Hi David,
Thank you very much.
Kind regards,
Alex
On 30/09/24 6:40 pm, David Cook wrote:
Hi Alex,
As you may have seen, I’ve marked bug 37899 as a duplicate of bug 36560.
ILS-DI doesn’t use cookie auth, so it’s not vulnerable to CSRF as
such. (Of course, using IP authentication, it’s still problematic, but
that’s a whole other story.)
Locally, I’ve added an exemption to ilsdi.pl in
Koha::Middleware::CSRF. I’ll send a patch upstream for it soon.
David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
Online: 02 8005 0595
*From:*Koha-devel <koha-devel-boun...@lists.koha-community.org> *On
Behalf Of *Alex Buckley via Koha-devel
*Sent:* Monday, 16 September 2024 9:32 AM
*To:* Field, Jonathan <jonathan.fi...@ptfs-europe.com>
*Cc:* koha-devel <koha-devel@lists.koha-community.org>;
kohat...@catalyst.net.nz
*Subject:* Re: [Koha-devel] Discussion around Koha ILS-DI endpoints
expecting a CSRF token from third-party integrations
Hi Jonathan,
Many thanks for that information about Bolinda and EBSCO EDS, that is
very helpful! I've shared it with our team.
Thanks again,
Alex
On 12/09/24 8:39 pm, Field, Jonathan wrote:
Hi Alex,
This won't help fix this bug in particular but I thought I'd let
you know that I have been in dialogue with Bolinda in the UK about
moving from ILS-DI to the REST API for their BorrowBox service.
This is work they are actively progressing at the moment and
testing against one of our systems.
EBSCO EDS are also now able to use the REST API for RTAC but I'm
certain there are many who don't use that (we have only been using
it on our more recent integrations with EDS) so probably quite a
few ILS-DI integrations still out there!
Appreciate that only mitigates one of the integrations described
below so we have also alerted our development team to try and look
at the bug you posted below. Clearly still needs addressing.
Thanks
Jonathan
On Thu, 12 Sept 2024 at 04:51, Alex Buckley via Koha-devel
<koha-devel@lists.koha-community.org> wrote:
Kia ora koutou/Hello everyone,
We have several Koha integrations that require third-party
systems to call Koha ILS-DI endpoints.
For example, Bolinda (BorrowBox) which calls the GetPatronInfo
ILS-DI endpoint for authenticating users. Or the EBSCO EDS
integration, which can use Koha ILS-DI endpoints for fetching
RTAC (Real-Time Availability Check) data - alternatively, it
can also integrate via Koha Z39.50.
Since Koha 24.05, ILS-DI requests for these integrations do
not work, because the Koha CSRF.pm
<https://git.koha-community.org/Koha-community/Koha/src/branch/main/Koha/Middleware/CSRF.pm>
file expects a CSRF token for all stateful methods (POST, PUT,
DELETE, PATCH requests), including ILS-DI endpoints.
As ILS-DI is designed to be used cross site, we would be
interested to hear the community's thoughts on what could, or
should, be done to get ILS-DI requests from third-party
systems working again - given these integrations do not pass
through CSRF tokens.
To that end we have logged a bug report for having this
conversation:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37899
I will also link this bug report from the community Mattermost
Development channel.
We would be interested to hear your thoughts on the bug report.
Thanks so much, as always,
Alex
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : https://www.koha-community.org/
git : https://git.koha-community.org/
bugs : https://bugs.koha-community.org/
--
*Jonathan Field*
Managing Director
PTFS Europe
M: +44 7919 372002 | T: +44 1483 378728 ext. 1000
jonathan.fi...@ptfs-europe.com <mailto:jonathan.fi...@ptfs-europe.com>
www.ptfs-europe.com <http://www.ptfs-europe.com/>
Sign up for our Newsletter <http://eepurl.com/dPjjkn>
LinkedIn <http://www.linkedin.com/company/ptfs-europe-limited>
YouTube <https://www.youtube.com/@PTFSEurope>
PTFS Europe webpage <https://www.ptfs-europe.com/>
--
*Alex Buckley (he/him)*
Developer, Implementation Lead | Rōpū kohinga
*Catalyst.Net Limited - Expert Open Source Solutions*
*Catalyst.Net Limited - a Catalyst IT group company*
www.catalyst.net.nz <http://www.catalyst.net.nz>
Follow Catalyst Koha on Twitter <https://twitter.com/catalystkoha> |
Subscribe to the Catalyst Koha newsletter
<https://catalyst.us4.list-manage.com/subscribe?u=62457ff5060d15ee3c07d3fc4&id=b73fbdcac8>
CONFIDENTIALITY NOTICE: This email is intended for the named
recipients only. It may contain privileged, confidential or copyright
information. If you are not the named recipient, any use, reliance
upon, disclosure or copying of this email or its attachments is
unauthorised. If you have received this email in error, please reply
via email or call +64 4 499 2267.
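As an added illustration of the behaviour discussed in this thread (example code written for this page; it is not Koha's Koha::Middleware::CSRF or any other Koha code), the Plack middleware below applies the two rules David Cook's message relies on: a CSRF token is demanded only for state-changing methods on requests that carry the browser session cookie, and an explicit allow-list of paths such as ilsdi.pl is exempted because those endpoints do not authenticate by cookie. The package name CsrfGuardDemo, the cookie name CGISESSID, the X-CSRF-Token header and csrf_token form field, the exempt path list, the sample request paths and the "demo-token-for-" token scheme are all assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added example, not Koha code: a minimal CSRF guard as Plack middleware.
# Assumed names: CsrfGuardDemo, CGISESSID, X-CSRF-Token, csrf_token, the
# exempt path list and the demo token derivation.
use strict;
use warnings;

package CsrfGuardDemo;
use parent 'Plack::Middleware';
use Plack::Util::Accessor qw(session_cookie exempt_paths);
use Plack::Request;

# Only methods that change state are subject to the check.
my %STATEFUL = map { $_ => 1 } qw(POST PUT PATCH DELETE);

sub call {
    my ( $self, $env ) = @_;
    my $req = Plack::Request->new($env);

    # GET/HEAD/OPTIONS pass straight through.
    return $self->app->($env) unless $STATEFUL{ $req->method };

    # Endpoints that do not use the session cookie (the ILS-DI case) are
    # exempted by path: a cross-site request to them carries no ambient
    # session authority, so there is nothing for CSRF to ride on.
    for my $prefix ( @{ $self->exempt_paths || [] } ) {
        return $self->app->($env) if index( $req->path_info, $prefix ) == 0;
    }

    # No session cookie means no cookie-based authority to forge; let the
    # application's own (IP, API-key, ...) authentication decide.
    my $session = $req->cookies->{ $self->session_cookie };
    return $self->app->($env) unless defined $session;

    # Cookie-authenticated state change: require a token bound to the session,
    # accepted from a header or from a form field.
    my $token = $req->header('X-CSRF-Token') // $req->body_parameters->{csrf_token};
    if ( defined $token && $token eq expected_token($session) ) {
        return $self->app->($env);
    }
    return [ 403, [ 'Content-Type' => 'text/plain' ],
        ['Forbidden: missing or invalid CSRF token'] ];
}

# Demo derivation only (assumption): a real deployment derives the token
# with an HMAC over the session id and a server-side secret.
sub expected_token {
    my ($session) = @_;
    return "demo-token-for-$session";
}

package main;
use Plack::Test;
use HTTP::Request::Common;

# Constructed downstream app: every request that reaches it answers 200.
my $app = sub { [ 200, [ 'Content-Type' => 'text/plain' ], ['ok'] ] };

my $guarded = CsrfGuardDemo->wrap(
    $app,
    session_cookie => 'CGISESSID',
    exempt_paths   => ['/cgi-bin/koha/ilsdi.pl'],
);

# Constructed requests covering the three cases from the thread.
test_psgi app => $guarded, client => sub {
    my $cb    = shift;
    my @cases = (
        [ 'ILS-DI POST, no cookie, no token (third-party integration)',
          POST '/cgi-bin/koha/ilsdi.pl', [ service => 'GetPatronInfo' ] ],
        [ 'session-cookie POST without token (the CSRF shape)',
          POST '/cgi-bin/koha/circ/returns.pl',
          Cookie => 'CGISESSID=abc123', Content => [ barcode => '1' ] ],
        [ 'session-cookie POST with matching token',
          POST '/cgi-bin/koha/circ/returns.pl',
          Cookie         => 'CGISESSID=abc123',
          'X-CSRF-Token' => 'demo-token-for-abc123',
          Content        => [ barcode => '1' ] ],
    );
    for my $case (@cases) {
        my ( $label, $req ) = @$case;
        my $res = $cb->($req);
        printf "%-55s -> %d\n", $label, $res->code;
    }
};
```

Run with `perl` on a host that has Plack installed; the three constructed requests answer 200, 403 and 200 respectively. The check that makes a path exemption safe is the one David's message states for ILS-DI: the exempted handler must not honour the session cookie itself. An endpoint that is exempted but still accepts cookie authentication would be reachable cross-site without a token, which is exactly the condition the middleware exists to prevent.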