use Mojo::Base 'Mojolicious::Controller';
use C4::Auth qw( check_cookie_auth get_session haspermission );
+use C4::Context;
+use Koha::ApiKeys;
use Koha::Account::Lines;
use Koha::Checkouts;
use Koha::Holds;
+use Koha::OAuth;
+use Koha::OAuthAccessTokens;
use Koha::Old::Checkouts;
use Koha::Patrons;
use Koha::Exceptions::Authentication;
use Koha::Exceptions::Authorization;
+use Module::Load::Conditional;
use Scalar::Util qw( blessed );
use Try::Tiny;
my $spec = $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
my $authorization = $spec->{'x-koha-authorization'};
+
+ my $authorization_header = $c->req->headers->authorization;
+
+ if ($authorization_header and $authorization_header =~ /^Bearer /) {
+ # attempt to use OAuth2 authentication
+ if ( ! Module::Load::Conditional::can_load('Net::OAuth2::AuthorizationServer') ) {
+ Koha::Exceptions::Authorization::Unauthorized->throw(
+ error => 'Authentication failure.'
+ );
+ }
+ else {
+ require Net::OAuth2::AuthorizationServer;
+ }
+
+ my $server = Net::OAuth2::AuthorizationServer->new;
+ my $grant = $server->client_credentials_grant(Koha::OAuth::config);
+ my ($type, $token) = split / /, $authorization_header;
+ my ($valid_token, $error) = $grant->verify_access_token(
+ access_token => $token,
+ );
+
+ if ($valid_token) {
+ my $patron_id = Koha::ApiKeys->find( $valid_token->{client_id} )->patron_id;
+ my $patron = Koha::Patrons->find($patron_id);
+ my $permissions = $authorization->{'permissions'};
+ # Check if the patron is authorized
+ if ( haspermission($patron->userid, $permissions)
+ or allow_owner($c, $authorization, $patron)
+ or allow_guarantor($c, $authorization, $patron) ) {
+
+ validate_query_parameters( $c, $spec );
+
+ # Everything is ok
+ return 1;
+ }
+
+ Koha::Exceptions::Authorization::Unauthorized->throw(
+ error => "Authorization failure. Missing required permission(s).",
+ required_permissions => $permissions,
+ );
+ }
+
+ # If we have "Authorization: Bearer" header and oauth authentication
+ # failed, do not try other authentication means
+ Koha::Exceptions::Authentication::Required->throw(
+ error => 'Authentication failure.'
+ );
+ }
+
my $cookie = $c->cookie('CGISESSID');
my ($session, $user);
# Mojo doesn't use %ENV the way CGI apps do
my $parameters = {
accountlines_id => \&_object_ownership_by_accountlines_id,
- borrowernumber => \&_object_ownership_by_borrowernumber,
+ borrowernumber => \&_object_ownership_by_patron_id,
+ patron_id => \&_object_ownership_by_patron_id,
checkout_id => \&_object_ownership_by_checkout_id,
reserve_id => \&_object_ownership_by_reserve_id,
};
=cut
-sub _object_ownership_by_borrowernumber {
- my ($c, $user, $borrowernumber) = @_;
+sub _object_ownership_by_patron_id {
+ my ($c, $user, $patron_id) = @_;
- return $user->borrowernumber == $borrowernumber;
+ return $user->borrowernumber == $patron_id;
}
=head3 _object_ownership_by_checkout_id