Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable password recovery when using ILS Authentication #3997

Open
wants to merge 24 commits into
base: dev
Choose a base branch
from
Open

Enable password recovery when using ILS Authentication #3997

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
fa64c72
Initial changes to enable password recovery when using ILS Authentica…
oharacj Oct 8, 2024
e80e27b
Initial changes to enable password recovery when using ILS Authentica…
oharacj Oct 8, 2024
a06804d
Initial changes to enable password recovery when using ILS Authentica…
oharacj Oct 8, 2024
6afdc74
Remove the return clause in setFollowupUrlToReferer method.
oharacj Oct 8, 2024
e61daf3
Updated based on Demian's comments
oharacj Oct 15, 2024
95926c5
Add getPatronFromUsername to SierraRest driver.
oharacj Oct 15, 2024
f4e32f2
Add getPatronFromUsername to SierraRest driver.
oharacj Oct 15, 2024
e977b33
Add getPatronFromUsername to SierraRest driver.
oharacj Oct 15, 2024
03bff51
Add getPatronFromUsername to SierraRest driver.
oharacj Oct 15, 2024
58a2f2f
Multi-ILS Driver work and bug fixes
oharacj Dec 11, 2024
9a8defa
Fixed some encoding and comment issues
oharacj Dec 11, 2024
f731cde
removed comment block in .js file
oharacj Dec 11, 2024
a85a525
added displayILSPasswordRecoveryLink to the top exported comment
oharacj Dec 11, 2024
fd7d5a7
PHP 8.3 updates and space fixes
oharacj Dec 11, 2024
44d8456
PHP 8.3 updates and space fixes
oharacj Dec 11, 2024
9800f5b
PHP 8.3 double quotes in template
oharacj Dec 11, 2024
4183693
PHP 8.3 double quotes in template
oharacj Dec 11, 2024
072d3fb
Merge branch 'dev' into ilsPasswordRecovery
oharacj Dec 23, 2024
11e26a4
Remove hard-coded pin length in changePassword function
oharacj Dec 23, 2024
475f222
Update settings file to remove redundant setting.
oharacj Dec 23, 2024
7646e33
updating indentation
oharacj Jan 8, 2025
0d5b9d9
update spacing in comment
oharacj Jan 8, 2025
eb7ea64
update spacing and indents
oharacj Jan 8, 2025
85cd191
update spacing and indents
oharacj Jan 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions config/vufind/SierraRest.ini
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,9 @@ use_prefixed_ids = false
; used (redirect_uri above is not set).
username_field = "code"
password_field = "pin"
; Some library systems use a four digit access pin. Others prefer to have alpha numeric
; passwords. set digits_only to true for pin functionality. Default is false (alpha-num).
digits_only = true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are higher-level password rules defined in config.ini. I wonder if it would be beneficial to make this setting more parallel with those (especially if we could refactor code to make the password validation logic reusable -- I haven't inspected to see how feasible this is, but it seems likely to be an option).

Alternatively, if there are really only two different options in Sierra, maybe it would be more clear to call this setting four_digit_pin (to account for both the length restriction and the content restriction), or to have a setting like password_mode = pin|password (if we want to allow for more possibilities in the future than a binary setting can provide.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just checking to see if you have any thoughts on this point, since there hasn't been further discussion on it since October. (Also happy to hear @EreMaijala's thoughts, if any).

Copy link
Contributor

@EreMaijala EreMaijala Dec 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should use the same rules as when changing a password, i.e. the [changePassword] section in ILS driver's ini:

; Uncomment the following lines to enable password (PIN) change
;[changePassword]
; PIN change parameters. The default limits are taken from the interface documentation.
;minLength = 4
;maxLength = 4
; See the password_pattern/password_hint settings in the [Authentication] section
; of config.ini for notes on these settings. When set here, these will override the
; config.ini defaults when Sierra is used for authentication.
;pattern = "numeric"
;hint = "Your optional custom hint can go here."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still not sure how I've managed to miss this section of the ini so many times. I had to have looked over it hundreds of times without seeing that there was a [changePassword] section. I'll remove the custom stuff I did but I'll also have to make a change to the changePassword function in the SierraRest driver in order to remove the hard-coded digits only section of password change.

