open-ils.auth.authenticate.init incorrectly checks if identifier is username or barcode

Bug #1827296 reported by Jeff Davis

Bug Description

EG 3.1+

open-ils.auth.authenticate.init attempts to determine if the provided identifier is a username or a barcode. But it always does this by matching the identifier against a hard-coded barcode pattern of '^\d'. This is plainly incorrect: some libraries use a different barcode format (as specified by the opac.barcode_regex setting), and any usernames beginning with a number will be wrongly treated as barcodes for authentication purposes (which is problematic if your username and barcode don't match).

One place where this causes problems is AuthProxy native login. Even if you enter a barcode in the login form, AuthProxy will look up the username of the associated account; it always passes a username to open-ils.auth.authenticate.init. But if your username starts with a number, the init method itself treats the username as a barcode!

One solution would be to add a context org parameter to open-ils.auth.authenticate.init, so that it can look up the correct barcode format. But login requests don't always have a known context org, and valid barcodes may not conform to any pattern. Alternatively, we could deprecate open-ils.auth.authenticate.init. Note that both of these solutions would be problematic for any external clients currently using the init method.
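To make the three behaviours concrete, here is an added illustration in Python (not Evergreen's own Perl code): the hard-coded '^\d' classification the report describes, the proposed per-org opac.barcode_regex lookup with its limits, and a pattern-free resolver that matches the identifier exactly against both columns and refuses to guess when both match. The account records and org patterns are constructed sample data.

```python
import re

# Constructed sample data, not real Evergreen records: username -> barcode.
# "42alice" has a digit-leading username and a non-numeric barcode;
# "A000-0042" is a username that happens to equal another account's barcode.
SAMPLE_USERS = {
    "jdavis": "21234000000001",
    "42alice": "A000-0042",
    "A000-0042": "21234000000099",
}

# Constructed stand-in for the per-org opac.barcode_regex setting.
ORG_BARCODE_REGEX = {"BR1": r"^\d{14}$", "BR2": r"^[A-Z]\d{3}-\d{4}$"}


def classify_hardcoded(identifier):
    """The classification the bug describes: anything starting with a digit is a barcode."""
    return "barcode" if re.match(r"^\d", identifier) else "username"


def classify_with_org_regex(identifier, context_org):
    """First proposed fix: consult the context org's configured barcode pattern.
    Still guesses from shape, so it is only as good as the org's regex."""
    pattern = ORG_BARCODE_REGEX.get(context_org)
    if pattern is None:
        raise ValueError("no barcode regex configured for org %r" % context_org)
    return "barcode" if re.match(pattern, identifier) else "username"


def resolve_identifier(identifier, users=SAMPLE_USERS):
    """Pattern-free resolution: exact match on both columns, no guessing.
    Returns (username, how) on success, or (None, reason) otherwise."""
    by_username = identifier if identifier in users else None
    by_barcode = next((u for u, bc in users.items() if bc == identifier), None)
    if by_username and by_barcode and by_username != by_barcode:
        return None, "ambiguous"  # caller must supply an explicit identifier type
    if by_username:
        return by_username, "username"
    if by_barcode:
        return by_barcode, "barcode"
    return None, "not found"  # one generic reason; do not reveal which column missed
```

The ambiguous branch is the case the report warns about: once usernames and barcodes can overlap, no prefix or regex test can settle which account was meant, so the caller has to say.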

Jeff Davis (jdavis-sitka) wrote :

I opened bug 1828456 for the AuthProxy issue, which can be fixed even if we don't fix the .init method.

tags: added: authentication