
7. Run `curl -i -d{} http://127.0.0.1:8080/api/v1/oauth/token`
This time it should return a 400 error with an error message saying
the "grant_type" property is missing.
This error is normal as we did not send any data in the POST request
body, and seeing this means Koha allowed us to use that route because
it recognized '/api/v1/oauth/' at the start of the URL path
8. You can do the same test with `bin/opac`
