Hi Alex,
As you may have seen, I've marked bug 37899 as a duplicate of bug 36560. ILS-DI doesn't use cookie auth, so it's not vulnerable to CSRF as such. (Of course, using IP authentication, it's still problematic, but that's a whole other story.) Locally, I've added an exemption to ilsdi.pl in Koha::Middleware::CSRF. I'll send a patch upstream for it soon.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03, 6a Glen St, Milsons Point NSW 2061, Australia
Office: 02 9212 0899
Online: 02 8005 0595

From: Koha-devel <koha-devel-boun...@lists.koha-community.org> On Behalf Of Alex Buckley via Koha-devel
Sent: Monday, 16 September 2024 9:32 AM
To: Field, Jonathan <jonathan.fi...@ptfs-europe.com>
Cc: koha-devel <koha-devel@lists.koha-community.org>; kohat...@catalyst.net.nz
Subject: Re: [Koha-devel] Discussion around Koha ILS-DI endpoints expecting a CSRF token from third-party integrations

Hi Jonathan,

Many thanks for that information about Bolinda and EBSCO EDS, that is very helpful! I've shared it with our team.

Thanks again,
Alex

On 12/09/24 8:39 pm, Field, Jonathan wrote:

Hi Alex,

This won't help fix this bug in particular, but I thought I'd let you know that I have been in dialogue with Bolinda in the UK about moving from ILS-DI to the REST API for their BorrowBox service. This is work they are actively progressing at the moment and testing against one of our systems. EBSCO EDS are also now able to use the REST API for RTAC, but I'm certain there are many who don't use that (we have only been using it on our more recent integrations with EDS), so there are probably quite a few ILS-DI integrations still out there! I appreciate that only mitigates one of the integrations described below, so we have also alerted our development team to try and look at the bug you posted below. Clearly it still needs addressing.

Thanks
Jonathan

On Thu, 12 Sept 2024 at 04:51, Alex Buckley via Koha-devel <koha-devel@lists.koha-community.org> wrote:

Kia ora koutou/Hello everyone,

We have several Koha integrations that require third-party systems to call Koha ILS-DI endpoints. For example, Bolinda (BorrowBox), which calls the GetPatronInfo ILS-DI endpoint for authenticating users. Or the EBSCO EDS integration, which can use Koha ILS-DI endpoints for fetching RTAC (Real-Time Availability Check) data - alternatively, it can also integrate via Koha Z39.50.

Since Koha 24.05, ILS-DI requests for these integrations do not work, because the Koha CSRF.pm file (https://git.koha-community.org/Koha-community/Koha/src/branch/main/Koha/Middleware/CSRF.pm) expects a CSRF token for all stateful methods (POST, PUT, DELETE, PATCH requests), including ILS-DI endpoints.

As ILS-DI is designed to be used cross-site, we would be interested to hear the community's thoughts on what could, or should, be done to get ILS-DI requests from third-party systems working again - given these integrations do not pass through CSRF tokens.

To that end we have logged a bug report for having this conversation: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899

I will also link this bug report from the community Mattermost Development channel. We would be interested to hear your thoughts on the bug report.

Thanks so much, as always,
Alex

--
Jonathan Field
Managing Director
PTFS Europe
M: +44 7919 372002 | T: +44 1483 378728 ext. 1000
jonathan.fi...@ptfs-europe.com
www.ptfs-europe.com

--
Alex Buckley (he/him)
Developer, Implementation Lead | Rōpū kohinga
Catalyst.Net Limited - Expert Open Source Solutions
Catalyst.Net Limited - a Catalyst IT group company
www.catalyst.net.nz
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : https://www.koha-community.org/ git : https://git.koha-community.org/ bugs : https://bugs.koha-community.org/
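To make the decision discussed in this thread concrete, here is an added illustration (not Koha's own code, and written in Python rather than Koha's Perl): a CSRF gate that requires a session-bound token on stateful methods but exempts an endpoint such as ilsdi.pl, whose third-party callers never carry a session cookie. The cookie name, header name, request paths and token derivation are assumptions made for this example.

```python
# Added example modelling the CSRF gate from the thread; not Koha's code.
# Paths, cookie/header names and the token scheme are hypothetical.
from dataclasses import dataclass, field
import hmac

STATEFUL_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

# Endpoints whose callers authenticate inside the request (credentials in the
# body, or by client IP) rather than through the browser session cookie.
# Cross-site callers such as ILS-DI integrations send no session cookie, so a
# token check here breaks them without protecting anything. The exemption is
# only sound for endpoints with no ambient credential; IP-based auth is still
# ambient, which is the caveat raised in the thread.
CSRF_EXEMPT_PATHS = {"/cgi-bin/koha/ilsdi.pl"}  # hypothetical path


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def expected_token(session_id: str, secret: bytes) -> str:
    # Bind the token to the session so it cannot be replayed across sessions.
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def csrf_gate(req: Request, secret: bytes) -> tuple:
    """Return (allowed, reason) for a request, mirroring a middleware check."""
    if req.method.upper() not in STATEFUL_METHODS:
        return True, "safe method"
    if req.path in CSRF_EXEMPT_PATHS:
        return True, "exempt: endpoint does not use cookie auth"
    session_id = req.cookies.get("CGISESSID")  # assumed cookie name
    if session_id is None:
        return False, "stateful request without session"
    supplied = req.params.get("csrf_token") or req.headers.get("CSRF-TOKEN")
    if not supplied:
        return False, "missing csrf_token"
    good = expected_token(session_id, secret).encode()
    if not hmac.compare_digest(supplied.encode(), good):
        return False, "invalid csrf_token"
    return True, "token ok"
```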