https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20402
Josef Moravec <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Failed QA

--- Comment #24 from Josef Moravec <[email protected]> ---
(In reply to Julian Maurice from comment #22)
> Created attachment 74018 [details] [review]
> Bug 20402: Implement OAuth2 authentication for REST API
>
> It implements only the "client credentials" flow with no scopes
> support. API clients are tied to an existing patron and have the same
> permissions as the patron they are tied to.
> API Clients are defined in $KOHA_CONF.
>
> Test plan:
> 0. Install Net::OAuth2::AuthorizationServer 0.16 and
>    Mojolicious::Plugin::OAuth2::Server 0.40
> 1. In $KOHA_CONF, add an <api_client> element under <config>:
>    <api_client>
>      <client_id>$CLIENT_ID</client_id>
>      <client_secret>$CLIENT_SECRET</client_secret>
>      <patron_id>X</patron_id> <!-- X is an existing borrowernumber -->
>    </api_client>
> 2. Apply patch, run updatedatabase.pl and reload starman
> 3. Install Firefox extension RESTer [1]
> 4. In RESTer, go to "Authorization" tab and create a new OAuth2
>    configuration:
>    - OAuth flow: Client credentials
>    - Access Token Request Method: POST
>    - Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
>    - Access Token Request Client Authentication: Credentials in request body
>    - Client ID: $CLIENT_ID
>    - Client Secret: $CLIENT_SECRET
> 5. Click on the newly created configuration to generate a new token
>    (which will be valid only for an hour)
> 6. In RESTer, set HTTP method to GET and url to
>    http://$KOHA_URL/api/v1/patrons then click on SEND
>    If patron X has permission 'edit_borrowers', it should return 200 OK
>    with the list of patrons
>    Otherwise it should return 403 with the list of required permissions
>    (Please test both cases)
> 7. Wait an hour (or run the following SQL query:
>    UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
>    You should have a 403 Forbidden status, and the token must have been
>    removed from the database.

Token is removed, but I got status 500

> 8. Create a bunch of tokens using RESTer, make some of them expire
>    using the previous SQL query, and run the following command:
>    misc/cronjobs/cleanup_database.pl --oauth-tokens
>    Verify that expired tokens were removed, and that the others are
>    still there
> 9. prove t/db_dependent/api/v1/oauth.t

One test is failing for me:

not ok 19 - 200 OK
#   Failed test '200 OK'
#   at t/db_dependent/api/v1/oauth.t line 98.
#          got: '403'
#     expected: '200'
# Looks like you failed 1 test of 19.

>
> [1] https://addons.mozilla.org/en-US/firefox/addon/rester/

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
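The client-credentials exchange that the quoted test plan walks through (steps 5 to 8: issue a token, call /api/v1/patrons with and without the edit_borrowers flag, reject and delete an expired token, purge the rest with the cleanup job), as an added, self-contained example. This is not code from the bug report or from Koha; it is an in-memory model of the behaviour the test plan asserts, written so the expected status codes can be checked offline. The route names, the one-hour lifetime, the edit_borrowers flag and the oauth_access_tokens table name come from the test plan; the client ids, secrets, patron numbers and permission table are constructed sample data, and the 401 for an unknown token is an assumption the test plan does not state.

```python
"""Model of the client-credentials flow exercised by the bug 20402 test plan.

Added example, not Koha's code: TokenStore is an in-memory stand-in for the
oauth_access_tokens table that follows the behaviour the test plan asserts.
Client ids, secrets and patron numbers below are constructed sample data.
"""
import secrets
import time
from urllib.parse import urlencode

TOKEN_LIFETIME = 3600  # the test plan says a token is valid for one hour

# Constructed data standing in for the <api_client> entries in $KOHA_CONF.
API_CLIENTS = {
    "client-staff": {"client_secret": "staff-secret", "patron_id": 51},
    "client-plain": {"client_secret": "plain-secret", "patron_id": 52},
}
# Constructed patron flags: borrowernumber -> permissions the patron holds.
PATRON_PERMISSIONS = {51: {"edit_borrowers"}, 52: set()}


def token_request_body(client_id, client_secret):
    """Form body RESTer posts for 'Credentials in request body' (RFC 6749 4.4.2)."""
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})


class TokenStore:
    """Stand-in for oauth_access_tokens; the clock is injectable so expiry is testable."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.tokens = {}  # access_token -> {"patron_id": int, "expires": epoch seconds}

    def issue(self, client_id, client_secret):
        """POST /api/v1/oauth/token. Returns (status, JSON-like body)."""
        client = API_CLIENTS.get(client_id)
        # Constant-time compare so a wrong secret does not leak by timing.
        if client is None or not secrets.compare_digest(
                client["client_secret"].encode(), client_secret.encode()):
            return 400, {"error": "invalid_client"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"patron_id": client["patron_id"],
                              "expires": int(self.clock()) + TOKEN_LIFETIME}
        return 200, {"access_token": token, "token_type": "Bearer",
                     "expires_in": TOKEN_LIFETIME}

    def authorize(self, bearer, required_permission):
        """Check 'Authorization: Bearer <token>' on a route that needs required_permission."""
        entry = self.tokens.get(bearer)
        if entry is None:
            return 401  # assumption: unknown token, no patron to evaluate
        if entry["expires"] <= self.clock():
            del self.tokens[bearer]  # step 7: expired token is rejected and deleted
            return 403
        if required_permission not in PATRON_PERMISSIONS.get(entry["patron_id"], set()):
            return 403  # step 6: token is valid but the tied patron lacks the flag
        return 200

    def cleanup(self):
        """What cleanup_database.pl --oauth-tokens does in step 8: drop expired rows only."""
        now = self.clock()
        expired = [t for t, e in self.tokens.items() if e["expires"] <= now]
        for t in expired:
            del self.tokens[t]
        return len(expired)


def run_test_plan():
    """Walk steps 5 to 8 against the model and return the observed results."""
    now = [1_700_000_000]  # fake clock, advanced by hand instead of waiting an hour
    store = TokenStore(clock=lambda: now[0])

    status, body = store.issue("client-staff", "staff-secret")  # step 5
    token = body["access_token"]
    allowed = store.authorize(token, "edit_borrowers")  # step 6, patron with the flag
    _, plain = store.issue("client-plain", "plain-secret")
    denied = store.authorize(plain["access_token"], "edit_borrowers")  # step 6, without it
    bad_secret = store.issue("client-staff", "wrong")[0]

    now[0] += TOKEN_LIFETIME + 1  # step 7: "wait an hour"
    expired = store.authorize(token, "edit_borrowers")
    removed = token not in store.tokens

    # step 8: one live token, one forced to expires = 0, then the cleanup job.
    live = store.issue("client-staff", "staff-secret")[1]["access_token"]
    stale = store.issue("client-staff", "staff-secret")[1]["access_token"]
    store.tokens[stale]["expires"] = 0  # same effect as the UPDATE in the test plan
    purged = store.cleanup()  # removes 'stale' and the step 6 'plain' token that aged out

    return {"issued": status, "allowed": allowed, "denied": denied,
            "bad_secret": bad_secret, "expired": expired, "removed": removed,
            "purged": purged, "live_kept": live in store.tokens}


if __name__ == "__main__":
    print(run_test_plan())
```

The model returns 403 for the expired-token case in step 7 and leaves the row deleted, which is what the test plan expects; the 500 reported in the comment above is the deviation from that expectation and is not reproduced here, since the bug report does not say what caused it.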
