https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=34755
--- Comment #5 from Maryse Simard <[email protected]> ---
Created attachment 161784
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161784&action=edit
Bug 34755: Resets the userenv when calling OAuth api endpoints

When using OIDC authentication, the error "wrong_csrf_token" can happen if
another user's userenv is loaded during login. This is because the wrong
userenv is used to compare the tokens.

This patch explicitly resets userenv when using OAuth endpoints of the Koha
api.

Steps to reproduce:
0. On a Koha with SSO configured
1. Open the OPAC
2. Log in with a regular Koha user, not using SSO.
3. In a private browser window, open the OPAC
4. Log in using SSO with a different user account.
5. Notice that you get the error message "There was an error authenticating
   to external identity provider wrong_csrf_token"
6. Click on the "Log in with [...]" button again.
7. Notice that the user is immediately logged in.

To test:
- Apply the tests patch
- prove t/db_dependent/api/v1/idp.t
  => FAIL: wrong_csrf_token
- Apply patch
- prove t/db_dependent/api/v1/idp.t
  => SUCCESS
- Run other OAuth endpoints tests to make sure nothing broke:
  prove t/db_dependent/api/v1/auth_authenticate_api_request.t
  prove t/db_dependent/api/v1/oauth.t

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
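The failure mode the comment describes (a worker that served one user's login still holds that user's environment when it validates a different session's OIDC state token) is a general bug class in persistent application servers: per-request state kept in a process-global slot. The following is an added, constructed Python model of that class and of the "reset before comparing" fix; it is not Koha's code, not the attached patch, and is written in Python rather than Perl only so it can be run stand-alone. All names (`_userenv`, `oauth_callback_buggy`, `oauth_callback_fixed`, the session ids and the secret) are this example's own assumptions.

```python
import hashlib
import hmac

# Constructed model of the failure mode in bug 34755: a persistent application
# server worker keeps a "user environment" (userenv) in a process-global slot,
# and an OAuth/OIDC callback validates its CSRF/state token against the session
# found in that slot instead of the session of the request it is serving.
# Names and mechanics are this example's own, not Koha's.

SERVER_SECRET = b"constructed-secret-for-the-example"  # assumption: one server-side key


def csrf_token(session_id: str) -> str:
    """Token bound to one browser session (HMAC-SHA256 over the session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(session_id: str, token: str) -> bool:
    """Constant-time comparison of the presented token with the session's token."""
    return hmac.compare_digest(csrf_token(session_id), token)


# The process-global slot. Every request handled by this worker sees the same
# dict unless a handler explicitly resets it (the analogue of a cached userenv).
_userenv: dict = {}


def set_userenv(session_id: str, user: str) -> None:
    global _userenv
    _userenv = {"session_id": session_id, "user": user}


def reset_userenv() -> None:
    global _userenv
    _userenv = {}


def login_regular(request: dict) -> str:
    """Non-SSO login: loads this user's environment into the worker and leaves it there."""
    set_userenv(request["session_id"], request["user"])
    return "logged_in"


def oauth_callback_buggy(request: dict) -> str:
    """Trusts whatever userenv is already loaded; only falls back to the request if empty."""
    session_id = _userenv.get("session_id", request["session_id"])
    if not check_csrf(session_id, request["state"]):
        return "wrong_csrf_token"
    set_userenv(request["session_id"], request["user"])
    return "logged_in"


def oauth_callback_fixed(request: dict) -> str:
    """Resets userenv first, so the token is checked against this request's own session."""
    reset_userenv()
    session_id = request["session_id"]
    if not check_csrf(session_id, request["state"]):
        return "wrong_csrf_token"
    set_userenv(session_id, request["user"])
    return "logged_in"


def reproduce(callback) -> list:
    """Replays the comment's steps on one worker: a regular login by one user,
    then an SSO callback for a different user from another browser session.
    Returns the outcome of each step."""
    reset_userenv()
    results = []
    # Step 2: regular (non-SSO) login in the first browser; userenv now holds alice.
    results.append(login_regular({"session_id": "sess-A", "user": "alice"}))
    # Step 4: SSO callback from a private window. The state token presented is
    # the one issued for *that* session when its login was started.
    results.append(callback({"session_id": "sess-B", "user": "bob",
                             "state": csrf_token("sess-B")}))
    return results


if __name__ == "__main__":
    print("buggy:", reproduce(oauth_callback_buggy))  # ['logged_in', 'wrong_csrf_token']
    print("fixed:", reproduce(oauth_callback_fixed))  # ['logged_in', 'logged_in']
```

The token itself is valid in both runs; what differs is which session it is compared against. A handler that can run in a worker that previously served another session must either reset the inherited state before use, as the patch does, or, more strictly, never read the process-global slot at all and derive everything from the request's own session.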
