https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094
--- Comment #23 from David Cook <[email protected]> ---
(In reply to David Cook from comment #22)
> I've bumped into this again with the ILS-DI API (see bug 36560).
>
> But it reminds me that the SVC API won't work for MarcEdit either.

While "GET /svc/authentication" would work with the SVC API, the ILS-DI API doesn't have an equivalent option. It doesn't use cookie auth; it uses IP auth.

--

Since it uses IP auth, we can't use our cookie/session-based CSRF tokens with it.

I think for the ILS-DI, we're going to have to just put in an exception.

Eventually, we'll want to get rid of the ILS-DI altogether, and replace it with equivalent REST API endpoints. The "/api/v1/auth/password/validation" effectively replaces the "AuthenticatePatron" services in ILS-DI anyway.

Of course, at some point, we'll add CSRF protection to the REST API. For that, we'll either require OAuth2 which doesn't need the CSRF tokens, or if they are using Basic Auth, we'll need to require people to use cookies and do something like "GET /svc/authentication".

Anyway... in summary, I think the ILS-DI needs an exception, since it doesn't use cookie-based auth.
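
The policy discussed in this comment, as an added sketch that is not part of the original comment and is not Koha code: a session-bound CSRF token check that exempts an IP-authenticated endpoint and bearer-token requests. The `/ilsdi` prefix, the key, the allow-list and the function names are assumptions made for the example; only "/svc/authentication" comes from the comment.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"                          # sample key, constructed
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
IP_AUTH_PREFIX = "/ilsdi"                              # hypothetical path of the IP-authenticated API
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed allow-list


def issue_token(session_id):
    """CSRF token bound to one session: HMAC-SHA256(key, session id)."""
    return hmac.new(KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_decision(method, path, *, session_id=None, token=None,
                  authorization=None, client_ip=None):
    """Return (allowed, reason) for a single request."""
    if path.startswith(IP_AUTH_PREFIX):
        # No cookie or session exists here, so there is nothing to bind a
        # token to. The endpoint is exempt from the token check but is
        # still gated by its own IP allow-list.
        addr = ipaddress.ip_address(client_ip) if client_ip else None
        if addr and any(addr in net for net in ALLOWED_NETS):
            return True, "CSRF-exempt, IP allowed"
        return False, "IP not allowed"
    if method in SAFE_METHODS:
        return True, "safe method"
    if session_id is None:
        # Bearer (OAuth2) requests carry no cookie, so no token is needed.
        if authorization and authorization.startswith("Bearer "):
            return True, "bearer token, no cookie in play"
        # Basic Auth without a session must first obtain a cookie and token.
        return False, "no session: fetch a cookie and token first"
    expected = issue_token(session_id)
    if token and hmac.compare_digest(token.encode(), expected.encode()):
        return True, "token matches session"
    return False, "missing or wrong CSRF token"
```
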
