From b860ffa9414c6e2946287940b16179ab02f9be3e Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Thu, 17 Nov 2022 10:09:39 -0500
Subject: [PATCH] LP#1996908: allow OpenILS::WWW::Proxy::Authen to check eg.auth.token
This patch allows the authentication handler to accept the 'eg.auth.token' cookie coming from the staff client if a 'ses' parameter or 'ses' cookie has not been set. This allows resources gated by this handler to be accessed by a staff member who has logged into the staff client without requiring an additional login.
To test
-------
[1] Create a report and note the URL of one of its outputs.
[2] In a completely fresh browser session, log into the staff client, then directly load the reporter output. You will be prompted to log in again because the 'ses' cookie was not set.
[3] Apply the patch and repeat step 2. This time, the reporter output should be directly retrieved.
Signed-off-by: Galen Charlton
Signed-off-by: Jason Boyer
---
 Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
index 0cc9ec447d..caf2a61154 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/Proxy/Authen.pm
@@ -40,7 +40,17 @@ sub handler {
 return Apache2::Const::NOT_FOUND unless (@$perms);
 my $cgi = new CGI;
- my $auth_ses = $cgi->param('ses') || $cgi->cookie('ses');
+ my $auth_ses = $cgi->param('ses') || $cgi->cookie('ses') || $cgi->cookie('eg.auth.token');
+ if ($auth_ses =~ /^"(.+)"$/) { # came from eg2 login, is json encoded
+ $auth_ses = $1;
+ }
+
+ # Note that the handler accepts an eg.auth.token from the web staff
+ # client but will not set it if it has to ask the user for
+ # credentials (it will only set 'ses'). As of 2022-11, it works this
+ # way to avoid this authen handler from becoming a way to create
+ # a staff login session that does not have a workstation set.
+
 my $ws_ou = $apache->dir_config('OILSProxyLoginOU') || $cgi->param('ws_ou') || $cgi->cookie('ws_ou');
 my $url = $cgi->url;
-- 
2.11.0
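Review bot: The quote-stripping test `if ($auth_ses =~ /^"(.+)"$/)` runs on whichever source supplied the value, including the `ses` parameter and `ses` cookie, and also when all three are absent and `$auth_ses` is undef (an uninitialized-value warning if warnings are enabled in this file, which the hunk does not show). Because the value is client-controlled and is presumably passed on as the session token further down, I would guard and anchor it strictly and refuse embedded quotes: `if (defined $auth_ses && $auth_ses =~ /\A"([^"]+)"\z/) {`. If the unwrapping is only meant for the eg2 cookie, apply it to `$cgi->cookie('eg.auth.token')` alone before that value joins the `||` chain. The `||` order also means a stale `ses` cookie still takes precedence over a valid `eg.auth.token`; `handler` starts and ends outside the hunk, so whether that case falls back or simply re-prompts is not visible here.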