https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094
--- Comment #14 from David Cook <[email protected]> ---
(In reply to David Cook from comment #13)
> I'll come up with something for this.

Of course, my thoughts were based off the expectation that check_api_auth() returned a cookie and session ID for all responses.

Here's the proposed flow:

1. GET /svc/authentication
   If authenticated, returns OK and session cookie for authenticated session plus X-CSRF_TOKEN header in response
   If not authenticated, returns failed/anon and session cookie for anonymous session plus X-CSRF_TOKEN header in response

2. POST /svc/authentication
   If not authenticated, perform authentication using X-CSRF_TOKEN and session cookie for anonymous session

3. POST /svc/new_bib
   Do work using X-CSRF_TOKEN from previous response (or meta tag if it's in a web app) and session cookie

--

Technically, the POST /svc/authentication can use whatever session cookie, so I suppose I'll just create an anonymous session if one is missing.

It means extra logic in /svc/authentication, which is suboptimal but it beats creating yet another "check_*" function in C4/Auth.pm or changing the API of our internal auth functions...
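The three-step flow sketched in the comment above, modelled end to end as an added example. This is not Koha code and not the patch under discussion: the in-memory session store, the cookie and token generation, the `USERS` table, the `SvcServer` and `run_flow` names, and the placeholder `biblionumber` are all constructed here to show how the anonymous session, the X-CSRF_TOKEN header bound to it, and the authenticated session fit together across GET /svc/authentication, POST /svc/authentication and POST /svc/new_bib.

```python
"""Toy model of the GET/POST /svc/authentication -> POST /svc/new_bib flow.

Added illustration only (not Koha's C4/Auth.pm or svc scripts): the session
store, token scheme, user table and response shapes are all constructed.
"""
import hmac
import secrets

# Constructed credential store; a stand-in for Koha's real password check.
USERS = {"koha": "secret"}


class SvcServer:
    """In-memory stand-in for the server side of the three svc endpoints."""

    def __init__(self):
        # session_id -> {"user": str or None, "csrf": str}
        self.sessions = {}

    def _new_session(self, user=None):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def _session(self, cookie):
        """Return (sid, record); create an anonymous session if the cookie is missing or unknown."""
        if cookie and cookie in self.sessions:
            return cookie, self.sessions[cookie]
        sid = self._new_session()
        return sid, self.sessions[sid]

    def _csrf_ok(self, record, token):
        # The token is bound to this session's record; compare in constant time.
        return token is not None and hmac.compare_digest(record["csrf"], token)

    def get_authentication(self, cookie=None):
        """Step 1: GET /svc/authentication -> status, session cookie, X-CSRF_TOKEN."""
        sid, rec = self._session(cookie)
        status = "ok" if rec["user"] else "failed/anon"
        return {"status": status, "cookie": sid, "X-CSRF_TOKEN": rec["csrf"]}

    def post_authentication(self, cookie, csrf_token, userid, password):
        """Step 2: POST /svc/authentication using the anonymous session's cookie and token."""
        sid, rec = self._session(cookie)
        if not self._csrf_ok(rec, csrf_token):
            return {"status": "csrf_failed", "cookie": sid, "X-CSRF_TOKEN": rec["csrf"]}
        if rec["user"]:
            return {"status": "ok", "cookie": sid, "X-CSRF_TOKEN": rec["csrf"]}
        if USERS.get(userid) != password:
            return {"status": "failed/anon", "cookie": sid, "X-CSRF_TOKEN": rec["csrf"]}
        # Design choice added in this toy (not stated in the comment): issue a fresh
        # session id and token when the session goes from anonymous to authenticated.
        del self.sessions[sid]
        new_sid = self._new_session(user=userid)
        return {"status": "ok", "cookie": new_sid,
                "X-CSRF_TOKEN": self.sessions[new_sid]["csrf"]}

    def post_new_bib(self, cookie, csrf_token, marcxml):
        """Step 3: POST /svc/new_bib needs an authenticated session plus its matching token."""
        sid, rec = self._session(cookie)
        if not self._csrf_ok(rec, csrf_token):
            return {"status": "csrf_failed"}
        if not rec["user"]:
            return {"status": "unauthorized"}
        # biblionumber is a constructed placeholder; real work would import the record.
        return {"status": "ok", "biblionumber": 1, "bytes": len(marcxml)}


def run_flow(server, userid, password, csrf_token_override=None):
    """Drive steps 1-3 the way a client would and return the three responses."""
    r1 = server.get_authentication()                      # anonymous session + token
    token = r1["X-CSRF_TOKEN"] if csrf_token_override is None else csrf_token_override
    r2 = server.post_authentication(r1["cookie"], token, userid, password)
    r3 = server.post_new_bib(r2["cookie"], r2["X-CSRF_TOKEN"], "<record/>")
    return r1, r2, r3


if __name__ == "__main__":
    srv = SvcServer()
    for step, resp in zip(("GET auth", "POST auth", "POST new_bib"),
                          run_flow(srv, "koha", "secret")):
        print(step, resp)
```

Running the module walks the happy path; `run_flow(..., csrf_token_override="bogus")` shows a POST /svc/authentication that carries the anonymous cookie but a token not bound to it being refused, and the later /svc/new_bib being refused because the session never became authenticated. The rotation of the session id on login is this example's choice, not something the comment specifies.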