; Authentication method to use with global patron data access. Default is "native".
; "ldap" is supported for REST API v6 and later (see api_version above).
; IMPORTANT: when using "native" authentication, the driver assumes by default that
Expand Down
73 changes: 72 additions & 1 deletion module/VuFind/src/VuFind/Auth/ILS.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,23 @@ public function authenticate($request)
return $this->handleLogin($username, $password, $loginMethod, $rememberMe);
}

/**
* Does this authentication method support password recovery
*
* @return bool
*/
public function supportsPasswordRecovery()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs a counterpart in MultiILS that supports checking the selected target. For inspiration:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My initial work is only supposed to be for the ILS auth. MultiILS is something I'll look at in the future but I'm not sure it's part of the scope of this work. Is this piece a necessity? If so, I can start working on this and I'll resubmit when I have it done. I only have one ILS and I can't really test but I'm happy to look into it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could potentially use the Demo driver as a second ILS for testing purposes, if that helps! Let me know if you need more details/help to get that set up.

{
$driver = $this->getCatalog()->getDriver();
if (
method_exists($driver, 'recoverPassword')
&& ($this->config['Authentication']['recover_password'] ?? false)
) {
return true;
}
return false;
}

/**
* Does this authentication method support password changing
*
Expand Down Expand Up @@ -166,8 +183,13 @@ public function updatePassword($request)
foreach (['oldpwd', 'password', 'password2'] as $param) {
$params[$param] = $request->getPost()->get($param, '');
}

// Connect to catalog:
if ($hash = $request->getPost('hash') ?? false) {
if ($user = $this->getDbService(UserServiceInterface::class)->getUserByVerifyHash($hash)) {
$username = $user->getUsername();
}
}

if (!($patron = $this->authenticator->storedCatalogLogin())) {
throw new AuthException('authentication_error_technical');
}
Expand All @@ -178,6 +200,55 @@ public function updatePassword($request)
$result = $this->getCatalog()->changePassword(
[
'patron' => $patron,
'username' => $patron['cat_username'],
'oldPassword' => $params['oldpwd'],
'newPassword' => $params['password'],
]
);
if (!$result['success']) {
throw new AuthException($result['status']);
}

// Update the user and send it back to the caller:
$username = $patron[$this->getUsernameField()];
$user = $this->getOrCreateUserByUsername($username);
$this->authenticator->saveUserCatalogCredentials($user, $patron['cat_username'], $params['password']);
return $user;
}

/**
* Change/Reset a user's password when they've forgotten.
*
* @param Request $request Request object containing new account details.
*
* @return UserEntityInterface Updated user entity.
*
* @throws PasswordSecurity
* @throws AuthException
* @throws \Exception
*/
public function newPassword($request)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not entirely sure (without spending more time digging deeper into the code and the history) why we need to split updatePassword into two methods... but if this is unavoidable, I wonder if resetPassword would be a better name than newPassword since it's more verb-based. Also, if we make this change here, do we need to make parallel changes to VuFind\Auth\Database since it is currently implemented to do password resets using only updatePassword, and some of the other code changes here might conflict with that?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty sure that updatePassword is able to do everything needed, so this method shouldn't be needed.

{
foreach (['oldpwd', 'password', 'password2'] as $param) {
$params[$param] = $request->getPost()->get($param, '');
}
// Connect to catalog:
if ($hash = $request->getPost('hash') ?? false) {
if ($user = $this->getDbService(UserServiceInterface::class)->getUserByVerifyHash($hash)) {
$username = $user->getUsername();
}
}
if (!($patron = $this->authenticator->storedCatalogLogin($username ?? null))) {
throw new AuthException('authentication_error_technical');
}
$this->validatePasswordUpdate($params);
if (empty($params['oldpwd'])) {
$params['oldpwd'] = $patron['cat_password'];
}
$result = $this->getCatalog()->recoverPassword(
[
'patron' => $patron,
'username' => $patron['cat_username'],
'oldPassword' => $params['oldpwd'],
'newPassword' => $params['password'],
]
Expand Down
27 changes: 21 additions & 6 deletions module/VuFind/src/VuFind/Auth/ILSAuthenticator.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -309,11 +309,12 @@ public function getStoredCatalogCredentials()
* fails, clear the user's stored credentials so they can enter new, corrected
* ones.
*
* Returns associative array of patron data on success, false on failure.
* @param $user_name - the username/barcode for ILS password reset
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor points of style: I'd suggest $username or $userName instead of $user_name -- we rarely use snake_case in our code, so the other options would be more consistent. Also, you don't need the "-" separator in this comment.

