https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34163
Tomás Cohen Arazi <tomasco...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #152880|0                           |1
        is obsolete|                            |

--- Comment #4 from Tomás Cohen Arazi <tomasco...@gmail.com> ---
Created attachment 155548
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155548&action=edit
Bug 34163: Handle both anonymous userenv when generating CSRF tokens

An anonymous session might have a userenv which is undef or which is a
hashref of undef/empty values.

This patch generates the "anonymous" prefix for undef/empty 'id' values,
which prevents CSRF errors when logging in via OAuth2/OIDC following a
Koha logout.

Test plan:

Before applying patch:
1. Go to https://wiki.koha-community.org/wiki/Testing_SSO
2. Set up OpenID Connect realm, user, client, and Koha integration to
   Keycloak for koha-testing-docker as noted in the wiki
3. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1
4. Click on OIDC "Log in with XXXX" button and log into IDP
5. Note that you're not logged in and you instead see an error message like:
   "There was an error authenticating to external identity provider
   wrong_csrf_token"
6. Apply patch
7. Go to "Sessions" section of the test realm in Keycloak, e.g.
   http://sso:8082/auth/admin/master/console/#/test/sessions
8. Click "Action" on the far right side of the screen
9. Choose "Sign out all active sessions"

After applying patch:
10. koha-plack --restart kohadev
11. Go to http://localhost:8080/cgi-bin/koha/opac-main.pl?logout.x=1
12. Click on OIDC "Log in with XXXX" button and log into IDP
13. Note that you're logged in
14. prove t/Token.t
15. Note all tests pass

Signed-off-by: Tomas Cohen Arazi <tomasco...@theke.io>

-- 
You are receiving this mail because:
You are watching all bug changes.
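The following is an added illustration, not Koha's Koha::Token code or the patch itself: a simplified model of the prefix logic the commit message describes, showing why the two shapes of anonymous session (undef userenv vs. a userenv hashref with an empty 'id', as left behind after a logout) produced different CSRF tokens before the fix and the same token after it. The secret, session id and HMAC construction are constructed for the example only.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed values for the demonstration only (not Koha's configuration).
my $secret     = 'example-secret-not-koha-config';
my $session_id = 'CGISESSID-deadbeef';

# Before the fix: only an undef userenv counts as anonymous. A userenv
# hashref whose 'id' is empty yields an empty prefix instead.
sub csrf_prefix_before {
    my ($userenv) = @_;
    return $userenv ? $userenv->{id} : 'anonymous';
}

# After the fix: an undef userenv, or a hashref whose 'id' is undef or
# empty, are all treated as the anonymous user.
sub csrf_prefix_after {
    my ($userenv) = @_;
    my $id = $userenv ? $userenv->{id} : undef;
    return ( defined $id && length $id ) ? $id : 'anonymous';
}

# Simplified token: HMAC over "<prefix>_<session id>" (hypothetical
# construction, chosen only to make the prefix dependence visible).
sub make_token {
    my ( $prefix_sub, $userenv ) = @_;
    my $prefix = $prefix_sub->($userenv);
    return hmac_sha256_hex( $prefix . '_' . $session_id, $secret );
}

# Two shapes of anonymous session: no userenv at all, and the emptied
# userenv hashref left behind after a Koha logout (constructed sample).
my @cases = ( undef, { id => '', number => '', branch => '' } );

for my $label ( 'before', 'after' ) {
    my $sub = $label eq 'before' ? \&csrf_prefix_before : \&csrf_prefix_after;
    my ( $t1, $t2 ) = map { make_token( $sub, $_ ) } @cases;
    printf "%-6s fix: tokens for the two anonymous shapes %s\n",
        $label, $t1 eq $t2 ? 'match' : 'DIFFER';
}
```

Run with `perl` (Digest::SHA is a core module); the "before" line reports DIFFER, the "after" line reports match, which is the condition the login-after-logout flow in the test plan depends on.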
_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/