+
+ my $authorization_header = $c->req->headers->authorization;
+
+ if ($authorization_header and $authorization_header =~ /^Bearer /) {
+ # attempt to use OAuth2 authentication
+ if ( ! Module::Load::Conditional::can_load('Net::OAuth2::AuthorizationServer') ) {
+ Koha::Exceptions::Authorization::Unauthorized->throw(
+ error => 'Authentication failure.'
+ );
+ }
+ else {
+ require Net::OAuth2::AuthorizationServer;
+ }
+
+ my $server = Net::OAuth2::AuthorizationServer->new;
+ my $grant = $server->client_credentials_grant(Koha::OAuth::config);
+ my ($type, $token) = split / /, $authorization_header;
+ my ($valid_token, $error) = $grant->verify_access_token(
+ access_token => $token,
+ );
+
+ if ($valid_token) {
+ my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
+ my $patron = Koha::Patrons->find($patron_id);
+ my $permissions = $authorization->{'permissions'};
+ # Check if the patron is authorized
+ if ( haspermission($patron->userid, $permissions)
+ or allow_owner($c, $authorization, $patron)
+ or allow_guarantor($c, $authorization, $patron) ) {
+
+ validate_query_parameters( $c, $spec );
+
+ # Everything is ok
+ return 1;
+ }
+
+ Koha::Exceptions::Authorization::Unauthorized->throw(
+ error => "Authorization failure. Missing required permission(s).",
+ required_permissions => $permissions,
+ );
+ }
+
+ # If we have "Authorization: Bearer" header and oauth authentication
+ # failed, do not try other authentication means
+ Koha::Exceptions::Authentication::Required->throw(
+ error => 'Authentication failure.'
+ );
+ }
+