*
* @return array|bool
* @return array|bool Returns associative array of patron data on success,
* false on failure.
*/
public function storedCatalogLogin()
public function storedCatalogLogin($user_name = null)
{
// Fail if no username is found, but allow a missing password (not every ILS
// requires a password to connect).
Expand All @@ -336,8 +337,22 @@ public function storedCatalogLogin()
$this->ilsAccount[$username] = $patron;
return $patron;
}
} elseif (!empty($user_name)) {
if (isset($this->ilsAccount[$user_name])) {
return $this->ilsAccount[$user_name];
}
$user = $this->getDbService(UserServiceInterface::class)->getUserByUsername($user_name);
if (empty($user)) {
return false;
}
$patron = $this->catalog->patronLogin($user_name, $this->getCatPasswordForUser($user));
if (empty($patron)) {
$user->setCatUsername(null)->setRawCatPassword(null)->setCatPassEnc(null);
} else {
$this->ilsAccount[$user_name] = $patron;
return $patron;
}
}

return false;
}

Expand All @@ -347,9 +362,9 @@ public function storedCatalogLogin()
* @param string $username Catalog username
* @param string $password Catalog password
*
* Returns associative array of patron data on success, false on failure.
* @return array|bool Returns associative array of patron data on success,
* false on failure.
*
* @return array|bool
* @throws ILSException
*/
public function newCatalogLogin($username, $password)
Expand Down
16 changes: 16 additions & 0 deletions module/VuFind/src/VuFind/Auth/Manager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -670,6 +670,22 @@ public function updatePassword($request)
return $user;
}

/**
* Reset a user's password from the request.
*
* @param \Laminas\Http\PhpEnvironment\Request $request Request object containing
* password change details.
*
* @throws AuthException
* @return UserEntityInterface Updated user entity.
*/
public function newPassword($request)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should not be necessary either.

{
$user = $this->getAuth()->newPassword($request);
$this->updateSession($user);
return $user;
}

/**
* Update a user's email from the request.
*
Expand Down
8 changes: 8 additions & 0 deletions module/VuFind/src/VuFind/Controller/AbstractBase.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -710,6 +710,14 @@ protected function setFollowupUrlToReferer(bool $allowCurrentUrl = true, array $
if ($mrhuNorm === $refererNorm) {
return;
}
// if is the stored current url of the lightbox
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I understand this comment, and if is suggests to me that maybe there are extra or missing words.

// which overrides the url from the server request when present
$normReferer = $this->normalizeUrlForComparison($referer);
$myUserReset = $this->getServerUrl('myresearch-verify');
$murNorm = $this->normalizeUrlForComparison($myUserReset);
if (str_starts_with($normReferer, $murNorm)) {
return;
}

// If the referer is the MyResearch/UserLogin action, it probably means
// that the user is repeatedly mistyping their password. We should
Expand Down
63 changes: 57 additions & 6 deletions module/VuFind/src/VuFind/Controller/MyResearchController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,35 @@ protected function processAuthenticationException(AuthException $e)
$this->flashMessenger()->addMessage($msg, 'error');
}

/**
* Store a referer (if appropriate) to keep post-login redirect pointing
* to an appropriate location. This is used when the user clicks the
* log in link from an arbitrary page or when a password is mistyped;
* separate logic is used for storing followup information when VuFind
* forces the user to log in from another context.
*
* @param bool $allowCurrentUrl Whether the current URL is valid for followup
* @param array $extras Extra data for the followup
*
* @return void
*/
protected function setFollowupUrlToReferer(bool $allowCurrentUrl = true, array $extras = [])
{
// lbreferer is the stored current url of the lightbox
// which overrides the url from the server request when present
$refer = $this->getRequest()->getQuery()->get(
'lbreferer',
$this->getRequest()->getServer()->get('HTTP_REFERER', null)
);
$normReferer = $this->normalizeUrlForComparison($refer);
$myUserReset = $this->getServerUrl('myresearch-verify');
$murNorm = $this->normalizeUrlForComparison($myUserReset);
if (str_starts_with($normReferer, $murNorm)) {
return;
}
parent::setFollowupUrlToReferer($allowCurrentUrl, $extras);
demiankatz marked this conversation as resolved.
Show resolved Hide resolved
}

