Commit c00782de authored by Benjamin Rokseth's avatar Benjamin Rokseth

koha: prepare middleware auth for restapi v2

parent 856eb0e2
......@@ -186,6 +186,7 @@ sub call {
$dt,
$out->[0];
# Print response
return Plack::Util::response_cb($out, sub {
my ($res) = @_;
my $cookie = bake_cookie("koha.session" =>
package Auth;
use strict;
use warnings;
use parent "Plack::Middleware";
use Plack::Request;
=head
Authentication middleware used by swagger_security
Checks for header token if a protected route
For now we validate routes here, but it should be in raisin routes
=cut
sub call {
my ($self, $env) = @_;
my $req = Plack::Request->new($env);
my $path = $req->path;
my @paths = qw(
/auth/overdrive
/patron/dooraccess
);
if (my ($p) = grep { $_ eq $path } @paths) {
warn "Protected route: $p";
# TODO: proper auth
($req->header("bearer") // "") eq "secret" or return [403, [], ["forbidden"]];
}
$self->app->($env);
}
1;
\ No newline at end of file
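Review bot: The shared token is the literal `"secret"` compared with `eq` on the line after `# TODO: proper auth`, so the credential lives in the source tree and in git history; even for a stub, take it from the middleware's constructor arguments (`middleware "+Auth", token => $cfg->{token}` on the app side, `$self->{token}` here, since Plack::Component stores `new`'s arguments in the object hash) so that no real value is ever committed. The 403 return `[403, [], ["forbidden"]]` carries no `Content-Type` header; make it `[403, ['Content-Type' => 'text/plain'], ['forbidden']]`. `=head` is not a valid POD command (it needs a level, `=head1`), so the block renders as a POD error instead of documentation. The route match is an exact `eq` against `@paths`, so a trailing slash or a sub-path of a listed route is not covered by the check; if that is intentional, say so in a comment next to `@paths`, otherwise normalise the path before comparing.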
......@@ -12,12 +12,13 @@ use Types::Standard qw(Int Str);
use FindBin '$Bin';
use lib ("$Bin/.");
plugin "Swagger";
middleware "+Auth";
middleware "CrossOrigin",
origins => "*",
methods => [qw/DELETE GET HEAD OPTIONS PATCH POST PUT/],
headers => [qw/accept authorization content-type api_key_token/];
plugin "Swagger";
plugin "Logger", outputs => [["Screen", min_level => "debug"]];
api_default_format "json";
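Review bot: `middleware "+Auth"` loads a package named just `Auth` (the leading `+` is the Plack convention for a literal class name, without the `Plack::Middleware::` prefix), which resolves only because `use lib ("$Bin/.")` puts the script directory on `@INC`; a bare top-level name will shadow, or be shadowed by, any other `Auth` module on `@INC`, and this app already carries `RESTAPI::Auth` and `Deichman::Auth`. Put it under the project namespace, `middleware "+RESTAPI::Middleware::Auth";` with the file moved to match, before anything else depends on the bare name. A short comment on that line that the middleware only guards the paths hard-coded inside it would also save the next person from assuming a new route is protected by default.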
......@@ -39,11 +40,7 @@ swagger_setup(
url => "http://dev.perl.org/licenses/",
},
);
#before sub {
# my $self = shift;
# say "Before " . $self->req->method . q{ } . $self->req->path;
#};
swagger_security(name => "bearer", in => "header", type => "api_key");
use RESTAPI::Auth;
use RESTAPI::Items;
......@@ -13,8 +13,9 @@ use Deichman::Auth;
use Deichman::Auth::Session::DB;
use Deichman::Exception;
desc "Session operations";
desc "Auth operations";
resource auth => sub {
desc "Login session creation";
resource session => sub {
params(
requires("userid", type => Str, desc => "Session user"),
......@@ -40,6 +41,35 @@ resource auth => sub {
};
};
};
desc "Overdrive authentication";
resource overdrive => sub {
params(
requires("userid", type => Str, desc => "Overdrive user"),
requires("password", type => Str, desc => "Overdrive pass"),
);
tags "overdrive";
summary "Authenticate against overdrive";
post sub {
my $params = shift;
try {
# validate here
{
IsAuthorized => 1,
LibraryBranch => "Deichman Hovedbibliotek",
LoanerId => 1004567,
}
} catch {
use Data::Dumper; warn Dumper($_->description);
if ($_->isa("Deichman::Exception::Auth::ArgumentError") ||
$_->isa("Deichman::Exception::Auth::InvalidSession")) {
res->status(HTTP_FORBIDDEN);
} else {
app->log(error => $_->description);
res->status(HTTP_INTERNAL_SERVER_ERROR);
}
};
};
};
};
1;
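Review bot: The `catch` block calls `$_->description` and `$_->isa(...)` on whatever was thrown, so a plain-string exception (a `die "..."` or a Perl runtime error inside the `try`) dies again inside the catch and the client gets a generic 500 instead of the intended status; guard the object calls with `blessed($_) && $_->isa(...)` (`use Scalar::Util qw(blessed)`) and route anything else to the error branch. The `use Data::Dumper; warn Dumper($_->description);` line is a debug leftover that writes exception details to stderr on every failure and should go. The `post` handler returns `IsAuthorized => 1` with a fixed `LibraryBranch` and `LoanerId` without reading `$params->{userid}` or `$params->{password}`; since this route is also on the middleware's protected list, make the stub fail closed (`IsAuthorized => 0`, or a 403 like the catch branch) and mark it `# FIXME: stub, accepts any credentials` so it cannot ship as-is. The enclosing `resource auth` block starts before the hunk.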