/**
* Maintaining this method for backwards compatibility;
* logic moved to parent and method re-named
Expand Down Expand Up @@ -937,7 +966,7 @@ public function performDeleteFavorite($id, $source)
* @param UserEntityInterface $user Logged-in user
* @param \VuFind\RecordDriver\AbstractBase $driver Record driver for favorite
* @param int $listID List being edited (null
* if editing all favorites)
* if editing all favorites)
*
* @return object
*/
Expand Down Expand Up @@ -1729,6 +1758,23 @@ public function recoverAction()
} elseif ($username = $this->params()->fromPost('username')) {
$user = $userService->getUserByUsername($username);
}
//ILS Driver:
//if the user hasn't logged in yet, but is found by the ILS, call function
//getPatronFromUsername
Comment on lines +1728 to +1730
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another minor style tweak that you can commit directly from this comment:

Suggested change
//ILS Driver:
//if the user hasn't logged in yet, but is found by the ILS, call function
//getPatronFromUsername
// ILS Driver:
// if the user hasn't logged in yet, but is found by the ILS, call function
// getPatronFromUsername

if (!$user && $this->formWasSubmitted() && !empty($username)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this, as opposed to updatePassword, should be split to ILS-specific part. And because the ILS's have different functionality, we can't rely on always being able to fetch a user by username. It could also be email address.
It might also make sense to not even try to retrieve a full user in this situation, but just whatever information is needed when the password is reset. In some cases it could be that the ILS supports password reset by way of a recovery token instead of username, but e.g. for Koha we should just need patron id (borrowernumber).

$dbService = $this->getDbService(UserServiceInterface::class);
$entity = $dbService->createEntityForUsername($username);
$catalog = $this->getILS()->getDriver();
if ($catalog->supportsMethod('getPatronFromUsername', $username)) {
$patron = $catalog->getPatronFromUsername($username);
$entity->setEmail($patron['email']);
$entity->setCatPassEnc($patron['password']);
$entity->setFirstname($patron['firstname']);
$entity->setLastname($patron['lastname']);
$dbService->persistEntity($entity);
}
$user = $dbService->getUserByUsername($username);
}
$view = $this->createViewModel();
$view->useCaptcha = $this->captcha()->active('passwordRecovery');
// If we have a submitted form
Expand Down Expand Up @@ -1854,7 +1900,7 @@ protected function sendChangeNotificationEmail($user, $newEmail)
*
* @param ?UserEntityInterface $user User object we're recovering
* @param bool $change Is the user changing their email (true)
* or setting up a new account (false).
* or setting up a new account (false).
*
* @return void (sends email or adds error message)
*/
Expand Down Expand Up @@ -2070,18 +2116,23 @@ public function newPasswordAction()
return $view;
}
}
// Update password
// Set/Reset password
try {
$user = $this->getAuthManager()->updatePassword($this->getRequest());
$user = $this->getAuthManager()->newPassword($this->getRequest());
} catch (AuthException $e) {
$this->flashMessenger()->addMessage($e->getMessage(), 'error');
return $view;
}
// Update hash to prevent reusing hash
$this->getAuthManager()->updateUserVerifyHash($user);
// Login
if ($followUp = $this->followup()->retrieve('url')) {
//This exists because the followupURL gets set to Verify which returns
//an error message due to trying to check the hash a second time
oharacj marked this conversation as resolved.
Show resolved Hide resolved
$followUpUrl = strstr($followUp, 'Verify', true) . 'Home';
$this->followup()->clear('url');
$this->followup()->store([], $followUpUrl);
}
$this->getAuthManager()->login($this->request);
// Return to account home
$this->flashMessenger()->addMessage('new_password_success', 'success');
return $this->redirect()->toRoute('myresearch-home');
}
Expand Down
Loading
Loading